@StaloneLab StaloneLab released this 30 Aug 10:09

This release fixes three security vulnerabilities. Please update as soon as possible.

Critical RCE in rebber that affected zmarkdown

A Remote Command Execution vulnerability was found in the rebber module,
which allowed execution of arbitrary commands. The reported problem came
from code blocks: their content could escape the generated CodeBlock LaTeX
environment and inject malicious LaTeX.

The mitigation forbids any \end{CodeBlock} command from appearing
inside code blocks themselves. The impact of this vulnerability is critical,
as it allows Remote Code Execution.

Minor LFI in remark-download-images that affected zmarkdown

A minor Local File Inclusion vulnerability has been found in
remark-download-images, which allowed images with a known path on
the host machine to be included in a LaTeX document.

To prevent it, a new option has been added that replaces
invalid paths with a default image instead of linking the image on the
host directly. This option is now enabled inside zmarkdown.
The impact of this vulnerability is minor, as it is restricted to images and
one needs to know the path of the image to exploit it.

Major blind SSRF in remark-download-images that affected zmarkdown

A major blind SSRF has been found in remark-images-download, which allowed
requests to be made to neighbouring servers on local IP ranges.
The issue came from loose filtering of URLs inside the module.

It has been corrected by preventing image downloads from
local IP ranges, in both IPv4 and IPv6.
To defeat malicious domain names, domain names that resolve to
local IPs are also forbidden inside the module.
The impact of this vulnerability is major, as it can allow access to
unexposed documents on the local network, and it is very easy
to exploit.