From 94063522b41208dbb545759fbd3b3b209ba276f380400548c08970259e340fb6 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 23 Feb 2024 15:02:07 +0000 Subject: [PATCH 1/4] osc copypac from project:devel:languages:haskell:ghc-9.6.x package:ghc-pandoc revision:15, using keep-link OBS-URL: https://build.opensuse.org/package/show/devel:languages:haskell/ghc-pandoc?expand=0&rev=26 --- ghc-pandoc.changes | 9 +++++++++ ghc-pandoc.spec | 7 +++++-- pandoc-3.1.11.1.tar.gz | 3 --- pandoc-3.1.12.1.tar.gz | 3 +++ 4 files changed, 17 insertions(+), 5 deletions(-) delete mode 100644 pandoc-3.1.11.1.tar.gz create mode 100644 pandoc-3.1.12.1.tar.gz diff --git a/ghc-pandoc.changes b/ghc-pandoc.changes index 433c469..38c2636 100644 --- a/ghc-pandoc.changes +++ b/ghc-pandoc.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Sun Feb 18 01:35:04 UTC 2024 - Peter Simons + +- Update pandoc to version 3.1.12.1. + Upstream has edited the change log file since the last release in + a non-trivial way, i.e. they did more than just add a new entry + at the top. You can review the file at: + http://hackage.haskell.org/package/pandoc-3.1.12.1/src/changelog.md + ------------------------------------------------------------------- Sat Jan 6 02:21:39 UTC 2024 - Peter Simons diff --git a/ghc-pandoc.spec b/ghc-pandoc.spec index 69a062e..f40c43e 100644 --- a/ghc-pandoc.spec +++ b/ghc-pandoc.spec @@ -20,7 +20,7 @@ %global pkgver %{pkg_name}-%{version} %bcond_with tests Name: ghc-%{pkg_name} -Version: 3.1.11.1 +Version: 3.1.12.1 Release: 0 Summary: Conversion between markup formats License: GPL-2.0-or-later @@ -73,6 +73,8 @@ BuildRequires: ghc-deepseq-devel BuildRequires: ghc-deepseq-prof BuildRequires: ghc-directory-devel BuildRequires: ghc-directory-prof +BuildRequires: ghc-djot-devel +BuildRequires: ghc-djot-prof BuildRequires: ghc-doclayout-devel BuildRequires: ghc-doclayout-prof BuildRequires: ghc-doctemplates-devel @@ -185,7 +187,7 @@ Pandoc is a Haskell library for converting from one markup format to another. The formats it can handle include - light markup formats (many variants of Markdown, reStructuredText, AsciiDoc, -Org-mode, Muse, Textile, txt2tags) - HTML formats (HTML 4 and 5) - Ebook +Org-mode, Muse, Textile, txt2tags, djot) - HTML formats (HTML 4 and 5) - Ebook formats (EPUB v2 and v3, FB2) - Documentation formats (GNU TexInfo, Haddock) - Roff formats (man, ms) - TeX formats (LaTeX, ConTeXt) - Typst - XML formats (DocBook 4 and 5, JATS, TEI Simple, OpenDocument) - Outline formats (OPML) - @@ -371,6 +373,7 @@ This package provides the Haskell %{pkg_name} profiling library. %{_datadir}/%{pkg_name}-%{version}/data/templates/default.chunkedhtml %{_datadir}/%{pkg_name}-%{version}/data/templates/default.commonmark %{_datadir}/%{pkg_name}-%{version}/data/templates/default.context +%{_datadir}/%{pkg_name}-%{version}/data/templates/default.djot %{_datadir}/%{pkg_name}-%{version}/data/templates/default.docbook4 %{_datadir}/%{pkg_name}-%{version}/data/templates/default.docbook5 %{_datadir}/%{pkg_name}-%{version}/data/templates/default.dokuwiki diff --git a/pandoc-3.1.11.1.tar.gz b/pandoc-3.1.11.1.tar.gz deleted file mode 100644 index 3ae1656..0000000 --- a/pandoc-3.1.11.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ef968d654000e5b21943573039fee92b132b547790fb1471f363abeb09dbcf79 -size 7336100 diff --git a/pandoc-3.1.12.1.tar.gz b/pandoc-3.1.12.1.tar.gz new file mode 100644 index 0000000..17f0e39 --- /dev/null +++ b/pandoc-3.1.12.