Bug 2225379 (CVE-2023-38745)

Summary: CVE-2023-38745 pandoc: allows attacker to create or overwrite arbitrary files on the system (incomplete fix in upstream for CVE-2023-35936)
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: petersen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pandoc 3.1.6 Doc Type: If docs needed, set a value
Doc Text:
An arbitrary file write vulnerability was found in Haskell's Pandoc. This issue can be triggered by providing a specially crafted image element in the input when generating files using the --extract-media option or outputting to PDF format. This may allow an attacker to create or overwrite arbitrary files on the system, depending on the privileges of the process running pandoc.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2220880, 2225382, 2227033, 2227034    
Bug Blocks: 2225384    

Description Sandipan Roy 2023-07-25 07:05:09 UTC 
Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of the process running Pandoc. It only affects systems that pass untrusted user input to Pandoc and allow Pandoc to be used to produce a PDF or with the --extract-media option. NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure to properly account for double encoded path names).

https://github.com/jgm/pandoc/compare/3.1.5...3.1.6
https://github.com/jgm/pandoc/commit/eddedbfc14916aa06fc01ff04b38aeb30ae2e625
Comment 2 TEJ RATHI 2023-07-27 13:57:07 UTC 
Created pandoc tracking bugs for this issue:

Affects: epel-all [bug 2227033]
Affects: fedora-all [bug 2227034]
Comment 3 Fedora Update System 2024-03-29 00:17:29 UTC 
FEDORA-2024-7d83cbccb6 (ghc-base64-0.4.2.4-28.fc40, ghc-hakyll-4.16.2.0-4.fc40, and 6 more) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 4 Fedora Update System 2024-03-30 01:08:50 UTC 
FEDORA-2024-b458482d48 (ghc-base64-0.4.2.4-28.fc39, ghc-hakyll-4.16.2.0-4.fc39, and 6 more) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.