From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id uGgcGLRBXmR8NQEASxT56A (envelope-from ) for ; Fri, 12 May 2023 15:40:04 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id YL8JGLRBXmRJnwAAauVa8A (envelope-from ) for ; Fri, 12 May 2023 15:40:04 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 26B7C311EF for ; Fri, 12 May 2023 15:40:04 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pxSzF-0005Tz-MD; Fri, 12 May 2023 09:39:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pxSzE-0005TU-6r for emacs-orgmode@gnu.org; Fri, 12 May 2023 09:39:08 -0400 Received: from mout01.posteo.de ([185.67.36.65]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pxSzB-0002wO-V3 for emacs-orgmode@gnu.org; Fri, 12 May 2023 09:39:07 -0400 Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id 753DF240136 for ; Fri, 12 May 2023 15:39:03 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1683898743; bh=IpCv4p/JLQiTAgnO4JzIWYGl3MpTqdUAnAbT182r2ZM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:From; b=PGmZLo3x3v6TP2jpAY30EoGFXffBRETaD+WGSzbGb3Q0i2JbcJhD9fP4sqxX/pUyG FBCthJv7d4RHq2b+PhvBbqtyLWOKVyW/++Hd5B4yj+2wZ7xMFOkLl+7bxkw8YV/T30 zExP9V5lPHevj5I5PGhuOka4Jk+joGm1xzBoFgVtwMjDk78conX6EPVAPEld/zswza Jl0JgwleI7C83O8CMqUWPuPsIaJBgSZ+UtYPFpiVJ8zb3WQZ7JVxeNrF7xg02KKzV1 zYc9yZVZ2ViXwknCaJOaKB4VOOJEs6tk/iI1dOFdXkBAUXR4FMpjYJTwNIc6PpfGMH ENBJIziN2DTzQ== Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4QHqc70jWqz6tsf; Fri, 12 May 2023 15:39:03 +0200 (CEST) From: Ihor Radchenko To: Max Nikulin Cc: emacs-orgmode@gnu.org Subject: Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulnerability.) In-Reply-To: References: <87v8jzjj1p.fsf@localhost> <047b7367-c98f-e531-b3e9-bc50b6b098e5@gmail.com> <871qlyqfm0.fsf@localhost> <87wn3nwomf.fsf@localhost> <87ilf6us3g.fsf@localhost> <87a5yo8fln.fsf@localhost> <87ttwvdlm9.fsf@localhost> Date: Fri, 12 May 2023 13:42:30 +0000 Message-ID: <87r0rlzmwp.fsf@localhost> MIME-Version: 1.0 Content-Type: text/plain Received-SPF: pass client-ip=185.67.36.65; envelope-from=yantar92@posteo.net; helo=mout01.posteo.de X-Spam_score_int: -43 X-Spam_score: -4.4 X-Spam_bar: ---- X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org Sender: emacs-orgmode-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN ARC-Seal: i=1; s=key1; d=yhetil.org; t=1683898804; a=rsa-sha256; cv=none; b=EvVUcQws1yy8Ho3QqILG5RD///AyB4O2NnOFLMbHNXluD36jXFM4gd5qbChkvMyyqR3Yws cZ3qSlWBF5fnVLjT0LFd299PjW7m2BAs+NBGTty++bkLOb8bjTumRHsxmcYzNrjJfGnIRy RAizBY2C0OKpCoLysWB0nkTJMcPn3qpPug1SR8PL3nhxWeRG7UCTXNBUJCRUwV2TzHiqxh 9VMCW4ceB+p5FcTR26TNxygPaDT8OEnyNEobFT0fIm2knTnkpakZDkgdifaSl9Uo20JpC7 KPPVrV8XywEwK8ggx47FoPiCaRqFmJNDBegQHqfKBuCVM5z4LbhB4h5yE8h25A== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=posteo.net header.s=2017 header.b=PGmZLo3x; dmarc=pass (policy=none) header.from=posteo.net; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1683898804; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=iAO3lMN4GJ8x3gvxNUA37e2pYtT3+MOFMH7VCDE9VpI=; b=XsNIHEWgbjOiwWF0ZL9fHHS3EhMoQ6kPWCta1PzJ0T4EwHyRmx2y+NHdr82O+tMbvYs86Q TOkFCd4qe0q87TuBKsALDnd3uZgKl65YLV46/7ql2m6BVxoBIps38VNYbbwnDHageGeHZy OihD8yXoMW+rRH5cZMpYDlL6nC9l0/5kIiPxRlVYYB/m19Kfn6CNAK2ilB0nPSBzUKo1pj BzOTPooBzU/KnNx474B5qALYDxx69czxGWL+ug4PNu53Vl8iI2H7MbpABrH/uCZK7YWw57 aGE/MFcL1MgkCymrL0AxDZn+cG2wJ5GIUCI9QtaKA5zwYyXkcoEQHcQT5NiTEQ== X-Migadu-Spam-Score: -9.39 X-Spam-Score: -9.39 X-Migadu-Queue-Id: 26B7C311EF X-Migadu-Scanner: scn0.migadu.com Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=posteo.net header.s=2017 header.b=PGmZLo3x; dmarc=pass (policy=none) header.from=posteo.net; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-TUID: skTsRYlbgNt4 Max Nikulin writes: >> But this patch literally fixed the problem. What else should we do? > > Do you really think that it was the last unsafe shell command in the Org > code? No, but I prefer concrete examples. The CVE you linked to refers to an already fixed bug. > https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-ditaa.el#n101 > and (shell-command pdf-cmd) below The only unsafe part there is `java' that is taken from :java header argument. I am unsure how to fix this issue without feature regression. > https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-lilypond.el#n194 May you provide a patch? >>> I suppose, the issue has been received too much attention already: >>> >>> - https://security-tracker.debian.org/tracker/CVE-2023-28617 >>> - https://ubuntu.com/security/notices/USN-6003-1 >>> - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-28617 >> >> These appear to be different issues. > > Linux distributions had to react to the CVE with formally high score and > updated Emacs packages applying 2 tiny patches from this thread. Sure, but I have applied both the patches onto bugfix. That's why I asked you what else we should do. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at . Support Org development at , or support my work at