From: John MacFarlane
Newsgroups: gmane.text.pandoc
Subject: SECURITY: arbitrary file write vulnerability
Date: Tue, 20 Jun 2023 14:17:06 -0700
Message-ID: <91409F78-637E-4CBE-B601-DC436300C714@gmail.com>
To: pandoc-announce-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org, pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org

Entroy C has discovered a security vulnerability in pandoc, affecting all recent versions of pandoc (and probably versions as old as 1.13). The vulnerability affects the MediaBag mechanism and allows users to write arbitrary files to any location by feeding pandoc an image element with a specially crafted URL when using --extract-media or creating a PDF. The vulnerability is serious for anyone using pandoc to process untrusted input. The vulnerability does not affect pandoc when run with the --sandbox flag.

The vulnerability is fixed in commit 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 in the main branch of the pandoc repository.

It can also be avoided by using --sandbox (which we recommend anyway when processing untrusted input).

I plan to put out a release with this fix soon, but I wanted to announce the vulnerability now, since the commit is now visible in a public repository.

Many thanks to Entroy C for finding the issue.
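
The advisory describes a file write whose destination is derived from an untrusted image URL. As an added illustration (not part of the original message and not pandoc's own fix), the Python below shows a containment check an extractor can apply before writing a media file under its output directory; `safe_media_path`, `is_safe`, `UnsafeMediaPath` and the sample URLs are hypothetical names and constructed inputs.

```python
import os
from urllib.parse import unquote, urlsplit


class UnsafeMediaPath(ValueError):
    """The URL would map to a file outside the extraction directory."""


def safe_media_path(extract_dir, url):
    """Return a path for url that is guaranteed to lie inside extract_dir."""
    path = urlsplit(url).path  # scheme, host, query and fragment never name a file
    for _ in range(5):  # decode until stable so double-encoded segments cannot hide
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise UnsafeMediaPath("too many layers of percent-encoding")
    if "\x00" in path:
        raise UnsafeMediaPath("NUL byte in path")
    # Treat both separator styles alike, then drop empty and "." segments.
    segments = [s for s in path.replace("\\", "/").split("/") if s not in ("", ".")]
    if not segments or ".." in segments or any(":" in s for s in segments):
        raise UnsafeMediaPath(f"refusing path derived from {url!r}")
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Final containment check; also catches symlinks already present under root.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeMediaPath(f"{url!r} resolves outside {root}")
    return candidate


def is_safe(extract_dir, url):
    """True if url maps to a location inside extract_dir, False otherwise."""
    try:
        safe_media_path(extract_dir, url)
        return True
    except UnsafeMediaPath:
        return False


# Constructed sample inputs for the check (not taken from the advisory).
SAMPLES = [
    "https://example.org/img/logo.png",
    "../../outside.png",
    "img/%2e%2e/%2e%2e/outside.png",
    "img/%252e%252e/%252e%252e/outside.png",
]
```

A check like this complements, and does not replace, running pandoc with --sandbox on untrusted input as the message recommends.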