From a30e31f43710e047e39fc08a0540f94f8f8eb5e6 Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Tue, 18 Mar 2025 18:37:56 +0800 Subject: [PATCH] rebuild with ghc-cmark-gfm-0.2.6 for various security fixes see https://github.com/github/cmark-gfm/security for the full list (Sep 2022 to July 2023), including: Resolves: CVE-2023-24824 Resolves: CVE-2023-26485 Resolves: RHEL-83922 --- pandoc.spec | 10 +++++++++- rpminspect.yaml | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 rpminspect.yaml diff --git a/pandoc.spec b/pandoc.spec index b8da3d1..ae728d2 100644 --- a/pandoc.spec +++ b/pandoc.spec @@ -11,7 +11,7 @@ Name: %{pkg_name} Version: 2.0.6 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Conversion between markup formats License: GPLv2+ @@ -209,6 +209,14 @@ install -m 0644 -p -D man/pandoc.1 %{buildroot}%{_mandir}/man1/pandoc.1 %changelog +* Mon Mar 17 2025 Jens Petersen - 2.0.6-7 +- rebuild with ghc-cmark-gfm-0.2.6 for various security fixes, + see https://github.com/github/cmark-gfm/security for the full list + (Sep 2022 to July 2023), including: +- Resolves: CVE-2023-24824 +- Resolves: CVE-2023-26485 +- Resolves: RHEL-83922 + * Thu Apr 14 2022 Jens Petersen - 2.0.6-6 - rebuild with ghc-cmark-gfm-0.2.3 for CVE-2022-24724 (#2060667) - https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x diff --git a/rpminspect.yaml b/rpminspect.yaml new file mode 100644 index 0000000..c9a24c7 --- /dev/null +++ b/rpminspect.yaml @@ -0,0 +1,18 @@ +--- +xml: + # the rendering of libraries source code has anchors with + ignore: + - "/usr/share/pandoc-*/data/templates/*" + +elf: + # 14 libs for base, rts, & unix have objects built without -fPIC on x86_64. + # ghc's runtime has this intentionally for performance optimization. + ignore: + - "/usr/lib64/ghc-*/*/libHS*.a" + +runpath: + # Technically the /usr/lib64 one should be fixed in the build, but + # the other one should be allowed for the ghc ecosystem. + allowed_paths: + - /usr/lib64 + - /usr/lib64/ghc-8.8.4/rts