[SECURITY] [DLA 3507-1] pandoc security update

2023-07-2519:10:00

lists.debian.org

cve-2023-35936

cve-2023-38745

vulnerabilities

arbitrary file

pandoc

debian 10

6.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.0%

JSON

Debian LTS Advisory DLA-3507-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
July 25, 2023 https://wiki.debian.org/LTS

Package : pandoc
Version : 2.2.1-3+deb10u1
CVE ID : CVE-2023-35936 CVE-2023-38745
Debian Bug : 1041976

Arbitrary file write vulnerabilities were discovered in pandoc, an
Haskell library and CLI tool for converting from one markup format to
another. These vulnerabilities can be triggered by providing a
specially crafted image element in the input when generating files using
the --extract-media option or outputting to PDF format, and allow an
attacker to create or overwrite arbitrary files on the system (depending
on the privileges of the process running pandoc).

CVE-2023-35936

Entroy C discovered that appending percent-encoded directory
components to the end of malicious data: URI, an attacker could
trick pandoc into creating or or overwriting arbitrary files on the
system.

CVE-2023-38745

I discovered that the upstream fix for CVE-2023-35936 was
incomplete, namely that the vulnerability remained when encoding &#x27;%&#x27;
characters as &#x27;%25&#x27;.

For Debian 10 buster, these problems have been fixed in version
2.2.1-3+deb10u1.

We recommend that you upgrade your pandoc packages.

For the detailed security status of pandoc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pandoc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian10allpandoc< 2.2.1-3+deb10u1pandoc_2.2.1-3+deb10u1_all.deb
Debian10armhflibghc-pandoc-dev< 2.2.1-3+deb10u1libghc-pandoc-dev_2.2.1-3+deb10u1_armhf.deb
Debian10arm64pandoc< 2.2.1-3+deb10u1pandoc_2.2.1-3+deb10u1_arm64.deb
Debian10armhfpandoc< 2.2.1-3+deb10u1pandoc_2.2.1-3+deb10u1_armhf.deb
Debian10i386libghc-pandoc-prof< 2.2.1-3+deb10u1libghc-pandoc-prof_2.2.1-3+deb10u1_i386.deb
Debian10alllibghc-pandoc-doc< 2.2.1-3+deb10u1libghc-pandoc-doc_2.2.1-3+deb10u1_all.deb
Debian10amd64libghc-pandoc-dev< 2.2.1-3+deb10u1libghc-pandoc-dev_2.2.1-3+deb10u1_amd64.deb
Debian10i386libghc-pandoc-dev< 2.2.1-3+deb10u1libghc-pandoc-dev_2.2.1-3+deb10u1_i386.deb
Debian10armhflibghc-pandoc-prof< 2.2.1-3+deb10u1libghc-pandoc-prof_2.2.1-3+deb10u1_armhf.deb
Debian10allpandoc-data< 2.2.1-3+deb10u1pandoc-data_2.2.1-3+deb10u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	pandoc	< 2.2.1-3+deb10u1	pandoc_2.2.1-3+deb10u1_all.deb
Debian	10	armhf	libghc-pandoc-dev	< 2.2.1-3+deb10u1	libghc-pandoc-dev_2.2.1-3+deb10u1_armhf.deb
Debian	10	arm64	pandoc	< 2.2.1-3+deb10u1	pandoc_2.2.1-3+deb10u1_arm64.deb
Debian	10	armhf	pandoc	< 2.2.1-3+deb10u1	pandoc_2.2.1-3+deb10u1_armhf.deb
Debian	10	i386	libghc-pandoc-prof	< 2.2.1-3+deb10u1	libghc-pandoc-prof_2.2.1-3+deb10u1_i386.deb
Debian	10	all	libghc-pandoc-doc	< 2.2.1-3+deb10u1	libghc-pandoc-doc_2.2.1-3+deb10u1_all.deb
Debian	10	amd64	libghc-pandoc-dev	< 2.2.1-3+deb10u1	libghc-pandoc-dev_2.2.1-3+deb10u1_amd64.deb
Debian	10	i386	libghc-pandoc-dev	< 2.2.1-3+deb10u1	libghc-pandoc-dev_2.2.1-3+deb10u1_i386.deb
Debian	10	armhf	libghc-pandoc-prof	< 2.2.1-3+deb10u1	libghc-pandoc-prof_2.2.1-3+deb10u1_armhf.deb
Debian	10	all	pandoc-data	< 2.2.1-3+deb10u1	pandoc-data_2.2.1-3+deb10u1_all.deb