2225379 – (CVE-2023-38745) CVE-2023-38745 pandoc: allows attacker to create or overwrite arbitrary files on the system (incomplete fix in upstream for CVE-2023-35936)

Bug 2225379 (CVE-2023-38745) - CVE-2023-38745 pandoc: allows attacker to create or overwrite arbitrary files on the system (incomplete fix in upstream for CVE-2023-35936)

Summary: CVE-2023-38745 pandoc: allows attacker to create or overwrite arbitrary files...

Keywords:
Status:	NEW
Alias:	CVE-2023-38745
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2220880 2225382 2227033 2227034
Blocks:	2225384
TreeView+	depends on / blocked

Reported:	2023-07-25 07:05 UTC by Sandipan Roy
Modified:	2024-03-30 01:08 UTC (History)
CC List:	1 user (show)
Fixed In Version:	pandoc 3.1.6
Doc Type:	If docs needed, set a value
Doc Text:	An arbitrary file write vulnerability was found in Haskell's Pandoc. This issue can be triggered by providing a specially crafted image element in the input when generating files using the --extract-media option or outputting to PDF format. This may allow an attacker to create or overwrite arbitrary files on the system, depending on the privileges of the process running pandoc.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Sandipan Roy 2023-07-25 07:05:09 UTC

Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of the process running Pandoc. It only affects systems that pass untrusted user input to Pandoc and allow Pandoc to be used to produce a PDF or with the --extract-media option. NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure to properly account for double encoded path names).

https://github.com/jgm/pandoc/compare/3.1.5...3.1.6
https://github.com/jgm/pandoc/commit/eddedbfc14916aa06fc01ff04b38aeb30ae2e625

Comment 2 TEJ RATHI 2023-07-27 13:57:07 UTC

Created pandoc tracking bugs for this issue:

Affects: epel-all [bug 2227033]
Affects: fedora-all [bug 2227034]

Comment 3 Fedora Update System 2024-03-29 00:17:29 UTC

FEDORA-2024-7d83cbccb6 (ghc-base64-0.4.2.4-28.fc40, ghc-hakyll-4.16.2.0-4.fc40, and 6 more) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2024-03-30 01:08:50 UTC

FEDORA-2024-b458482d48 (ghc-base64-0.4.2.4-28.fc39, ghc-hakyll-4.16.2.0-4.fc39, and 6 more) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.