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:57efd39269141ed066803967b605fba3b4fd9c0f0fc31edccb186fbda1683bbc +size 7363985 From b7b03c962fab480cc129834893ad498b06f8b321cf251a73d0622dddfd080e2d Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Sat, 24 Feb 2024 22:00:55 +0000 Subject: [PATCH 2/4] osc copypac from project:devel:languages:haskell:ghc-9.6.x package:ghc-pandoc revision:17, using keep-link OBS-URL: https://build.opensuse.org/package/show/devel:languages:haskell/ghc-pandoc?expand=0&rev=27 --- _constraints | 14 +------------- ghc-pandoc.changes | 5 +++++ 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/_constraints b/_constraints index 97a0331..a75eccf 100644 --- a/_constraints +++ b/_constraints @@ -5,21 +5,9 @@ 7 - 11000 + 3500 8 8 - - - armv6l - armv7l - i586 - - - - 3000 - - - diff --git a/ghc-pandoc.changes b/ghc-pandoc.changes index 38c2636..6cc15ae 100644 --- a/ghc-pandoc.changes +++ b/ghc-pandoc.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Feb 23 20:37:25 UTC 2024 - Andreas Schwab + +- Reduce memory constraints + ------------------------------------------------------------------- Sun Feb 18 01:35:04 UTC 2024 - Peter Simons From 5f7a0b72fa2ec2bbf409d298c273e26050e8bd243f97494cac4d72f1ccd0c209 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 1 Mar 2024 19:00:03 +0000 Subject: [PATCH 3/4] osc copypac from project:devel:languages:haskell:ghc-9.8.x package:ghc-pandoc revision:5, using keep-link OBS-URL: https://build.opensuse.org/package/show/devel:languages:haskell/ghc-pandoc?expand=0&rev=28 --- CVE-2023-35936.patch | 124 +++++++++++++++++++++++++++++++++++++++++ CVE-2023-38745.patch | 68 ++++++++++++++++++++++ _constraints | 14 ++++- ghc-pandoc.changes | 67 ++++++++++++++++++++++ ghc-pandoc.spec | 6 +- pandoc-3.1.12.1.tar.gz | 3 - pandoc-3.1.12.2.tar.gz | 3 + 7 files changed, 280 insertions(+), 5 deletions(-) create mode 100644 CVE-2023-35936.patch create mode 100644 CVE-2023-38745.patch delete mode 100644 pandoc-3.1.12.1.tar.gz create mode 100644 pandoc-3.1.12.2.tar.gz diff --git a/CVE-2023-35936.patch b/CVE-2023-35936.patch new file mode 100644 index 0000000..ae6b655 --- /dev/null +++ b/CVE-2023-35936.patch @@ -0,0 +1,124 @@ +From 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 Mon Sep 17 00:00:00 2001 +From: John MacFarlane +Date: Tue, 20 Jun 2023 13:50:13 -0700 +Subject: [PATCH] Fix a security vulnerability in MediaBag and + T.P.Class.IO.writeMedia. + +This vulnerability, discovered by Entroy C, allows users to write +arbitrary files to any location by feeding pandoc a specially crafted +URL in an image element. The vulnerability is serious for anyone +using pandoc to process untrusted input. The vulnerability does +not affect pandoc when run with the `--sandbox` flag. +--- + src/Text/Pandoc/Class/IO.hs | 14 +++++++------- + src/Text/Pandoc/MediaBag.hs | 28 ++++++++++++++++------------ + 2 files changed, 23 insertions(+), 19 deletions(-) + +Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs +=================================================================== +--- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs 2001-09-09 01:46:40.000000000 +0000 ++++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs 2023-07-14 18:39:12.169005026 +0000 +@@ -50,7 +50,7 @@ import Network.HTTP.Client.Internal (add + import Network.HTTP.Client.TLS (mkManagerSettings) + import Network.HTTP.Types.Header ( hContentType ) + import Network.Socket (withSocketsDo) +-import