Hi,

On Sat, Jun 03, 2023 at 10:02:43PM -0400, Nicholas D Steeves wrote:
> fixed 1033341 org/mode/9.5.2+dfsh-5
> fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
> thanks
>
> Dear Salvatore and Security Team,
>
> Salvatore Bonaccorso <car...@debian.org> writes:
>
> > Source: org-mode
> > Version: 9.5.2+dfsh-4
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > <t...@security.debian.org>
> > Control: clone -1 -2
> > Control: reassign -2 src:emacs 1:28.2+1-13
> > Control: retitle -2 emacs: CVE-2023-28617
> >
> > Hi,
> >
> > The following vulnerability was published for org-mode (and emacs,
> > will close this bug).
> >
> > CVE-2023-28617[0]:
> > | org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
> > | GNU Emacs allows attackers to execute arbitrary commands via a file
> > | name or directory name that contains shell metacharacters.
>
> All lisp files were dropped in org-mode/9.5.2+dfsh-5, and so this CVE is
> fixed there; however, unfortunately this bug was not closed from that
> changelog entry.

While this technically would be a case for unimportant severity in
sec-tracker, we cannot do it per suite. So I went ahead marking it as
fixed with org-mode/9.5.2+dfsh-5 but adding a note explaining why we did
so.

> This CVE is also not present in the 9.6.6+dfsg-1~exp1 that I just
> uploaded to experimental, but to be honest I forgot about this bug when
> uploading, and so I forgot to close this bug from the changelog as
> instructed. Sorry.
>
> What is the correct way to proceed now?

All information updated in the tracker. For bullseye you might consider
proposing a fix via the upcoming bullseye point release (no DSA is needed
for this issue).

Regards,
Salvatore