Bug 1213622 (CVE-2023-38745)

Summary: VUL-0: CVE-2023-38745: pandoc: arbitrary file write via crafted image element in the input when generating files
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, peter.simons, rfrohl, security-team, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373342/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-38745:6.1:(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1213066

Description Carlos López 2023-07-25 07:49:29 UTC
CVE-2023-38745

Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by
providing a crafted image element in the input when generating files via the
--extract-media option or outputting to PDF format. This allows an attacker to
create or overwrite arbitrary files, depending on the privileges of the process
running Pandoc. It only affects systems that pass untrusted user input to Pandoc
and allow Pandoc to be used to produce a PDF or with the --extract-media option.
NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure
to properly account for double encoded path names).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38745
https://www.cve.org/CVERecord?id=CVE-2023-38745
https://github.com/jgm/pandoc/commit/eddedbfc14916aa06fc01ff04b38aeb30ae2e625
https://github.com/jgm/pandoc/compare/3.1.5...3.1.6
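
The failure mode named in the description (a traversal check that misses double-encoded path names), as an added example that is neither pandoc's code nor part of this bug report. `naive_target`, `safe_target`, `classify` and the sample names are hypothetical, and the second decoding step in `naive_target` is an assumption standing in for any later stage that decodes the name again.

```python
import os
from urllib.parse import unquote

# Constructed sample names (not taken from the bug report).
SAMPLES = ["images/a.png", "%2e%2e/x.txt", "%252e%252e/%252e%252e/x.txt"]

def naive_target(media_dir, src):
    """Incomplete check: decode once, reject '..', then decode again later."""
    once = unquote(src)
    if ".." in once.split("/"):
        raise ValueError("path traversal rejected")
    # Assumption: a later stage decodes the name again before writing it.
    return os.path.normpath(os.path.join(media_dir, unquote(once)))

def safe_target(media_dir, src, max_rounds=5):
    """Decode to a fixed point, then enforce containment on the resolved path."""
    name = src
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise ValueError("too many encoding layers")
    root = os.path.realpath(media_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the media directory")
    return target

def classify(media_dir, src):
    """Return (naive_result, safe_result); each is a path or 'rejected'."""
    out = []
    for fn in (naive_target, safe_target):
        try:
            out.append(fn(media_dir, src))
        except ValueError:
            out.append("rejected")
    return tuple(out)

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, classify("/srv/media", s))
```

The containment test on the fully resolved path is what holds regardless of how many encoding layers the name carried; the string check for `..` only covers the layers it happened to decode.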
Comment 1 Carlos López 2023-07-25 07:53:16 UTC
This is essentially the fact that the fix for CVE-2023-35936 (bsc#1213066) was incomplete.
Comment 4 Peter Simons 2023-09-21 10:14:08 UTC
The fix is on its way to Factory via https://build.opensuse.org/request/show/1112771. I'll propagate it to the other code streams from there once it's been accepted.
Comment 17 Robert Frohl 2024-05-22 11:10:25 UTC
done, closing