Network.URI (unEscapeString) ++import Network.URI (URI(..), parseURI) + import System.Directory (createDirectoryIfMissing) + import System.Environment (getEnv) + import System.FilePath ((), takeDirectory, normalise) +@@ -122,11 +122,11 @@ newUniqueHash = hashUnique <$> liftIO Da + + openURL :: (PandocMonad m, MonadIO m) => Text -> m (B.ByteString, Maybe MimeType) + openURL u +- | Just u'' <- T.stripPrefix "data:" u = do +- let mime = T.takeWhile (/=',') u'' +- let contents = UTF8.fromString $ +- unEscapeString $ T.unpack $ T.drop 1 $ T.dropWhile (/=',') u'' +- return (decodeBase64Lenient contents, Just mime) ++ | Just (URI{ uriScheme = "data:", ++ uriPath = upath }) <- parseURI (T.unpack u) = do ++ let (mime, rest) = break (== '.') upath ++ let contents = UTF8.fromString $ drop 1 rest ++ return (decodeBase64Lenient contents, Just (T.pack mime)) + | otherwise = do + let toReqHeader (n, v) = (CI.mk (UTF8.fromText n), UTF8.fromText v) + customHeaders <- map toReqHeader <$> getsCommonState stRequestHeaders +@@ -224,7 +224,7 @@ writeMedia :: (PandocMonad m, MonadIO m) + -> m () + writeMedia dir (fp, _mt, bs) = do + -- we normalize to get proper path separators for the platform +- let fullpath = normalise $ dir unEscapeString fp ++ let fullpath = normalise $ dir fp + liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath) + logIOError $ BL.writeFile fullpath bs + +Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs +=================================================================== +--- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs 2001-09-09 01:46:40.000000000 +0000 ++++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs 2023-07-14 18:39:12.170005139 +0000 +@@ -28,6 +28,7 @@ import Data.Data (Data) + import qualified Data.Map as M + import Data.Maybe (fromMaybe, isNothing) + import Data.Typeable (Typeable) ++import Network.URI (unEscapeString) + import System.FilePath + import qualified System.FilePath.Posix as Posix + import qualified System.FilePath.Windows as Windows +@@ -35,7 +36,7 @@ import Text.Pandoc.MIME (MimeType, getMi + import Data.Text (Text) + import qualified Data.Text as T + import Data.Digest.Pure.SHA (sha1, showDigest) +-import Network.URI (URI (..), parseURI) ++import Network.URI (URI (..), parseURI, isURI) + + data MediaItem = + MediaItem +@@ -54,9 +55,12 @@ newtype MediaBag = MediaBag (M.Map Text + instance Show MediaBag where + show bag = "MediaBag " ++ show (mediaDirectory bag) + +--- | We represent paths with /, in normalized form. ++-- | We represent paths with /, in normalized form. Percent-encoding ++-- is resolved. + canonicalize :: FilePath -> Text +-canonicalize = T.replace "\\" "/" . T.pack . normalise ++canonicalize fp ++ | isURI fp = T.pack fp ++ | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp + + -- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds + -- to the given path. +@@ -79,23 +83,23 @@ insertMedia fp mbMime contents (MediaBag + , mediaContents = contents + , mediaMimeType = mt } + fp' = canonicalize fp ++ fp'' = T.unpack fp' + uri = parseURI fp +- newpath = if Posix.isRelative fp +- && Windows.isRelative fp ++ newpath = if Posix.isRelative fp'' ++ && Windows.isRelative fp'' + && isNothing uri +- && ".." `notElem` splitDirectories fp +- then T.unpack fp' ++ && not (".." `T.isInfixOf` fp') ++ then fp'' + else showDigest (sha1 contents) <> "." <> ext +- fallback = case takeExtension fp of +- ".gz" -> getMimeTypeDef $ dropExtension fp +- _ -> getMimeTypeDef fp ++ fallback = case takeExtension fp'' of ++ ".gz" -> getMimeTypeDef $ dropExtension fp'' ++ _ -> getMimeTypeDef fp'' + mt = fromMaybe fallback mbMime +- path = maybe fp uriPath uri ++ path = maybe fp'' (unEscapeString . uriPath) uri + ext = case takeExtension path of + '.':e -> e + _ -> maybe "" T.unpack $ extensionFromMimeType mt + +- + -- | Lookup a media item in a 'MediaBag', returning mime type and contents. + lookupMedia :: FilePath + -> MediaBag diff --git a/CVE-2023-38745.patch b/CVE-2023-38745.patch new file mode 100644 index 0000000..4645c48 --- /dev/null +++ b/CVE-2023-38745.patch @@ -0,0 +1,68 @@ +From eddedbfc14916aa06fc01ff04b38aeb30ae2e625 Mon Sep 17 00:00:00 2001 +From: John MacFarlane +Date: Thu, 20 Jul 2023 09:26:38 -0700 +Subject: [PATCH] Fix new variant of the vulnerability in CVE-2023-35936. + +Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete. +An attacker could get around it by double-encoding the malicious +extension to create or override arbitrary files. + + $ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md + $ .cabal/bin/pandoc b.md --extract-media=bar +

+ $ cat b.lua + print "hello" + $ find bar + bar/ + bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+ + +This commit adds a test case for this more complex attack and fixes +the vulnerability. (The fix is quite simple: if the URL-unescaped +filename or extension contains a '%', we just use the sha1 hash of the +contents as the canonical name, just as we do if the filename contains +'..'.) +--- + src/Text/Pandoc/Class/IO.hs | 2 ++ + src/Text/Pandoc/MediaBag.hs | 7 ++++--- + test/Tests/MediaBag.hs | 12 +++++++++++- + 3 files changed, 17 insertions(+), 4 deletions(-) + +Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs +=================================================================== +--- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs 2023-09-21 09:24:23.311539088 +0000 ++++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs 2023-09-21 09:27:24.005959930 +0000 +@@ -224,6 +224,8 @@ writeMedia :: (PandocMonad m, MonadIO m) + -> m () + writeMedia dir (fp, _mt, bs) = do + -- we normalize to get proper path separators for the platform ++ -- we unescape URI encoding, but given how insertMedia ++ -- is written, we shouldn't have any % in a canonical media name... + let fullpath = normalise $ dir fp + liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath) + logIOError $ BL.writeFile fullpath bs +Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs +=================================================================== +--- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs 2023-09-21 09:24:23.311539088 +0000 ++++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs 2023-09-21 09:27:24.006959920 +0000 +@@ -89,16 +89,17 @@ insertMedia fp mbMime contents (MediaBag + && Windows.isRelative fp'' + && isNothing uri + && not (".." `T.isInfixOf` fp') ++ && '%' `notElem` fp'' + then fp'' +- else showDigest (sha1 contents) <> "." <> ext ++ else showDigest (sha1 contents) <> ext + fallback = case takeExtension fp'' of + ".gz" -> getMimeTypeDef $ dropExtension fp'' + _ -> getMimeTypeDef fp'' + mt = fromMaybe fallback mbMime + path = maybe fp'' (unEscapeString . uriPath) uri + ext = case takeExtension path of +- '.':e -> e +- _ -> maybe "" T.unpack $ extensionFromMimeType mt ++ '.':e | '%' `notElem` e -> '.':e ++ _ -> maybe "" (\x -> '.':T.unpack x) $ extensionFromMimeType mt + + -- | Lookup