Fedora 34: FEDORA-2022-1f981071eb Moderate: Pandoc Remote Code Execution

Pandoc is a Haskell library for converting from one markup format to another,

and a command-line tool that uses this library. It can read several dialects of

Markdown and (subsets of) HTML, reStructuredText, LaTeX, DocBook, JATS,

MediaWiki markup, DokuWiki markup, TWiki markup, TikiWiki markup, Jira markup,

Creole 1.0, Haddock markup, OPML, Emacs Org-Mode, Emacs Muse, txt2tags, ipynb

(Jupyter notebooks), Vimwiki, Word Docx, ODT, EPUB, FictionBook2, roff man,

Textile, and CSV, and it can write Markdown, reStructuredText, XHTML, HTML 5,

LaTeX, ConTeXt, DocBook, JATS, OPML, TEI, OpenDocument, ODT, Word docx,

PowerPoint pptx, RTF, MediaWiki, DokuWiki, XWiki, ZimWiki, Textile, Jira, roff

man, roff ms, plain text, Emacs Org-Mode, AsciiDoc, Haddock markup, EPUB (v2

and v3), ipynb, FictionBook2, InDesign ICML, Muse, LaTeX beamer slides, and

several kinds of HTML/JavaScript slide shows (S5, Slidy, Slideous, DZSlides,

reveal.js).

In contrast to most existing tools for converting Markdown to HTML, pandoc has

a modular design: it consists of a set of readers, which parse text in a given

format and produce a native representation of the document, and a set of

writers, which convert this native representation into a target format.

Thus, adding an input or output format requires only adding a reader or writer.

For pdf output please also install pandoc-pdf or weasyprint.

Security fix for CVE-2022-24724 - https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x - fixed upstream in Haskell cmark-gfm-0.2.3 in bundled cmark-gfm-0.29.0.gfm.3 C library - pandoc-citeproc: update

HsYAML-aeson to 0.2.0.1

* Thu Mar 24 2022 Jens Petersen - 2.9.2.1-10

- require cmark-gfm-0.2.3 for CVE-2022-24724 (#2060663)

https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x

[ 1 ] Bug #2060662 - CVE-2022-24724 cmark-gfm: possible RCE due to integer overflow

https://bugzilla.redhat.com/show_bug.cgi?id=2060662

su -c 'dnf upgrade --advisory FEDORA-2022-1f981071eb' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure