From: Glenn Morris
To: 48676@debbugs.gnu.org
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Wed, 26 May 2021 11:52:04 -0400
Message-ID: <2nk0nl7asb.fsf@fencepost.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org, emacs-orgmode@gnu.org
List-Id: "General discussions about Org-mode."

Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security

emacs -Q hello.org, where hello.org contains:

#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}

Then:
M-x org-export-dispatch t A

-> now /tmp/HELLO exists, with no prompting.

This seems contrary to normal Emacs practice for risky local variables, and
to the section "Code Evaluation and Security Issues" in the Org manual
(which does not mention macros).
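
Added example (not part of the original report and not Org's own code): a Python audit pass that lists Org macros defined as (eval ...) forms and the lines where they are called, so an untrusted file can be checked before export. It assumes, as in the report's hello.org, that an evaluated macro is one whose template starts with "(eval"; find_eval_macros and the "greet" lines in SAMPLE are constructed for illustration.

```python
import re

# "#+MACRO: name template" keyword line (Org keywords are case-insensitive).
MACRO_DEF = re.compile(r"^[ \t]*#\+macro:[ \t]+(\S+)[ \t]+(.*)$", re.IGNORECASE)
# "{{{name}}}" or "{{{name(args)}}}" call site.
MACRO_CALL = re.compile(r"\{\{\{([A-Za-z][-\w]*)")
# Assumption: a template is treated as Lisp to evaluate when it starts with "(eval".
EVAL_TEMPLATE = re.compile(r"\(eval\b")

# Line 1 and line 3 are the report's hello.org; the "greet" lines are constructed.
SAMPLE = (
    '#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))\n'
    "#+MACRO: greet Hi $1\n"
    "Hello. {{{hello}}}\n"
    "{{{greet(world)}}}\n"
)


def find_eval_macros(org_text):
    """Return one finding per macro definition whose template is an (eval ...) form.

    Each finding has: name, defined_at (line), template, used_at (list of lines).
    Only the given text is scanned; files it pulls in are not followed.
    """
    eval_defs = []  # (lowercased name, line number, template)
    calls = {}      # lowercased name -> line numbers of {{{name...}}} calls
    for lineno, line in enumerate(org_text.splitlines(), start=1):
        m = MACRO_DEF.match(line)
        if m:
            template = m.group(2).strip()
            if EVAL_TEMPLATE.match(template):
                eval_defs.append((m.group(1).lower(), lineno, template))
            continue
        for call in MACRO_CALL.finditer(line):
            # Names are compared case-insensitively to err toward flagging.
            calls.setdefault(call.group(1).lower(), []).append(lineno)
    return [
        {"name": n, "defined_at": ln, "template": t, "used_at": calls.get(n, [])}
        for n, ln, t in eval_defs
    ]


if __name__ == "__main__":
    for f in find_eval_macros(SAMPLE):
        print("line %d: macro %r evaluates Lisp on export; called at lines %s"
              % (f["defined_at"], f["name"], f["used_at"]))
        print("    " + f["template"])
```
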