From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms13.migadu.com with LMTPS id eFSrLXaBd2aFcgEA62LTzQ:P1 (envelope-from ) for ; Sun, 23 Jun 2024 01:59:18 +0000 Received: from aspmx1.migadu.com ([2001:41d0:403:4876::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1.migadu.com with LMTPS id eFSrLXaBd2aFcgEA62LTzQ (envelope-from ) for ; Sun, 23 Jun 2024 03:59:18 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=stebalien.com header.s=fm1 header.b="c kD919q"; dkim=pass header.d=messagingengine.com header.s=fm2 header.b=AgsVQk+j; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=reject) header.from=stebalien.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1719107958; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=U6D3ERWSVcbpLrmysfn9sihMJLoI5umIXnLNb9huNWg=; b=EQKLV4+t/gb8g7DcgN/XrXAV0+lHcqvotgNHInlxpQ1a2VbeWKdVBe4zvDopLnmZzEQyt0 r3E6JXlIIhTbWF2P9jYufk5RuKD0/uKAVn3Fj8gPDlkxUZ0wQ6Utt1Bs1jeLGwAMUShPyt v/yu46lVApKYSTcFf/9GNuvMjd3Idka1SO0tljbinfBrLv5/LK/uMMNMc1dPevMi8usbrE NLQe9i6qyr1a4U46+vgwEHJF9NY6pcFD9qAGqlQ+rgbJnTWXS63kvPoS8w3e2cOcoDEgVT mCnTbC7seFaMLTRrr9ajZfCRG4RSerRZEleuh+cyHi89Mj5DdiZeOhx1ehWtkw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=stebalien.com header.s=fm1 header.b="c kD919q"; dkim=pass header.d=messagingengine.com header.s=fm2 header.b=AgsVQk+j; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=reject) header.from=stebalien.com ARC-Seal: i=1; s=key1; d=yhetil.org; t=1719107958; a=rsa-sha256; cv=none; b=Y2Xm/sjiRL3dPrh6+Z7ExSKzaocDfpAt8zl3hcvIEQHAozIk3N72VXbJHnBZ2cmPV8lcD1 7xG8wQMYZkm/zpnkpDJLtgDt4n4kDWqjh7OmLPJg6lhKyoVDd7h2j0zC/xaqfK+riUexy6 25y4NPcw6JP6VBBn8fgKll6KDTqxFRnZT9+fhRmG8rJbztYNB7RXNOw8rlRGvxV8iKMUy7 yskt/vH1go4J9+ExtRoltRO4zJ8p3dGOiGTA918ilE3t3rcO8JEXxVOL1re2+XhJOCohIr Wv/kTtFoYbJmSG8dPdJE/To4zRzTfY1+WiRUnymdjIymC8oPjRkW/nsrpc2iNw== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 306CE276B6 for ; Sun, 23 Jun 2024 03:59:17 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sLCUi-0005b5-Em; Sat, 22 Jun 2024 21:58:16 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sLCUh-0005aw-Nc for emacs-orgmode@gnu.org; Sat, 22 Jun 2024 21:58:15 -0400 Received: from wfout2-smtp.messagingengine.com ([64.147.123.145]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sLCUf-0000Mv-Rt; Sat, 22 Jun 2024 21:58:15 -0400 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailfout.west.internal (Postfix) with ESMTP id 3E5AA1C000F5; Sat, 22 Jun 2024 21:58:09 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Sat, 22 Jun 2024 21:58:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stebalien.com; h=cc:cc:content-type:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=fm1; t=1719107888; x= 1719194288; bh=U6D3ERWSVcbpLrmysfn9sihMJLoI5umIXnLNb9huNWg=; b=c kD919q+yX2SU6qSl1jOa+b/mmigiJBAT9nemeYJSk7tigvGNbA4CIgPEts/yIi/P lDZA2Rdv6eusuM/4bxD0CORuIyWAYjpRbVDPUN/YIRmWw/Clvd6WFVfCzmL33CAx StyviGb2GtYQkuhlo/6PYM8QhB6BIGdtC2OHX8g8hkqykDDYKKro9SqQkQ6rsxvx u5dADiEFjdzNugK+o8VgIqodb7jp5+osBH0Vj5gF5yyQ/gOUmf8PoGlmEBYM9VGb WFNAYcUJjM8ls5r3rDmZTsMFs5HxRUKXkejc+Pw3Y2GrKTWvp98s7ds0xWp3VUHl YLwDCArVyX63J5UlpeU7A== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1719107888; x=1719194288; bh=U6D3ERWSVcbpLrmysfn9sihMJLoI 5umIXnLNb9huNWg=; b=AgsVQk+jCELUzVnc1PAT2Dxqf+Q4qN2FbCDAnnKCMq68 E3Lttx1E+O4qoy0W2ryE/G6ivfiRYPQ1vYjKp0XZMuhOVWAhkztq8dOxAOtUMIjD fnm2ke+mb8SE+6RMrP8E2CHHeLl/WitnP3mRMl7bT0olK8pca9DF/IMfbpZc6Fzk optM8CLWrX9/NLk9BOFOhxADLLVdBOzZrxlgUrBQwfgJzU337gCKnKFvu6GaMGdw NVgH3jiTcec6Dn8KiVJJXnNFydqGLzl33i6Od20t3ImVIfAwjqvXPEuSImm8dtl5 VZpK2Z7SeyPCDo0Kv2Fsq2GVkKbpKlfv1HEaI8ZG/A== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrfeefkedgvdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefhvfevufgjfhffkfggtgesthdtre dttddttdenucfhrhhomhepufhtvghvvghnucetlhhlvghnuceoshhtvghvvghnsehsthgv sggrlhhivghnrdgtohhmqeenucggtffrrghtthgvrhhnpedvkeehkeegleehheeggfdule ektefhhffgueffteekgedtvdefuddutddtjeejvdenucevlhhushhtvghrufhiiigvpedt necurfgrrhgrmhepmhgrihhlfhhrohhmpehsthgvvhgvnhesshhtvggsrghlihgvnhdrtg