Fedora 34: FEDORA-2020-1fbd8e0b5e Critical Pandoc Buffer Overflow Issue

Pandoc is a Haskell library for converting from one markup format to another,

and a command-line tool that uses this library. It can read several dialects of

Markdown and (subsets of) HTML, reStructuredText, LaTeX, DocBook, JATS,

MediaWiki markup, DokuWiki markup, TWiki markup, TikiWiki markup, Creole 1.0,

Haddock markup, OPML, Emacs Org-Mode, Emacs Muse, txt2tags, ipynb (Jupyter

notebooks), Vimwiki, Word Docx, ODT, EPUB, FictionBook2, roff man, and Textile,

and it can write Markdown, reStructuredText, XHTML, HTML 5, LaTeX, ConTeXt,

DocBook, JATS, OPML, TEI, OpenDocument, ODT, Word docx, PowerPoint pptx, RTF,

MediaWiki, DokuWiki, XWiki, ZimWiki, Textile, Jira, roff man, roff ms, plain

text, Emacs Org-Mode, AsciiDoc, Haddock markup, EPUB (v2 and v3), ipynb,

FictionBook2, InDesign ICML, Muse, LaTeX beamer slides, and several kinds of

HTML/JavaScript slide shows (S5, Slidy, Slideous, DZSlides, reveal.js).

In contrast to most existing tools for converting Markdown to HTML, pandoc has

a modular design: it consists of a set of readers, which parse text in a given

format and produce a native representation of the document, and a set of

writers, which convert this native representation into a target format.

Thus, adding an input or output format requires only adding a reader or writer.

For pdf output please also install pandoc-pdf or weasyprint.

Security fix for CVE-2020-5238 - ghc-cmark-gfm updated to 0.2.2 which rebases

the bundled cmark-gfm to 0.29.0.gfm.1 - also update hakyll to 4.13.4.0

https://github.com/github/cmark-gfm/security/advisories/GHSA-7gc6-9qr5-hc85

* Mon Sep 21 2020 Jens Petersen - 2.7.3-4

- rebuild for cmark-gfm-0.2.2: fixes exponential parse (#1854329)

[ 1 ] Bug #1854328 - CVE-2020-5238 cmark: Exponential time to parse certain inputs could lead to DoS.

https://bugzilla.redhat.com/show_bug.cgi?id=1854328

su -c 'dnf upgrade --advisory FEDORA-2020-1eaffe0013' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/