[Debian] High CVE: CVE-2023-35936 pandoc: an arbitrary file write vulnerability

Bug #2038885 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Peng Zhang
Milestone: (not set)

Bug Description

CVE-2023-35936: https://nvd.nist.gov/vuln/detail/CVE-2023-35936

Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Starting in version 1.13 and prior to version 3.1.4, Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the `--extract-media` option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system, depending on the privileges of the process running pandoc. It only affects systems that pass untrusted user input to pandoc and allow pandoc to be used to produce a PDF or with the `--extract-media` option.

The fix is to unescape the percent-encoding prior to checking that the resource is not above the working directory, and prior to extracting the extension. Some code for checking that the path is below the working directory was flawed in a similar way and has also been fixed. Note that the `--sandbox` option, which only affects IO done by readers and writers themselves, does not block this vulnerability. The vulnerability is patched in pandoc 3.1.4. As a workaround, audit the pandoc command and disallow PDF output and the `--extract-media` option.

Base Score: High

Reference:

['pandoc_2.9.2.1-1_amd64.deb===>pandoc_2.9.2.1-1+deb11u1_amd64.deb']
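The ordering problem described in the advisory, shown as an added Python illustration (this is not pandoc's Haskell code); the working directory path and the resource names are constructed for the example:

```python
import posixpath
from urllib.parse import unquote

# Assumed working directory for the example (not a real pandoc path).
WORKDIR = "/srv/pandoc-work"


def _contained(path: str, base: str = WORKDIR) -> bool:
    """True if base/path, after normalisation, stays inside base."""
    full = posixpath.normpath(posixpath.join(base, path))
    return full == base or full.startswith(base.rstrip("/") + "/")


def flawed_check(resource: str) -> bool:
    """Pre-3.1.4 ordering as the advisory describes it: the containment
    check runs on the still percent-encoded string. An encoded parent
    reference is just an ordinary path component at this point, so the
    check passes; the decoded form is what later reaches the filesystem."""
    return _contained(resource)


def fixed_check(resource: str) -> bool:
    """3.1.4 ordering: percent-decode first, then check containment, so the
    check sees the same path the writer will actually use."""
    return _contained(unquote(resource))


def destination(resource: str, base: str = WORKDIR) -> str:
    """The path a media file would be written to after decoding; this is
    the value the containment check must be applied to."""
    return posixpath.normpath(posixpath.join(base, unquote(resource)))


def extension(resource: str) -> str:
    """The advisory also moves extension extraction after decoding; an
    encoded name yields a meaningless extension before decoding."""
    return posixpath.splitext(unquote(resource))[1]
```

The useful comparison is `flawed_check(r)` against `_contained(destination(r))`: wherever they disagree, the pre-fix ordering would have accepted a path that lands outside the working directory.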


OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/899534

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/899534
Committed: https://opendev.org/starlingx/tools/commit/f2617a5e4be82deb41a480586b25ebc30fc6c62f
Submitter: "Zuul (22348)"
Branch: master

commit f2617a5e4be82deb41a480586b25ebc30fc6c62f
Author: Peng Zhang <email address hidden>
Date: Thu Nov 2 06:51:11 2023 +0000

    Debian: pandoc: fix CVE-2023-35936

    Upgrade pandoc package version from 2.9.2.1-1
    to 2.9.2.1-1+deb11u1 to fix CVE-2023-35936.

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2023-35936

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2038885

    Change-Id: Id8e1a18eddcf7328718bac2e1959aaff84f61f7e
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/starlingx/tools/+/900741
Committed: https://opendev.org/starlingx/tools/commit/d3c3805eef808e5327fd6dbcc36d805baf61871d
Submitter: "Zuul (22348)"
Branch: master

commit d3c3805eef808e5327fd6dbcc36d805baf61871d
Author: Peng Zhang <email address hidden>
Date: Mon Nov 13 05:23:17 2023 +0000

    Add dependency for package pandoc and python2.7

    After python2.7 related packages are upgraded to 2.7.18-8+deb11u1,
    the dependencies also need to be added, or else the following broken
    packages issue appears:
    'libpython2.7-dev : Depends: libpython2.7-stdlib (= 2.7.18-8+deb11u1)
                        but 2.7.18-8 is to be installed
                        Depends: libpython2.7 (= 2.7.18-8+deb11u1) but it
                        is not going to be installed
    python2.7-dev : Depends: python2.7 (= 2.7.18-8+deb11u1) but 2.7.18-8
                    is to be installed
                    Depends: libpython2.7 (= 2.7.18-8+deb11u1) but it is
                    not going to be installed'.
    So add the Debian-related packages for the unmet dependency of python2.7.

    After the pandoc related package is upgraded to 2.9.2.1-1+deb11u1,
    the dependency also needs to be added, or else the following broken
    packages issue appears:
    'pandoc : Depends: pandoc-data (>= 2.9.2.1-1+deb11u1) but 2.9.2.1-1
    is to be installed'.
    So add the Debian-related packages for the dependency of pandoc.

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2038885
    Closes-bug: #2038879

    Change-Id: Iddd84d615cfac3e8cc0d8ab0988d055ff4424648
    Signed-off-by: Peng Zhang <email address hidden>

Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)