emacs-orgmode@gnu.org archives
 help / color / mirror / code / Atom feed
* [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
@ 2023-08-11 10:59 Max Nikulin
  2023-08-13  7:52 ` Ihor Radchenko
  0 siblings, 1 reply; 14+ messages in thread
From: Max Nikulin @ 2023-08-11 10:59 UTC (permalink / raw)
  To: emacs-orgmode

Consider the following Org file

---- 8< ----
#+begin_src elisp :results none
   (require 'ob-sqlite)
#+end_src

#+begin_src sqlite :db /tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)
   select 1
#+end_src
---- >8 ----

Executing of the sqlite code block causes creation of the 
/tmp/ob-sqlite-vuln.log file.

The cause is usage of `org-fill-template' without `shell-quote-argument'.

 From my point of view it is unsafe to open Org files from untrusted 
sources in Emacs in general, so it is not a serious vulnerability. Some 
users may consider shell expansion in file name as a convenient feature. 
However earlier we had a quite similar issue:

lux. [PATCH] Fix ob-latex.el command injection vulnerability. Sat, 18 
Feb 2023 18:08:44 +0800. 
https://list.orgmode.org/tencent_7B48D6A8D4FCDC2DC8DF842B069B715ECE0A@qq.com

that is known as CVE-2023-28617 with high enough score 
"org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for 
GNU Emacs allows attackers to execute arbitrary commands via a file name 
or directory name that contains shell metacharacters."

and caused updates of Emacs in various Linux distributions
https://security-tracker.debian.org/tracker/CVE-2023-28617

As to `org-fill-template', it may be affected by an issue similar to
Maxim Nikulin. greedy substitution in org-open-file. Wed, 20 Jan 2021 
23:08:35 +0700.
https://list.orgmode.org/ru9ki4$t5e$1@ciao.gmane.io

since expansion of a %key may contain %another that might be 
interpolated on next iteration. The function should perform substitution 
during single scan of the passed template.



^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2023-08-29  8:02 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-08-11 10:59 [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Max Nikulin
2023-08-13  7:52 ` Ihor Radchenko
2023-08-17 16:11   ` Max Nikulin
2023-08-18  8:43     ` Ihor Radchenko
2023-08-18 10:56       ` Max Nikulin
2023-08-18 11:05         ` Ihor Radchenko
2023-08-19  5:58           ` Max Nikulin
2023-08-21  7:04             ` Ihor Radchenko
2023-08-21 15:05               ` Max Nikulin
2023-08-22  9:46                 ` Ihor Radchenko
2023-08-28  8:15                   ` Max Nikulin
2023-08-29  8:02                     ` Ihor Radchenko
2023-08-21  7:09             ` [SECURITY] Shell expansion of babel header args (was: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands) Ihor Radchenko
2023-08-17 16:29   ` [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Max Nikulin

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).