a media item in a 'MediaBag', returning mime type and contents. + lookupMedia :: FilePath diff --git a/_constraints b/_constraints index a75eccf..97a0331 100644 --- a/_constraints +++ b/_constraints @@ -5,9 +5,21 @@ 7 - 3500 + 11000 8 8 + + + armv6l + armv7l + i586 + + + + 3000 + + + diff --git a/ghc-pandoc.changes b/ghc-pandoc.changes index 6cc15ae..90d6499 100644 --- a/ghc-pandoc.changes +++ b/ghc-pandoc.changes @@ -1,3 +1,70 @@ +------------------------------------------------------------------- +Fri Mar 1 05:49:26 UTC 2024 - Peter Simons + +- Update pandoc to version 3.1.12.2. + ## pandoc 3.1.12.2 (2024-02-29) + + * Docx reader: + + + Ensure that table captions are counted (#9518). + + Detect caption by style name not id (#9518). + The styleId can change depending on the localization. + + Avoid emitting empty paragraph where caption was. + + * Markdown reader: fix regression in link parsing with wikilinks extensions + (#9481). This fixes a regression introduced in 3.1.12. + + * Org reader/writer: support admonitions (#9475). + + * Org writer: omit extra blank line at end of quote block. + + * Typst writer: ensure that `-`, `+`, etc. are escaped at beginning of block + (#9478). Our recent relaxing of escaping (#9386) caused problems for + things like emphasized `-` characters that were rendered using + `#strong[-]#`. This now gets rendered as `#strong[\-]`. + + * LaTeX writer: fix bug when a language is specified in two different ways + (#9472). If you used `lang: de-DE` but then had a span or div with + `lang=de`, the preamble would try to load `ngerman` twice, leading + to an error. This fix ensures that a language is only loaded once. + + * Docx writer: Don't copy over `footnotePr` in `settings.xml` + from reference.docx (#9522). + + * EPUB writer: omit EPUB2-specific meta tag on EPUB3 (#9493). + This caused a validation failure in epubs with cover images. + + * Lua: avoid crashing when an error message is not valid UTF-8 (Albert + Krewinkel). + + * Text.Pandoc.SelfContained: + + + Add `role="img"` to svgs. + + Add `aria-label` to svg elements with `alt` text if present. + Screen readers ignore `alt` attributes on svg elements but do + pay attention to `aria-label` (#9525). + + * Text.Pandoc.Shared: Fix regression in section numbering in + `makeSections` (#9516). Starting with pandoc 3.1.12, unnumbered + sections incremented the section number. + + * Text.Pandoc.Class: fix `openUrl` TLS negotiation (#9483). + With the release of TLS 2.0.0, the TLS library started requiring + Extended Main Secret for the TLS handshake. This caused problems + connecting to zotero's server and others that do not support TLS 1.3. + This commit relaxes this requirement. + + * Depend on djot 0.1.1.0 (fixes rendering on multiline block attributes). + + * Use new releases of skylighting-format-blaze-html (#9520). + Fixes auto-wrapping of long source lines in HTML print media. + + * Use new commonmark-extensions (fixes issue with the + `rebase_relative_paths` extension when used with commonmark/gfm. + + * Makefile: improve epub-validation target (#9493). + Use `--epub-cover-image` to catch issues that only arise with that. + ------------------------------------------------------------------- Fri Feb 23 20:37:25 UTC 2024 - Andreas Schwab diff --git a/ghc-pandoc.spec b/ghc-pandoc.spec index f40c43e..c9da858 100644 --- a/ghc-pandoc.spec +++ b/ghc-pandoc.spec @@ -20,7 +20,7 @@ %global pkgver %{pkg_name}-%{version} %bcond_with