emacs-orgmode@gnu.org archives
From: Greg Troxel <gdt@lexort.com>
To: Ihor Radchenko <yantar92@posteo.net>
Cc: emacs-orgmode@gnu.org,  Bastien <bzg@gnu.org>
Subject: Re: [ANN] Emergency bugfix release: Org mode 9.7.5
Date: Sat, 22 Jun 2024 19:55:25 -0400
Message-ID: <rmi4j9kzg5u.fsf@s1.lexort.com>
In-Reply-To: <87pls8hnqa.fsf@localhost> (Ihor Radchenko's message of "Sat, 22 Jun 2024 17:49:17 +0000")

(Thanks for fixing and your efforts on org.  I've been an org user since
at least July of 2010.)

Just to be clear, is this the commit that needs applying to emacs
sources, 29.3, 28.x, and so on?  It seems so, but I would rather not
guess.  I'm asking on behalf of pkgsrc, where I am managing the release
process for our 2024Q2 branch, due on 30 June.  Believe it or not we
have 20, 21, 26, 27, 28, 29 and a from-git version.  While some should
be pruned, some people use it on vaxes.   Any idea how far back this
goes?

Thanks,
Greg

commit f4cc61636947b5c2f0afc67174dd369fe3277aa8
Author: Ihor Radchenko <yantar92@posteo.net>
Date:   Tue Jun 18 13:06:44 2024 +0200

    org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
    
    * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
    abbrevs that specify unsafe function.  Instead, display a warning, and
    do not expand the abbrev.  Clear all the text properties from the
    returned link, to avoid any potential vulnerabilities caused by
    properties that may contain arbitrary Elisp.

diff --git a/lisp/ol.el b/lisp/ol.el
index 7a7f4f558..8a556c7b9 100644
--- a/lisp/ol.el
+++ b/lisp/ol.el
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
       (if (not as)
 	  link
 	(setq rpl (cdr as))
-	(cond
-	 ((symbolp rpl) (funcall rpl tag))
-	 ((string-match "%(\\([^)]+\\))" rpl)
-	  (replace-match
-	   (save-match-data
-	     (funcall (intern-soft (match-string 1 rpl)) tag))
-	   t t rpl))
-	 ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
-	 ((string-match "%h" rpl)
-	  (replace-match (url-hexify-string (or tag "")) t t rpl))
-	 (t (concat rpl tag)))))))
+        ;; Drop any potentially dangerous text properties like
+        ;; `modification-hooks' that may be used as an attack vector.
+        (substring-no-properties
+	 (cond
+	  ((symbolp rpl) (funcall rpl tag))
+	  ((string-match "%(\\([^)]+\\))" rpl)
+           (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
+             ;; Using `unsafep-function' is not quite enough because
+             ;; Emacs considers functions like `genenv' safe, while
+             ;; they can potentially be used to expose private system
+             ;; data to attacker if abbreviated link is clicked.
+             (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
+                     (eq t (get rpl-fun-symbol 'pure)))
+                 (replace-match
+	          (save-match-data
+	            (funcall (intern-soft (match-string 1 rpl)) tag))
+	          t t rpl)
+               (org-display-warning
+                (format "Disabling unsafe link abbrev: %s
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
+                        rpl (match-string 1 rpl)))
+               (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
+                     org-link-abbrev-alist (delete as org-link-abbrev-alist))
+               link
+	       )))
+	  ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+	  ((string-match "%h" rpl)
+	   (replace-match (url-hexify-string (or tag "")) t t rpl))
+	  (t (concat rpl tag))))))))
 
 (defun org-link-open (link &optional arg)
   "Open a link object LINK.
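Review bot: in the safe branch the function is re-derived with `(funcall (intern-soft (match-string 1 rpl)) tag)` although `rpl-fun-symbol` already holds exactly that symbol; reuse the binding so the symbol that was checked against `org-link-abbrev-safe`/`pure` is guaranteed to be the one called. Two smaller points in the same hunk: the `((symbolp rpl) (funcall rpl tag))` branch still calls `rpl` without any safety check, so if symbol-valued entries are trusted because they can only be installed from Lisp rather than from in-buffer link definitions, a comment saying so belongs beside that line; and the unsafe branch destructively `delete`s the entry from `org-link-abbrev-alist` as a side effect of expansion, which silently mutates the user's configured value and deserves a sentence in the docstring.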

