From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms9.migadu.com with LMTPS
	id 4KIUMdAZXWR8rAAASxT56A
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 11 May 2023 18:37:36 +0200
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id MB4nMNAZXWRlIQEAG6o9tA
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 11 May 2023 18:37:36 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 537712DF97
	for <larch@yhetil.org>; Thu, 11 May 2023 18:37:36 +0200 (CEST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-orgmode-bounces@gnu.org>)
	id 1px8ej-0006bX-3o; Thu, 11 May 2023 11:56:37 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <geo-emacs-orgmode@m.gmane-mx.org>)
 id 1px8eh-0006bH-PN
 for emacs-orgmode@gnu.org; Thu, 11 May 2023 11:56:35 -0400
Received: from ciao.gmane.io ([116.202.254.214])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <geo-emacs-orgmode@m.gmane-mx.org>)
 id 1px8ef-0005XR-AN
 for emacs-orgmode@gnu.org; Thu, 11 May 2023 11:56:34 -0400
Received: from list by ciao.gmane.io with local (Exim 4.92)
 (envelope-from <geo-emacs-orgmode@m.gmane-mx.org>)
 id 1px8eZ-00025f-L9
 for emacs-orgmode@gnu.org; Thu, 11 May 2023 17:56:27 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: emacs-orgmode@gnu.org
From: Max Nikulin <manikulin@gmail.com>
Subject: Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection
 vulnerability.)
Date: Thu, 11 May 2023 22:56:19 +0700
Message-ID: <u3j374$6v7$1@ciao.gmane.io>
References: <tencent_7B48D6A8D4FCDC2DC8DF842B069B715ECE0A@qq.com>
 <ea686f70-3cf7-e9cd-1663-c065af08ae03@gmail.com>
 <tencent_6D4D5A4DF7DDB77C7C385FB019E7FACC7C06@qq.com>
 <87v8jzjj1p.fsf@localhost>
 <tencent_5C4D5D0DEFDDBBFC66F855703927E60C7706@qq.com>
 <047b7367-c98f-e531-b3e9-bc50b6b098e5@gmail.com>
 <tencent_2A4B339A354335947724F292E1F9C1A69C08@qq.com>
 <871qlyqfm0.fsf@localhost>
 <tencent_085A9C48333235B5356377B0F280E1B7C108@qq.com>
 <87wn3nwomf.fsf@localhost>
 <tencent_1D638DC55D917C6CB84EB01927D74C774D06@qq.com>
 <87ilf6us3g.fsf@localhost> <u2o5s5$joh$1@ciao.gmane.io>
 <87a5yo8fln.fsf@localhost> <u2qqki$25r$1@ciao.gmane.io>
 <87ttwvdlm9.fsf@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.10.0
Content-Language: en-US
In-Reply-To: <87ttwvdlm9.fsf@localhost>
Received-SPF: pass client-ip=116.202.254.214;
 envelope-from=geo-emacs-orgmode@m.gmane-mx.org; helo=ciao.gmane.io
X-Spam_score_int: 7
X-Spam_score: 0.7
X-Spam_bar: /
X-Spam_report: (0.7 / 5.0 requ) BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001,
 FORGED_GMAIL_RCVD=1, FORGED_MUA_MOZILLA=2.309,
 FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001,
 HEADER_FROM_DIFFERENT_DOMAINS=0.25, NICE_REPLY_A=-2.124,
 NML_ADSP_CUSTOM_MED=0.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-orgmode@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "General discussions about Org-mode." <emacs-orgmode.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-orgmode>
List-Post: <mailto:emacs-orgmode@gnu.org>
List-Help: <mailto:emacs-orgmode-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=subscribe>
Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org
Sender: emacs-orgmode-bounces+larch=yhetil.org@gnu.org
X-Migadu-Country: US
X-Migadu-Flow: FLOW_IN
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1683823056; a=rsa-sha256; cv=none;
	b=BeNQzXNLJcC9S7mU1DPTNErVFZpwIpIYTnE2kKwcgZZdn05FAOI7aJ5BkCF3t1oumScbSC
	WpLnPAjHFfVitxesjyn4kRYb4wCtbHYfp6L48Bg+KuM7FQdYDxLp7mLi8MTOOMHrPgNSQ5
	oTSkksNekOf1dXZVpAbzAg85qH5GcbxkPrHKEHa4V4Gr3GJBc6HDz7ki5ncrJ0CtvDOsMI
	EChMzm7fDfa+PJvm9cqJ/NXVlOPNwBaTiDdI6N7Z5FXBVXsk15Otk4Wvjwse58TbeApqHP
	lW/umneM5to9IQzuGLMw7vjef1p67l4p9LIu/ET5pVcicYvaOrg2zHCJzyRX7Q==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=none;
	dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1683823056;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=gbt/PUWM5+GEGRm42i3n93xh8Pnp3tyMCQzstp+olB0=;
	b=SLtxNXB6QgFb10YA5UoEbpa8HIvBzlbiMjxPpocs48MvzYkvQMxNq3hdKt+fIgQr6GzGfj
	Lbp6T9UPrOhMIESul0X7XlnU0HLOdmkl4317q58FpAqFaC7j1A97Z8pR4YQgceS00Ffunl
	C/XBJCUEaO83teRAMsKFUW2rzWnO1fc9t8/fwTypMtuzIzDIColSjEEr4bABagHywVtbR4
	WVw4/bsm3OhkTuJrsGUW2Ig257VEI8DVpORQS8S642HmHRDZBdVsFA44rxTvypemPV6K/b
	Q8YW8TRaXMOEYILM2eM8pfk4I6dgvEiWQGUgbo8VZsN02+UVNZ5wS/uGaqWThQ==
X-Migadu-Spam-Score: -1.48
X-Spam-Score: -1.48
X-Migadu-Queue-Id: 537712DF97
X-Migadu-Scanner: scn0.migadu.com
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org"
X-TUID: D2QNoyKVu98x

On 02/05/2023 18:21, Ihor Radchenko wrote:
> Max Nikulin writes:
>>
>> I posted the links as a reminder that shell commands should be avoided
>> when possible (and it does not break TRAMP) and arguments should be
>> escaped otherwise.
> 
> But this patch literally fixed the problem. What else should we do?

Do you really think that it was the last unsafe shell command in the Org 
code?

https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-ditaa.el#n101
and (shell-command pdf-cmd) below

https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-lilypond.el#n194

Of course, you may say that expanding shell constructs in :file header 
argument is a feature that allows more flexibility. Personally, I 
inspect Org files obtained from external resources in some dumb enough 
viewer before opening them in Emacs.

>> I suppose, the issue has been received too much attention already:
>>
>> - https://security-tracker.debian.org/tracker/CVE-2023-28617
>> - https://ubuntu.com/security/notices/USN-6003-1
>> - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-28617
> 
> These appear to be different issues.

Linux distributions had to react to the CVE with formally high score and 
updated Emacs packages applying 2 tiny patches from this thread.