tests Name: ghc-%{pkg_name} -Version: 3.1.12.1 +Version: 3.1.12.2 Release: 0 Summary: Conversion between markup formats License: GPL-2.0-or-later @@ -67,6 +67,8 @@ BuildRequires: ghc-containers-devel BuildRequires: ghc-containers-prof BuildRequires: ghc-crypton-connection-devel BuildRequires: ghc-crypton-connection-prof +BuildRequires: ghc-crypton-x509-system-devel +BuildRequires: ghc-crypton-x509-system-prof BuildRequires: ghc-data-default-devel BuildRequires: ghc-data-default-prof BuildRequires: ghc-deepseq-devel @@ -146,6 +148,8 @@ BuildRequires: ghc-text-devel BuildRequires: ghc-text-prof BuildRequires: ghc-time-devel BuildRequires: ghc-time-prof +BuildRequires: ghc-tls-devel +BuildRequires: ghc-tls-prof BuildRequires: ghc-typst-devel BuildRequires: ghc-typst-prof BuildRequires: ghc-unicode-collation-devel diff --git a/pandoc-3.1.12.1.tar.gz b/pandoc-3.1.12.1.tar.gz deleted file mode 100644 index 17f0e39..0000000 --- a/pandoc-3.1.12.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:57efd39269141ed066803967b605fba3b4fd9c0f0fc31edccb186fbda1683bbc -size 7363985 diff --git a/pandoc-3.1.12.2.tar.gz b/pandoc-3.1.12.2.tar.gz new file mode 100644 index 0000000..99f2030 --- /dev/null +++ b/pandoc-3.1.12.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fa1e2353c36d6209d9ac9434636fdca8c0a27720c9d2fa5594d31dfbeed83e52 +size 7365367 From c0fe23c0df1361b8ebe8af10ac20e86ebfc52cb1e1a4c262d2d9ecd7fd864f96 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 1 Mar 2024 21:25:57 +0000 Subject: [PATCH 4/4] osc copypac from project:devel:languages:haskell:ghc-9.8.x package:ghc-pandoc revision:6, using keep-link OBS-URL: https://build.opensuse.org/package/show/devel:languages:haskell/ghc-pandoc?expand=0&rev=29 --- CVE-2023-35936.patch | 124 ------------------------------------------- CVE-2023-38745.patch | 68 ------------------------ 2 files changed, 192 deletions(-) delete mode 100644 CVE-2023-35936.patch delete mode 100644 CVE-2023-38745.patch diff --git a/CVE-2023-35936.patch b/CVE-2023-35936.patch deleted file mode 100644 index ae6b655..0000000 --- a/CVE-2023-35936.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 Mon Sep 17 00:00:00 2001 -From: John MacFarlane -Date: Tue, 20 Jun 2023 13:50:13 -0700 -Subject: [PATCH] Fix a security vulnerability in MediaBag and - T.P.Class.IO.writeMedia. - -This vulnerability, discovered by Entroy C, allows users to write -arbitrary files to any location by feeding pandoc a specially crafted -URL in an image element. The vulnerability is serious for anyone -using pandoc to process untrusted input. The vulnerability does -not affect pandoc when run with the `--sandbox` flag. ---- - src/Text/Pandoc/Class/IO.hs | 14 +++++++------- - src/Text/Pandoc/MediaBag.hs | 28 ++++++++++++++++------------ - 2 files changed, 23 insertions(+), 19 deletions(-) - -Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs -=================================================================== ---- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs 2001-09-09 01:46:40.000000000 +0000 -+++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs 2023-07-14 18:39:12.169005026 +0000 -@@ -50,7 +50,7 @@ import Network.HTTP.Client.Internal (add - import Network.HTTP.Client.TLS (mkManagerSettings) - import Network.HTTP.Types.Header ( hContentType ) - import Network.Socket (withSocketsDo) --import Network.URI (unEscapeString) -+import Network.URI (URI(..), parseURI) - import System.Directory (createDirectoryIfMissing) - import System.Environment (getEnv) - import System.FilePath ((), takeDirectory, normalise) -@@ -122,11 +122,11 @@ newUniqueHash = hashUnique <$> liftIO Da - - openURL :: (PandocMonad m, MonadIO m) => Text -> m (B.ByteString, Maybe MimeType) - openURL u -- | Just u'' <- T.stripPrefix "data:" u = do -- let mime = T.takeWhile (/=',') u'' -- let contents = UTF8.fromString $ -- unEscapeString $ T.unpack $ T.drop 1 $ T.dropWhile (/=',') u'' -- return (decodeBase64Lenient contents, Just mime) -+ | Just (URI{ uriScheme = "data:", -+ uriPath = upath }) <- parseURI (T.unpack u) = do -+ let (mime, rest) = break (== '.') upath -+ let contents = UTF8.fromString $ drop 1 rest -+ return (decodeBase64Lenient contents, Just (T.pack mime)) - | otherwise = do - let toReqHeader (n, v) = (CI.mk (UTF8.fromText n), UTF8.fromText v) - customHeaders <- map toReqHeader <$> getsCommonState stRequestHeaders -@@ -224,7 +224,7 @@ writeMedia :: (PandocMonad m, MonadIO m) - -> m () - writeMedia dir (fp, _mt, bs) = do - -- we normalize to get proper path separators for the platform -- let fullpath = normalise $ dir unEscapeString fp -+ let fullpath = normalise $ dir fp - liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath) - logIOError $ BL.writeFile fullpath bs - -Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs -=================================================================== ---- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs 2001-09-09 01:46:40.000000000 +0000 -+++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs 2023-07-14 18:39:12.170005139 +0000 -@@ -28,6 +28,7 @@ import Data.Data (Data) - import qualified Data.Map as M - import Data.Maybe (fromMaybe, isNothing) - import Data.Typeable (Typeable) -+import Network.URI (unEscapeString) - import System.FilePath - import qualified System.FilePath.Posix as Posix - import qualified System.FilePath.Windows as Windows -@@ -35,7 +36,7 @@ import Text.Pandoc.MIME (MimeType, getMi - import Data.Text (Text) - import qualified Data.Text as T - import Data.Digest.Pure.SHA (sha1, showDigest) --import Network.URI (URI (..), parseURI) -+import Network.URI (URI (..), parseURI, isURI) - - data MediaItem = - MediaItem -@@ -54,9 +55,12 @@ newtype MediaBag = MediaBag (M.Map Text - instance Show MediaBag where - show bag = "MediaBag " ++ show (mediaDirectory bag) - ---- | We represent paths with /, in normalized form. -+-- | We represent paths with /, in normalized form. Percent-encoding -+-- is resolved. - canonicalize :: FilePath -> Text --canonicalize = T.replace "\\" "/" . T.pack . normalise -+canonicalize fp -+ | isURI fp = T.pack fp -+ | otherwise = T.replace "\\" "/" . T.pack . normalise . unEscapeString $ fp - - -- | Delete a media item from a 'MediaBag', or do nothing if no item corresponds - -- to the given path. -@@ -79,23 +83,23 @@ insertMedia fp mbMime contents (MediaBag - , mediaContents = contents - , mediaMimeType = mt } - fp' = canonicalize fp -+ fp'' = T.unpack fp' - uri = parseURI fp -- newpath = if Posix.isRelative fp -- && Windows.isRelative fp -+ newpath = if Posix.isRelative fp'' -+ && Windows.isRelative fp'' - && isNothing uri -- && ".." `notElem` splitDirectories fp -- then T.unpack fp' -+ && not (".." `T.isInfixOf` fp') -+ then fp'' - else showDigest (sha1 contents) <> "." <> ext -- fallback = case takeExtension fp of -- ".gz" -> getMimeTypeDef $ dropExtension fp -- _ -> getMimeTypeDef fp -+ fallback = case takeExtension fp'' of -+ ".gz" -> getMimeTypeDef $ dropExtension fp'' -+ _ -> getMimeTypeDef fp'' - mt = fromMaybe fallback mbMime -- path = maybe fp uriPath uri -+ path = maybe fp'' (unEscapeString . uriPath) uri - ext = case takeExtension path of - '.':e -> e - _ -> maybe "" T.unpack $ extensionFromMimeType mt - -- - -- | Lookup a media item in a 'MediaBag', returning mime type and contents. - lookupMedia :: FilePath - -> MediaBag diff --git a/CVE-2023-38745.patch b/CVE-2023-38745.patch deleted file mode 100644 index 4645c48..0000000 --- a/CVE-2023-38745.patch +++ /dev/null @@ -1,68 +0,0 @@ -From eddedbfc14916aa06fc01ff04b38aeb30ae2e625 Mon Sep 17 00:00:00 2001 -From: John MacFarlane -Date: Thu, 20 Jul 2023 09:26:38 -0700 -Subject: [PATCH] Fix new variant of the vulnerability in CVE-2023-35936. - -Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete. -An attacker could get around it by double-encoding the malicious -extension to create or override arbitrary files. - - $ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md - $ .cabal/bin/pandoc b.md --extract-media=bar -

- $ cat b.lua - print "hello" - $ find bar - bar/ - bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+ - -This commit adds a test case for this more complex attack and fixes -the vulnerability. (The fix is quite simple: if the URL-unescaped -filename or extension contains a '%', we just use the sha1 hash of the -contents as the canonical name, just as we do if the filename contains -'..'.) ---- - src/Text/Pandoc/Class/IO.hs | 2 ++ - src/Text/Pandoc/MediaBag.hs | 7 ++++--- - test/Tests/MediaBag.hs | 12 +++++++++++- - 3 files changed, 17 insertions(+), 4 deletions(-) - -Index: pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs -=================================================================== ---- pandoc-3.1.3.orig/src/Text/Pandoc/Class/IO.hs 2023-09-21 09:24:23.311539088 +0000 -+++ pandoc-3.1.3/src/Text/Pandoc/Class/IO.hs 2023-09-21 09:27:24.005959930 +0000 -@@ -224,6 +224,8 @@ writeMedia :: (PandocMonad m, MonadIO m) - -> m () - writeMedia dir (fp, _mt, bs) = do - -- we normalize to get proper path separators for the platform -+ -- we unescape URI encoding, but given how insertMedia -+ -- is written, we shouldn't have any % in a canonical media name... - let fullpath = normalise $ dir fp - liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath) - logIOError $ BL.writeFile fullpath bs -Index: pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs -=================================================================== ---- pandoc-3.1.3.orig/src/Text/Pandoc/MediaBag.hs 2023-09-21 09:24:23.311539088 +0000 -+++ pandoc-3.1.3/src/Text/Pandoc/MediaBag.hs 2023-09-21 09:27:24.006959920 +0000 -@@ -89,16 +89,17 @@ insertMedia fp mbMime contents (MediaBag - && Windows.isRelative fp'' - && isNothing uri - && not (".." `T.isInfixOf` fp') -+ && '%' `notElem` fp'' - then fp'' -- else showDigest (sha1 contents) <> "." <> ext -+ else showDigest (sha1 contents) <> ext - fallback = case takeExtension fp'' of - ".gz" -> getMimeTypeDef $ dropExtension fp'' - _ -> getMimeTypeDef fp'' - mt = fromMaybe fallback mbMime - path = maybe fp'' (unEscapeString . uriPath) uri - ext = case takeExtension path of -- '.':e -> e -- _ -> maybe "" T.unpack $ extensionFromMimeType mt -+ '.':e | '%' `notElem` e -> '.':e -+ _ -> maybe "" (\x -> '.':T.unpack x) $ extensionFromMimeType mt - - -- | Lookup a media item in a 'MediaBag', returning mime type and contents. - lookupMedia :: FilePath