From: Greg Troxel
To: Ihor Radchenko
Cc: emacs-orgmode@gnu.org, Bastien
Subject: Re: [ANN] Emergency bugfix release: Org mode 9.7.5
In-Reply-To: <87pls8hnqa.fsf@localhost> (Ihor Radchenko's message of "Sat, 22 Jun 2024 17:49:17 +0000")
Date: Sat, 22 Jun 2024 19:55:25 -0400

(Thanks for fixing and your efforts on org. I've been an org user since at least July of 2010.)

Just to be clear, is this the commit that needs applying to emacs sources, 29.3, 28.x, and so on? It seems so, but I would rather not guess.

I'm asking on behalf of pkgsrc, where I am managing the release process for our 2024Q2 branch, due on 30 June. Believe it or not we have 20, 21, 26, 27, 28, 29 and a from-git version. While some should be pruned, some people use it on vaxes.

Any idea how far back this goes?

Thanks,
Greg

commit f4cc61636947b5c2f0afc67174dd369fe3277aa8
Author: Ihor Radchenko
Date:   Tue Jun 18 13:06:44 2024 +0200

    org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code

    * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
    abbrevs that specify unsafe function.  Instead, display a warning, and
    do not expand the abbrev.  Clear all the text properties from the
    returned link, to avoid any potential vulnerabilities caused by
    properties that may contain arbitrary Elisp.

diff --git a/lisp/ol.el b/lisp/ol.el index 7a7f4f558..8a556c7b9 100644 --- a/lisp/ol.el +++ b/lisp/ol.el 
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'." (if (not as) link (setq rpl (cdr as)) - (cond - ((symbolp rpl) (funcall rpl tag)) - ((string-match "%(\\([^)]+\\))" rpl) - (replace-match - (save-match-data - (funcall (intern-soft (match-string 1 rpl)) tag)) - t t rpl)) - ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) - ((string-match "%h" rpl) - (replace-match (url-hexify-string (or tag "")) t t rpl)) - (t (concat rpl tag))))))) + ;; Drop any potentially dangerous text properties like + ;; `modification-hooks' that may be used as an attack vector. + (substring-no-properties + (cond + ((symbolp rpl) (funcall rpl tag)) + ((string-match "%(\\([^)]+\\))" rpl) + (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) + ;; Using `unsafep-function' is not quite enough because + ;; Emacs considers functions like `genenv' safe, while + ;; they can potentially be used to expose private system + ;; data to attacker if abbreviated link is clicked. + (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) + (eq t (get rpl-fun-symbol 'pure))) + (replace-match + (save-match-data + (funcall (intern-soft (match-string 1 rpl)) tag)) + t t rpl) + (org-display-warning + (format "Disabling unsafe link abbrev: %s +You may mark function safe via (put '%s 'org-link-abbrev-safe t)" + rpl (match-string 1 rpl))) + (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) + org-link-abbrev-alist (delete as org-link-abbrev-alist)) + link + ))) + ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) + ((string-match "%h" rpl) + (replace-match (url-hexify-string (or tag "")) t t rpl)) + (t (concat rpl tag)))))))) (defun org-link-open (link &optional arg) "Open a link object LINK.
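
Review bot: The (symbolp rpl) branch still runs (funcall rpl tag) with no safety check, while only the %(...) branch is gated on the org-link-abbrev-safe and pure properties. If a symbol replacement can only come from the user's own configuration, a comment saying so would explain the asymmetry; if it can come from a file, it needs the same gate. Inside the gated branch the call repeats (intern-soft (match-string 1 rpl)) even though the result is already bound to rpl-fun-symbol; using (funcall rpl-fun-symbol tag) makes it evident that the symbol checked is the symbol called. The new comment names genenv, which looks like a typo for getenv. The unsafe path deletes the entry from the global org-link-abbrev-alist as well as from org-link-abbrev-alist-local, so an abbrev coming from the user's own setup is disabled the same way as a file-local one; that behaviour and the org-link-abbrev-safe property are worth mentioning in the docstring, since the warning text is currently the only place the property is described.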