Bug 1213622 (CVE-2023-38745) - VUL-0: CVE-2023-38745: pandoc: arbitrary file write via crafted image element in the input when generating files
Summary: VUL-0: CVE-2023-38745: pandoc: arbitrary file write via crafted image element...
Status: RESOLVED FIXED
Alias: CVE-2023-38745
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/373342/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-38745:6.1:(AV:...
Keywords:
Depends on:
Blocks: CVE-2023-35936
  Show dependency treegraph
 
Reported: 2023-07-25 07:49 UTC by Carlos López
Modified: 2024-05-22 11:10 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2023-07-25 07:49:29 UTC 
CVE-2023-38745

Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by
providing a crafted image element in the input when generating files via the
--extract-media option or outputting to PDF format. This allows an attacker to
create or overwrite arbitrary files, depending on the privileges of the process
running Pandoc. It only affects systems that pass untrusted user input to Pandoc
and allow Pandoc to be used to produce a PDF or with the --extract-media option.
NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure
to properly account for double encoded path names).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38745
https://www.cve.org/CVERecord?id=CVE-2023-38745
https://github.com/jgm/pandoc/commit/eddedbfc14916aa06fc01ff04b38aeb30ae2e625
https://github.com/jgm/pandoc/compare/3.1.5...3.1.6
Comment 1 Carlos López 2023-07-25 07:53:16 UTC 
This is essentially the fact that the fix for CVE-2023-35936 (bsc#1213066) was incomplete.
Comment 4 Peter Simons 2023-09-21 10:14:08 UTC 
The fix is on its way To Factory via https://build.opensuse.org/request/show/1112771. I'll propagate it to the other code streams from there once its been accepted.
Comment 17 Robert Frohl 2024-05-22 11:10:25 UTC 
done, closing