From: Rafael Ramirez Morales
To: Glenn Morris
Cc: 48676@debbugs.gnu.org
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 09:02:20 +0200
In-Reply-To: <2nk0nl7asb.fsf@fencepost.gnu.org>

Just a couple of questions:
who is the owner of the HELLO file?
OR
who is the owner of the "touch" process?

Is the owner the unprivileged user or the "emacs" system?

Thanks.

On Wed, 26 May 2021 at 17:53, Glenn Morris <rgm@gnu.org> wrote:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
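
An added example, not part of the original thread or of Org's own code: a Python triage script that flags `#+macro:` definitions with an `(eval ...)` template in an Org file before the file is opened and exported, run here on a constructed copy of the `hello.org` from the report. The regexes, the function names and the rule that a template starting with `(eval` is evaluated as Lisp are assumptions of this example.

```python
import re

# Constructed sample: the hello.org from the report plus one harmless macro.
SAMPLE_ORG = '''#+title: demo
#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
#+MACRO: greeting Hello, $1!
Hello. {{{hello}}}
{{{greeting(world)}}}
'''

# "#+MACRO: name template"; Org keywords are case-insensitive.
MACRO_DEF = re.compile(r'^[ \t]*#\+macro:[ \t]+(\S+)[ \t]+(.*)$', re.I | re.M)
# "{{{name}}}" or "{{{name(args)}}}"
MACRO_CALL = re.compile(r'\{\{\{([A-Za-z][-\w]*)(?:\(.*?\))?\}\}\}', re.S)
# Assumption: a template is evaluated as Lisp when it starts with "(eval".
EVAL_TEMPLATE = re.compile(r'\(eval\b')


def find_eval_macros(org_text):
    """Return {macro_name: template} for macros whose template is Lisp code."""
    risky = {}
    for name, template in MACRO_DEF.findall(org_text):
        if EVAL_TEMPLATE.match(template.strip()):
            risky[name.lower()] = template.strip()
    return risky


def audit(org_text):
    """Return one finding per eval macro: its template and the lines calling it."""
    findings = []
    for name, template in find_eval_macros(org_text).items():
        call_lines = [
            org_text.count('\n', 0, m.start()) + 1
            for m in MACRO_CALL.finditer(org_text)
            if m.group(1).lower() == name
        ]
        findings.append({'macro': name, 'template': template,
                         'expanded_on_lines': call_lines})
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_ORG):
        print(f"eval macro {f['macro']!r} used on lines "
              f"{f['expanded_on_lines']}: {f['template']}")
```

The script inspects only the text it is given; macros brought in through `#+SETUPFILE:` are not followed.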