From: Max Nikulin
To: emacs-orgmode@gnu.org
Subject: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Fri, 11 Aug 2023 17:59:00 +0700

Consider the following Org file

---- 8< ----
#+begin_src elisp :results none
(require 'ob-sqlite)
#+end_src

#+begin_src sqlite :db /tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)
select 1
#+end_src
---- >8 ----

Executing the sqlite code block causes creation of the /tmp/ob-sqlite-vuln.log file. The cause is usage of `org-fill-template' without `shell-quote-argument'.

From my point of view it is unsafe to open Org files from untrusted sources in Emacs in general, so it is not a serious vulnerability. Some users may consider shell expansion in a file name as a convenient feature. However, earlier we had a quite similar issue:

lux. [PATCH] Fix ob-latex.el command injection vulnerability. Sat, 18 Feb 2023 18:08:44 +0800.
https://list.orgmode.org/tencent_7B48D6A8D4FCDC2DC8DF842B069B715ECE0A@qq.com

that is known as CVE-2023-28617 with a high enough score:

"org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters."

and caused updates of Emacs in various Linux distributions:
https://security-tracker.debian.org/tracker/CVE-2023-28617

As to `org-fill-template', it may be affected by an issue similar to

Maxim Nikulin. greedy substitution in org-open-file. Wed, 20 Jan 2021 23:08:35 +0700.
https://list.orgmode.org/ru9ki4$t5e$1@ciao.gmane.io

since the expansion of a %key may contain %another that might be interpolated on the next iteration. The function should perform substitution during a single scan of the passed template.
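Both points of this report, unquoted interpolation of a header argument into a shell command line and re-interpolation of a substituted value on a later pass, side by side in one added Emacs Lisp example. This is not Org's own code: the `my-` function names are hypothetical, the inputs are constructed, and a POSIX shell is assumed for `shell-quote-argument'.

```elisp
;; Added example, not Org's own code.  Function names are hypothetical.

;; One full pass per key, values inserted unquoted: the shape of the
;; risk described in the report.  Kept only for contrast.
(defun my-fill-template-naive (template alist)
  "Replace each %KEY of ALIST in TEMPLATE, one pass per key, unquoted."
  (let ((case-fold-search nil))
    (dolist (entry alist template)
      (setq template (replace-regexp-in-string
                      (concat "%" (regexp-quote (car entry)))
                      (or (cdr entry) "") template t t)))))

;; Single scan plus `shell-quote-argument' on every substituted value.
(defun my-fill-template-safe (template alist)
  "Replace each %KEY of ALIST in TEMPLATE during a single scan.
Every value goes through `shell-quote-argument', so shell metacharacters
in a header argument reach the shell as literal characters.  The output
is never rescanned, so a value that itself spells out %KEY is not
expanded again.  A % in TEMPLATE not followed by a known key is kept."
  (let ((case-fold-search nil)
        (regexp (concat "%" (regexp-opt (mapcar #'car alist)))))
    (replace-regexp-in-string
     regexp
     (lambda (match)
       ;; MATCH is e.g. "%db"; drop the leading % to obtain the key.
       (shell-quote-argument
        (or (cdr (assoc (substring match 1) alist)) "")))
     template t t)))

;; Constructed inputs: a :db value carrying shell metacharacters, and a
;; :db value whose text is itself another placeholder.
(let ((metachars '(("cmd" . "sqlite3")
                   ("db" . "/tmp/ob.sqlite$(date >/tmp/x.log)")))
      (nested '(("db" . "%cmd") ("cmd" . "sqlite3"))))
  (list
   ;; naive: the $(...) group is handed to the shell as-is
   (my-fill-template-naive "%cmd %db" metachars)
   ;; safe: every metacharacter in the db value is backslash-escaped
   (my-fill-template-safe "%cmd %db" metachars)
   ;; naive: the "%cmd" inserted for db is expanded again on the cmd pass
   (my-fill-template-naive "%cmd %db" nested)
   ;; safe: the db value stays the literal (escaped) text "%cmd"
   (my-fill-template-safe "%cmd %db" nested)))
```

Evaluate the final `let' form in *scratch* (M-x eval-last-sexp) to compare the four resulting command lines.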