emacs-orgmode

Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vu


From: Max Nikulin
Subject: Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulnerability.)
Date: Thu, 11 May 2023 22:56:19 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0

On 02/05/2023 18:21, Ihor Radchenko wrote:
> Max Nikulin writes:
>
>> I posted the links as a reminder that shell commands should be avoided
>> when possible (and it does not break TRAMP) and arguments should be
>> escaped otherwise.
>
> But this patch literally fixed the problem. What else should we do?

Do you really think that it was the last unsafe shell command in the Org code?

https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-ditaa.el#n101
and (shell-command pdf-cmd) below

https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-lilypond.el#n194

Of course, you may say that expanding shell constructs in :file header argument is a feature that allows more flexibility. Personally, I inspect Org files obtained from external resources in some dumb enough viewer before opening them in Emacs.

>> I suppose, the issue has received too much attention already:
>>
>> - https://security-tracker.debian.org/tracker/CVE-2023-28617
>> - https://ubuntu.com/security/notices/USN-6003-1
>> - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-28617
>
> These appear to be different issues.

Linux distributions had to react to the CVE with a formally high score and updated Emacs packages, applying 2 tiny patches from this thread.
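
An added illustration, not code from Org or from this thread, of the two options the message names: avoid the shell where possible (in a TRAMP-aware way), or escape arguments otherwise. It assumes a POSIX shell; `echo` stands in for the external converter, and the `my/` names and the sample `:file` value are constructed.

```elisp
;;; -*- lexical-binding: t -*-
(require 'subr-x)  ; string-trim on older Emacs versions

;; Constructed sample: a :file header value taken from an untrusted Org file.
(defvar my/untrusted-file "out$(echo INJECTED).png"
  "Hypothetical :file value that contains a shell command substitution.")

(defun my/unsafe-command (file)
  "Build a command line by plain interpolation, with FILE unescaped."
  (format "echo converting %s" file))

(defun my/quoted-command (file)
  "Build the same command line with FILE escaped for the shell."
  (format "echo converting %s" (shell-quote-argument file)))

(defun my/run-without-shell (file)
  "Run echo with FILE as a single argv element, so no shell parses it.
`process-file' is the TRAMP-aware counterpart of `call-process'."
  (with-temp-buffer
    (process-file "echo" nil t nil "converting" file)
    (string-trim (buffer-string))))

(defun my/compare (file)
  "Return the output of all three variants for FILE, in order:
unescaped via shell, escaped via shell, argv list without a shell."
  (list
   (string-trim (shell-command-to-string (my/unsafe-command file)))
   (string-trim (shell-command-to-string (my/quoted-command file)))
   (my/run-without-shell file)))

;; Evaluate to compare the three results side by side.
(my/compare my/untrusted-file)
```

In the first result the shell has expanded the substitution inside the file name; the other two keep the file name as a literal string.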




