From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id 4KIUMdAZXWR8rAAASxT56A (envelope-from ) for ; Thu, 11 May 2023 18:37:36 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id MB4nMNAZXWRlIQEAG6o9tA (envelope-from ) for ; Thu, 11 May 2023 18:37:36 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 537712DF97 for ; Thu, 11 May 2023 18:37:36 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1px8ej-0006bX-3o; Thu, 11 May 2023 11:56:37 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1px8eh-0006bH-PN for emacs-orgmode@gnu.org; Thu, 11 May 2023 11:56:35 -0400 Received: from ciao.gmane.io ([116.202.254.214]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1px8ef-0005XR-AN for emacs-orgmode@gnu.org; Thu, 11 May 2023 11:56:34 -0400 Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1px8eZ-00025f-L9 for emacs-orgmode@gnu.org; Thu, 11 May 2023 17:56:27 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: emacs-orgmode@gnu.org From: Max Nikulin Subject: Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulnerability.) Date: Thu, 11 May 2023 22:56:19 +0700 Message-ID: References: <87v8jzjj1p.fsf@localhost> <047b7367-c98f-e531-b3e9-bc50b6b098e5@gmail.com> <871qlyqfm0.fsf@localhost> <87wn3nwomf.fsf@localhost> <87ilf6us3g.fsf@localhost> <87a5yo8fln.fsf@localhost> <87ttwvdlm9.fsf@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 Content-Language: en-US In-Reply-To: <87ttwvdlm9.fsf@localhost> Received-SPF: pass client-ip=116.202.254.214; envelope-from=geo-emacs-orgmode@m.gmane-mx.org; helo=ciao.gmane.io X-Spam_score_int: 7 X-Spam_score: 0.7 X-Spam_bar: / X-Spam_report: (0.7 / 5.0 requ) BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FORGED_MUA_MOZILLA=2.309, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, NICE_REPLY_A=-2.124, NML_ADSP_CUSTOM_MED=0.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org Sender: emacs-orgmode-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN ARC-Seal: i=1; s=key1; d=yhetil.org; t=1683823056; a=rsa-sha256; cv=none; b=BeNQzXNLJcC9S7mU1DPTNErVFZpwIpIYTnE2kKwcgZZdn05FAOI7aJ5BkCF3t1oumScbSC WpLnPAjHFfVitxesjyn4kRYb4wCtbHYfp6L48Bg+KuM7FQdYDxLp7mLi8MTOOMHrPgNSQ5 oTSkksNekOf1dXZVpAbzAg85qH5GcbxkPrHKEHa4V4Gr3GJBc6HDz7ki5ncrJ0CtvDOsMI EChMzm7fDfa+PJvm9cqJ/NXVlOPNwBaTiDdI6N7Z5FXBVXsk15Otk4Wvjwse58TbeApqHP lW/umneM5to9IQzuGLMw7vjef1p67l4p9LIu/ET5pVcicYvaOrg2zHCJzyRX7Q== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1683823056; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=gbt/PUWM5+GEGRm42i3n93xh8Pnp3tyMCQzstp+olB0=; b=SLtxNXB6QgFb10YA5UoEbpa8HIvBzlbiMjxPpocs48MvzYkvQMxNq3hdKt+fIgQr6GzGfj Lbp6T9UPrOhMIESul0X7XlnU0HLOdmkl4317q58FpAqFaC7j1A97Z8pR4YQgceS00Ffunl C/XBJCUEaO83teRAMsKFUW2rzWnO1fc9t8/fwTypMtuzIzDIColSjEEr4bABagHywVtbR4 WVw4/bsm3OhkTuJrsGUW2Ig257VEI8DVpORQS8S642HmHRDZBdVsFA44rxTvypemPV6K/b Q8YW8TRaXMOEYILM2eM8pfk4I6dgvEiWQGUgbo8VZsN02+UVNZ5wS/uGaqWThQ== X-Migadu-Spam-Score: -1.48 X-Spam-Score: -1.48 X-Migadu-Queue-Id: 537712DF97 X-Migadu-Scanner: scn0.migadu.com Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-TUID: D2QNoyKVu98x On 02/05/2023 18:21, Ihor Radchenko wrote: > Max Nikulin writes: >> >> I posted the links as a reminder that shell commands should be avoided >> when possible (and it does not break TRAMP) and arguments should be >> escaped otherwise. > > But this patch literally fixed the problem. What else should we do? Do you really think that it was the last unsafe shell command in the Org code? https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-ditaa.el#n101 and (shell-command pdf-cmd) below https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-lilypond.el#n194 Of course, you may say that expanding shell constructs in :file header argument is a feature that allows more flexibility. Personally, I inspect Org files obtained from external resources in some dumb enough viewer before opening them in Emacs. >> I suppose, the issue has been received too much attention already: >> >> - https://security-tracker.debian.org/tracker/CVE-2023-28617 >> - https://ubuntu.com/security/notices/USN-6003-1 >> - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-28617 > > These appear to be different issues. Linux distributions had to react to the CVE with formally high score and updated Emacs packages applying 2 tiny patches from this thread.