public inbox archive for pandoc-discuss@googlegroups.com
From: John MacFarlane <fiddlosopher-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: pandoc-announce-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org,
	pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
Subject: SECURITY: arbitrary file write vulnerability
Date: Tue, 20 Jun 2023 14:17:06 -0700
Message-ID: <91409F78-637E-4CBE-B601-DC436300C714@gmail.com>


Entroy C has discovered a security vulnerability in pandoc, affecting all recent versions of pandoc (and probably versions as old as 1.13).  The vulnerability affects the MediaBag mechanism and allows users to write arbitrary files to any location by feeding pandoc an image element with a specially crafted URL when using --extract-media or creating a PDF.  The vulnerability is serious for anyone using pandoc to process untrusted input.  The vulnerability does not affect pandoc when run with the --sandbox flag.

The vulnerability is fixed in commit 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 in the main branch of the pandoc repository.

It can also be avoided by using --sandbox (which we recommend anyway when processing untrusted input).

I plan to put out a release with this fix soon, but I wanted to announce the vulnerability now, since the commit is now visible in a public repository.

Many thanks to Entroy C for finding the issue.

-- 
You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/91409F78-637E-4CBE-B601-DC436300C714%40gmail.com.
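As an added illustration (not pandoc's code, and not the fix in the commit named above), the kind of containment check an --extract-media style feature needs before writing a file: every destination path derived from an image URL must resolve inside the media directory, whatever the URL's encoding or scheme. The function name `safe_media_path` and the sample paths are assumptions.

```python
from pathlib import Path, PurePosixPath
from typing import Optional
from urllib.parse import unquote, urlparse


def safe_media_path(media_dir: str, image_url: str) -> Optional[Path]:
    """Map an image URL from a document onto a file path inside media_dir.

    Returns the resolved destination path, or None when the URL would land
    outside media_dir: absolute paths, drive letters, backslashes, '..'
    traversal (including percent-encoded forms), or a path that resolves
    outside the directory through a symlink.  Hypothetical helper.
    """
    base = Path(media_dir).resolve()
    parsed = urlparse(image_url)
    # Only the path component is ever used as a filename; decode it first so
    # that "%2e%2e" is inspected as "..", not as harmless text.
    raw = unquote(parsed.path)
    if parsed.netloc:
        # Remote resource: its path is stored relative to the media directory.
        raw = raw.lstrip("/")
    rel = PurePosixPath(raw)
    if rel.is_absolute() or not rel.parts:
        return None
    # Reject suspicious components outright rather than trying to clean them.
    for part in rel.parts:
        if part == ".." or ":" in part or "\\" in part:
            return None
    candidate = (base / Path(*rel.parts)).resolve()
    # Final containment check after symlink resolution.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: two that stay inside the directory, three that do not.
    for url in ("images/fig1.png", "https://example.com/img/a.png",
                "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "file:///etc/passwd"):
        print(f"{url!r:40} -> {safe_media_path('/tmp/media-example', url)}")
```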
