-------------------------------------------------------------------------
Debian LTS Advisory DLA-3507-1                  [email protected]
https://www.debian.org/lts/security/                        Guilhem Moulin
July 25, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pandoc
Version        : 2.2.1-3+deb10u1
CVE ID         : CVE-2023-35936 CVE-2023-38745
Debian Bug     : 1041976

Arbitrary file write vulnerabilities were discovered in pandoc, a Haskell
library and CLI tool for converting from one markup format to another.
These vulnerabilities can be triggered by providing a specially crafted
image element in the input when generating files using the
`--extract-media` option or outputting to PDF format, and allow an
attacker to create or overwrite arbitrary files on the system (depending
on the privileges of the process running pandoc).

CVE-2023-35936

    Entroy C discovered that by appending percent-encoded directory
    components to the end of a malicious data: URI, an attacker could
    trick pandoc into creating or overwriting arbitrary files on the
    system.

CVE-2023-38745

    I discovered that the upstream fix for CVE-2023-35936 was
    incomplete, namely that the vulnerability remained when encoding
    '%' characters as '%25'.

For Debian 10 buster, these problems have been fixed in version
2.2.1-3+deb10u1.

We recommend that you upgrade your pandoc packages.

For the detailed security status of pandoc please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/pandoc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
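As an added, defender-side illustration (not pandoc's code, which is Haskell), the Python below models why a single percent-decode before a path-confinement check leaves the gap described under CVE-2023-38745, and shows the check done on the exact path that will be written after decoding to a fixed point; `MEDIA_DIR`, the helper names and the sample file names are constructed.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed directory for the checks; it does not need to exist.
MEDIA_DIR = Path("media_out")


def decode_to_fixpoint(name: str, max_rounds: int = 8) -> str:
    """Percent-decode until nothing changes, so '%252e' -> '%2e' -> '.'
    is fully revealed before any path check runs."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    raise ValueError("percent-encoding did not stabilise")


def is_inside(root: Path, target: Path) -> bool:
    """True if target resolves to root itself or somewhere beneath it."""
    root, target = root.resolve(), target.resolve()
    return target == root or root in target.parents


def output_path_single_decode(root: Path, candidate: str):
    """Models the incomplete fix (an assumption about the failure mode,
    not pandoc's actual code): the confinement check runs after one
    decode, but the layer that builds the final path decodes again."""
    checked = unquote(candidate)
    if not is_inside(root, root / checked):
        return None                                 # rejected
    return (root / unquote(checked)).resolve()      # second decode: the gap


def output_path_hardened(root: Path, candidate: str):
    """Decode to a fixed point first, check confinement on the exact
    path that will be written, and return that path (or None)."""
    target = (root / decode_to_fixpoint(candidate)).resolve()
    return target if is_inside(root, target) else None


if __name__ == "__main__":
    # Constructed sample names: a benign one and the '%25'-hidden
    # parent-directory shape described for CVE-2023-38745.
    for name in ("img%20one.png", "%252e%252e%2fescaped.png"):
        print(name, output_path_single_decode(MEDIA_DIR, name),
              output_path_hardened(MEDIA_DIR, name))
```

The single-decode model accepts the second name and then resolves it to a file outside `MEDIA_DIR`, while the hardened check rejects it and still accepts the benign name.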