From: Max Nikulin
Subject: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Fri, 11 Aug 2023 17:59:00 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
Consider the following Org file
---- 8< ----
#+begin_src elisp :results none
(require 'ob-sqlite)
#+end_src
#+begin_src sqlite :db /tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)
select 1
#+end_src
---- >8 ----
Executing the sqlite code block causes creation of the
/tmp/ob-sqlite-vuln.log file.
The cause is usage of `org-fill-template' without `shell-quote-argument'.
From my point of view it is unsafe to open Org files from untrusted
sources in Emacs in general, so it is not a serious vulnerability. Some
users may consider shell expansion in file names a convenient feature.
However, earlier we had a quite similar issue:
lux. [PATCH] Fix ob-latex.el command injection vulnerability. Sat, 18
Feb 2023 18:08:44 +0800.
https://list.orgmode.org/tencent_7B48D6A8D4FCDC2DC8DF842B069B715ECE0A@qq.com
that is known as CVE-2023-28617 with a high enough score
"org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
GNU Emacs allows attackers to execute arbitrary commands via a file name
or directory name that contains shell metacharacters."
and caused updates of Emacs in various Linux distributions
https://security-tracker.debian.org/tracker/CVE-2023-28617
As to `org-fill-template', it may be affected by an issue similar to
Maxim Nikulin. greedy substitution in org-open-file. Wed, 20 Jan 2021
23:08:35 +0700.
https://list.orgmode.org/ru9ki4$t5e$1@ciao.gmane.io
since the expansion of a %key may contain %another that might be
interpolated on the next iteration. The function should perform substitution
during a single scan of the passed template.
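As an added illustration (not code from this report or from Org mode itself), the Emacs Lisp below contrasts a naive per-key substitution that re-scans already substituted text with a single-scan variant, and passes the :db value through `shell-quote-argument' before it reaches the shell. The `my/' function names and the command template are assumptions, not ob-sqlite's own.

```elisp
;; Added example, not code from the bug report or from Org mode.
(require 'cl-lib)

(defun my/fill-template-iterative (template alist)
  "Naive per-key substitution: each pass re-scans the whole string,
so a value inserted for one key may introduce a %KEY that a later
pass expands.  Illustrates the re-interpolation hazard."
  (dolist (entry alist template)
    (setq template (replace-regexp-in-string
                    (concat "%" (regexp-quote (car entry)))
                    (cdr entry) template t t))))

(defun my/fill-template-single-scan (template alist)
  "Replace every %KEY in one left-to-right scan of TEMPLATE.
Substituted text is inserted literally and never rescanned, so a
value cannot smuggle in another placeholder.  Unknown keys are kept."
  (replace-regexp-in-string
   "%\\([A-Za-z]+\\)"
   (lambda (m) (or (cdr (assoc (match-string 1 m) alist)) m))
   template t t))

(defun my/sqlite-command (db query-file)
  "Build a sqlite3 command line (assumed template) with every
user-controlled value shell-quoted, so a :db value such as
\"/tmp/ob.sqlite$(date)\" is a literal file name, not a shell expansion."
  (my/fill-template-single-scan
   "sqlite3 %db < %file"
   `(("db" . ,(shell-quote-argument db))
     ("file" . ,(shell-quote-argument query-file)))))

(defun my/demo ()
  "Show that only the single-scan variant leaves %b unexpanded."
  (let ((alist '(("a" . "%b") ("b" . "injected"))))
    (cl-assert (equal (my/fill-template-iterative "%a" alist) "injected"))
    (cl-assert (equal (my/fill-template-single-scan "%a" alist) "%b"))
    ;; The shell-quoted db path must not contain an unescaped "$(".
    (cl-assert (not (string-match-p "[^\\\\]\\$(" (my/sqlite-command
                     "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)"
                     "query.sql"))))
    t))
```

Evaluate `(my/demo)' in `*scratch*'; it returns t when all three checks hold.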