emacs-orgmode

CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulner


From: Max Nikulin
Subject: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulnerability.)
Date: Tue, 2 May 2023 18:02:42 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0

On 01/05/2023 18:18, Ihor Radchenko wrote:
> Max Nikulin writes:
>
>> I just have noticed that it is tracked as a CVE record:
>>
>> https://www.cve.org/CVERecord?id=CVE-2023-28617
>> https://nvd.nist.gov/vuln/detail/CVE-2023-28617
>
> And we do not need to do anything about it, right?

I posted the links as a reminder that shell commands should be avoided when possible (and it does not break TRAMP) and arguments should be escaped otherwise.

I suppose the issue has received too much attention already:

- https://security-tracker.debian.org/tracker/CVE-2023-28617
- https://ubuntu.com/security/notices/USN-6003-1
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-28617
etc.
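
The reminder in the message above (avoid the shell where possible, escape arguments otherwise), as an added Emacs Lisp illustration that is not part of the original e-mail and is not Org mode's code. The `demo-` names and the file name are constructed for the example; it assumes a POSIX shell and a `printf` executable on PATH.

```emacs-lisp
;;; Added example: how one file name reaches a program three different ways.
;;; printf prints each argument it receives in [brackets], so the output
;;; shows exactly what the program saw.

(defconst demo-file-name "report $(echo INJECTED) final.pdf"
  "Constructed file name containing shell metacharacters.")

(defun demo-unsafe-shell (name)
  "Concatenate NAME unquoted into a shell command string (pattern to avoid).
The shell word-splits NAME and evaluates the command substitution in it."
  (shell-command-to-string (concat "printf '[%s]\\n' " name)))

(defun demo-quoted-shell (name)
  "Still uses the shell, but escapes NAME with `shell-quote-argument'.
NAME arrives as a single, literal argument."
  (shell-command-to-string
   (concat "printf '[%s]\\n' " (shell-quote-argument name))))

(defun demo-no-shell (name)
  "Run printf directly with NAME as one argv entry; no shell parses it.
`process-file' is used rather than `call-process' so that a remote
`default-directory' (TRAMP) is honoured."
  (with-temp-buffer
    (process-file "printf" nil t nil "[%s]\\n" name)
    (buffer-string)))

;; Print what each variant delivered to printf.
(dolist (fn '(demo-unsafe-shell demo-quoted-shell demo-no-shell))
  (message "%-18s -> %S" fn (funcall fn demo-file-name)))
```

Only the first variant lets the file name be split into several arguments and have its `$(...)` evaluated; the other two deliver the name to `printf` as one literal argument.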