homh X-ME-Proxy: Feedback-ID: ie8a146a7:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 22 Jun 2024 21:58:08 -0400 (EDT) From: Steven Allen To: Greg Troxel , Ihor Radchenko Cc: emacs-orgmode@gnu.org, Bastien Subject: Re: [ANN] Emergency bugfix release: Org mode 9.7.5 In-Reply-To: References: <87sex5gdqc.fsf@localhost> <87pls8hnqa.fsf@localhost> Date: Sat, 22 Jun 2024 18:58:06 -0700 Message-ID: <877cegwhch.fsf@stebalien.com> MIME-Version: 1.0 Content-Type: text/plain Received-SPF: pass client-ip=64.147.123.145; envelope-from=steven@stebalien.com; helo=wfout2-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org Sender: emacs-orgmode-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Spam-Score: -9.99 X-Migadu-Queue-Id: 306CE276B6 X-Migadu-Scanner: mx10.migadu.com X-Migadu-Spam-Score: -9.99 X-TUID: kVRQrfnW6upt Greg Troxel writes: > (Thanks for fixing and your efforts on org. I've been an org user since > at least July of 2010.) > > Just to be clear, is this the commit that needs applying to emacs > sources, 29.3, 28.x, and so on? Yes, that's the correct commit. > It seems so, but I would rather not guess. I'm asking on behalf of > pkgsrc, where I am managing the release process for our 2024Q2 branch, > due on 30 June. Believe it or not we have 20, 21, 26, 27, 28, 29 and a > from-git version. While some should be pruned, some people use it on > vaxes. Any idea how far back this goes? It was introduced in org 7.9 (commit [1] from July of 2012). From what I can tell, it has been present in Emacs since emacs-24.2. [1]: ef3d4b5965b828e85a535ef3f32999473c6a2a7a > > Thanks, > Greg > > commit f4cc61636947b5c2f0afc67174dd369fe3277aa8 > Author: Ihor Radchenko > Date: Tue Jun 18 13:06:44 2024 +0200 > > org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code > > * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link > abbrevs that specify unsafe function. Instead, display a warning, and > do not expand the abbrev. Clear all the text properties from the > returned link, to avoid any potential vulnerabilities caused by > properties that may contain arbitrary Elisp. > > diff --git a/lisp/ol.el b/lisp/ol.el > index 7a7f4f558..8a556c7b9 100644 > --- a/lisp/ol.el > +++ b/lisp/ol.el > @@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'." > (if (not as) > link > (setq rpl (cdr as)) > - (cond > - ((symbolp rpl) (funcall rpl tag)) > - ((string-match "%(\\([^)]+\\))" rpl) > - (replace-match > - (save-match-data > - (funcall (intern-soft (match-string 1 rpl)) tag)) > - t t rpl)) > - ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) > - ((string-match "%h" rpl) > - (replace-match (url-hexify-string (or tag "")) t t rpl)) > - (t (concat rpl tag))))))) > + ;; Drop any potentially dangerous text properties like > + ;; `modification-hooks' that may be used as an attack vector. > + (substring-no-properties > + (cond > + ((symbolp rpl) (funcall rpl tag)) > + ((string-match "%(\\([^)]+\\))" rpl) > + (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) > + ;; Using `unsafep-function' is not quite enough because > + ;; Emacs considers functions like `genenv' safe, while > + ;; they can potentially be used to expose private system > + ;; data to attacker if abbreviated link is clicked. > + (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) > + (eq t (get rpl-fun-symbol 'pure))) > + (replace-match > + (save-match-data > + (funcall (intern-soft (match-string 1 rpl)) tag)) > + t t rpl) > + (org-display-warning > + (format "Disabling unsafe link abbrev: %s > +You may mark function safe via (put '%s 'org-link-abbrev-safe t)" > + rpl (match-string 1 rpl))) > + (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) > + org-link-abbrev-alist (delete as org-link-abbrev-alist)) > + link > + ))) > + ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) > + ((string-match "%h" rpl) > + (replace-match (url-hexify-string (or tag "")) t t rpl)) > + (t (concat rpl tag)))))))) > > (defun org-link-open (link &optional arg) > "Open a link object LINK.