Subject: [PATCH] Fix ob-latex.el command injection vulnerability.
From: lux
To: emacs-orgmode@gnu.org
Date: Sat, 18 Feb 2023 18:08:44 +0800
Test environment:

- Emacs 29.0.60
- Orgmode 9.6.1
- TeX Live 2020

Preconditions:

(org-babel-do-load-languages 'org-babel-load-languages '((latex . t)))

The vulnerability occurs in the file ob-latex.el, in the `org-babel-execute:latex' function: if the output file's extension is .svg, it uses the `shell-command' function to call the `mv' shell command:

((string= "svg" extension)
 ...
 (let ((tmp-pdf (org-babel-latex-tex-to-pdf tex-file)))
   (let* (...
          (img-out (org-compile-file
                    tmp-pdf
                    (list org-babel-latex-pdf-svg-process)
                    extension err-msg log-buf)))
     (shell-command (format "mv %s %s" img-out out-file)))))

But the parameters `img-out' and `out-file' are not escaped. So if the file name or directory name contains shell metacharacters, they will be executed.

Example for the vul_test.org file:

#+name: vul_test
#+header: :file test;uname -a;.svg
#+begin_src latex
\LaTeX
#+end_src

Open it in Emacs and press 'C-c C-e l p' to export to a pdf file, or point to the begin_src block and press 'C-c C-c' to execute the block. In the '*Messages*' buffer, you can see the 'uname -a' command output:

Executing Latex code block (vul_test)...
Processing LaTeX file /tmp/babel-UCtwdU/latex-zWDsHS.tex...
PDF file produced.

** (org.inkscape.Inkscape:145910): WARNING **: 17:27:24.285: Fonts dir '/usr/share/inkscape/fonts' does not exist and will be ignored.

Linux lx-debian 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux    <---- This is the 'uname -a' output
zsh:1: command not found: .svg
Code block produced no output (took 1.1s).

This patch fixes it.
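The following Emacs Lisp is an added illustration, not part of the report or of Org's code. It builds (without running) the `mv' command line that the vulnerable and the patched `format' calls produce for the report's `:file test;uname -a;.svg' header, and shows a shell-free move with `rename-file', which is an alternative suggested here rather than what the patch does; the `img-out' path is a constructed placeholder in the style of the *Messages* log.

```elisp
;; Added example: compare the command strings the vulnerable and the
;; patched `format' calls hand to `shell-command', then show a move that
;; never touches a shell.  Nothing here executes a shell command.

(defun demo-mv-command (img-out out-file &optional quote)
  "Return the `mv' command line ob-latex would pass to `shell-command'.
With QUOTE non-nil, apply the patch's `shell-quote-argument' to both names."
  (if quote
      (format "mv %s %s"
              (shell-quote-argument img-out)
              (shell-quote-argument out-file))
    (format "mv %s %s" img-out out-file)))

(defun demo-safe-move (img-out out-file)
  "Move IMG-OUT to OUT-FILE without involving a shell at all.
`rename-file' takes both names as data, so `;' and spaces are inert; the
third argument lets it replace an existing OUT-FILE, as `mv' silently did."
  (rename-file img-out out-file t)
  out-file)

;; OUT-FILE is what the report's `:file' header yields; IMG-OUT is a
;; constructed placeholder for the temporary SVG org-compile-file produces.
(let ((img-out "/tmp/babel-XXXXXX/latex-YYYYYY.svg") ; constructed
      (out-file "test;uname -a;.svg"))
  ;; Unquoted: the shell parses this as three commands,
  ;; `mv ... test', `uname -a' and `.svg' (the log's "command not found").
  (message "vulnerable: %s" (demo-mv-command img-out out-file))
  ;; Quoted: a single `mv' with two literal operands,
  ;; `;' and space each preceded by a backslash.
  (message "patched:    %s" (demo-mv-command img-out out-file t)))
```

Evaluate the buffer with M-x eval-buffer and read the two lines in *Messages*; `demo-safe-move' is only defined, not called, since it would need real files.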
Attachment: 0001-lisp-ob-latex.el-org-babel-execute-latex-Fix-command.patch

From 422ffedc32c31fef39d943612d7e738cf4ad5e23 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 18 Feb 2023 18:03:28 +0800
Subject: [PATCH] * lisp/ob-latex.el (org-babel-execute:latex): Fix command
 injection vulnerability.

---
 lisp/ob-latex.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
index 428907a27..c32e7ea4c 100644
--- a/lisp/ob-latex.el
+++ b/lisp/ob-latex.el
@@ -180,7 +180,7 @@ This function is called by `org-babel-execute-src-block'."
 	                     tmp-pdf
                              (list org-babel-latex-pdf-svg-process)
                              extension err-msg log-buf)))
-             (shell-command (format "mv %s %s" img-out out-file)))))
+               (shell-command (format "mv %s %s" (shell-quote-argument img-out) (shell-quote-argument out-file))))))
         ((string-suffix-p ".tikz" out-file)
 	  (when (file-exists-p out-file) (delete-file out-file))
 	  (with-temp-file out-file
-- 
2.30.2
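Review bot: quoting both operands with shell-quote-argument does close the injection, but the `+` line still spawns a shell only to move one file; `(rename-file img-out out-file t)` performs the same move with the names passed as data, so there is nothing left to quote and the optional third argument keeps the overwrite-an-existing-file behaviour the unquoted `mv` had. If the shell-command call is kept, the replacement line is long enough that it should be split, e.g. `(format "mv %s %s"` on one line and each `(shell-quote-argument ...)` on its own, which also keeps the diff readable and matches the surrounding indentation.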