From: Max Nikulin <manikulin@gmail.com>
To: emacs-orgmode@gnu.org
Subject: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Fri, 11 Aug 2023 17:59:00 +0700 [thread overview]
Message-ID: <ub549k$q11$1@ciao.gmane.io> (raw)
Consider the following Org file
---- 8< ----
#+begin_src elisp :results none
(require 'ob-sqlite)
#+end_src
#+begin_src sqlite :db /tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)
select 1
#+end_src
---- >8 ----
Executing of the sqlite code block causes creation of the
/tmp/ob-sqlite-vuln.log file.
The cause is usage of `org-fill-template' without `shell-quote-argument'.
From my point of view it is unsafe to open Org files from untrusted
sources in Emacs in general, so it is not a serious vulnerability. Some
users may consider shell expansion in file name as a convenient feature.
However earlier we had a quite similar issue:
lux. [PATCH] Fix ob-latex.el command injection vulnerability. Sat, 18
Feb 2023 18:08:44 +0800.
https://list.orgmode.org/tencent_7B48D6A8D4FCDC2DC8DF842B069B715ECE0A@qq.com
that is known as CVE-2023-28617 with high enough score
"org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
GNU Emacs allows attackers to execute arbitrary commands via a file name
or directory name that contains shell metacharacters."
and caused updates of Emacs in various Linux distributions
https://security-tracker.debian.org/tracker/CVE-2023-28617
As to `org-fill-template', it may be affected by an issue similar to
Maxim Nikulin. greedy substitution in org-open-file. Wed, 20 Jan 2021
23:08:35 +0700.
https://list.orgmode.org/ru9ki4$t5e$1@ciao.gmane.io
since expansion of a %key may contain %another that might be
interpolated on next iteration. The function should perform substitution
during single scan of the passed template.
next reply other threads:[~2023-08-11 11:00 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-11 10:59 Max Nikulin [this message]
2023-08-13 7:52 ` [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Ihor Radchenko
2023-08-17 16:11 ` Max Nikulin
2023-08-18 8:43 ` Ihor Radchenko
2023-08-18 10:56 ` Max Nikulin
2023-08-18 11:05 ` Ihor Radchenko
2023-08-19 5:58 ` Max Nikulin
2023-08-21 7:04 ` Ihor Radchenko
2023-08-21 15:05 ` Max Nikulin
2023-08-22 9:46 ` Ihor Radchenko
2023-08-28 8:15 ` Max Nikulin
2023-08-29 8:02 ` Ihor Radchenko
2023-08-21 7:09 ` [SECURITY] Shell expansion of babel header args (was: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands) Ihor Radchenko
2023-08-17 16:29 ` [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands Max Nikulin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.orgmode.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='ub549k$q11$1@ciao.gmane.io' \
--to=manikulin@gmail.com \
--cc=emacs-orgmode@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).