Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
Dear Release Team,

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2023-28617
Bug #1033341

latex in ob-latex.el in Org Mode (≤9.6.1) allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.

At this time, org-mode 9.1.14+dfsg-3 in buster continues to be affected. Bullseye's copy of Emacs also has a bundled version that is affected, and I'm willing to patch that copy too. Elpa-org-mode is a modular add-on that upgrades and shadows that copy, by the way, so the CVE should be fixed here first.

[ Impact ]
Security risk that is worth the effort to fix. Emacs has no sandboxing...

Carnil asked me to "consider proposing a fix via the upcoming bullseye point release" (#1033341), so here I am!

[ Tests ]
For the version of src:org-mode in bullseye, manual testing; however, the same fix has been tested in the bundled copy of Org-mode that is part of Emacs in bookworm. This fix has seen two months of testing.

[ Risks ]
It's a trivial and fairly obvious fix that was discussed upstream here:
https://list.orgmode.org/tencent_04cf842704737012ccbcd63cd654dd41c...@qq.com/T/#m6ef8e7d34b25fe17b4cbb655b161edce18c6655e?cve=title

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
A cherry-picked patch that has been tested in bookworm for two months, an update to the series file, and a changelog entry. The patch replaces calls to the external "mv" command with the Emacs internal function "rename-file", which has been in active use since the '80s.

Thank you for all the work that you are doing for bookworm!

Regards,
Nicholas
diff -Nru org-mode-9.4.0+dfsg/debian/changelog org-mode-9.4.0+dfsg/debian/changelog --- org-mode-9.4.0+dfsg/debian/changelog 2020-09-24 10:07:33.000000000 -0400 +++ org-mode-9.4.0+dfsg/debian/changelog 2023-06-04 13:26:52.000000000 -0400 @@ -1,3 +1,12 @@ +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium + + * Fix Org Mode command injection vulnerability CVE-2023-28617 by backporting + 0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs + did (Closes: #1033341). Thanks to Rob Browning's work in that package, + fixing org-mode was trivially easy! + + -- Nicholas D Steeves <s...@debian.org> Sun, 04 Jun 2023 13:26:52 -0400 + org-mode (9.4.0+dfsg-1) unstable; urgency=medium * New upstream version 9.4.0+dfsg diff -Nru org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch --- org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch 1969-12-31 19:00:00.000000000 -0500 +++ org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch 2023-06-04 03:17:12.000000000 -0400 
@@ -0,0 +1,51 @@ +From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001 +From: Xi Lu <l...@shellcodes.org> +Date: Sat, 11 Mar 2023 18:53:37 +0800 +Subject: Fix command injection vulnerability CVE-2023-28617 + +https://security-tracker.debian.org/tracker/CVE-2023-28617 + +Trivially backport the following upstream patch like emacs-1:28.2+1-15 did: + + * lisp/ob-latex.el: Fix command injection vulnerability + + (org-babel-execute:latex): + Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'. + + TINYCHANGE + +The second patch of the series does not appear to needed by Org-mode 9.4.0. + +Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741 +Bug-Debian: https://bugs.debian.org/1033341 +--- + lisp/ob-latex.el | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el +index 4b343dd..704ae4e 100644 +--- a/lisp/ob-latex.el ++++ b/lisp/ob-latex.el +@@ -152,17 +152,14 @@ This function is called by `org-babel-execute-src-block'." 
+ (if (string-suffix-p ".svg" out-file) + (progn + (shell-command "pwd") +- (shell-command (format "mv %s %s" +- (concat (file-name-sans-extension tex-file) "-1.svg") +- out-file))) ++ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg") ++ out-file t)) + (error "SVG file produced but HTML file requested"))) + ((file-exists-p (concat (file-name-sans-extension tex-file) ".html")) + (if (string-suffix-p ".html" out-file) +- (shell-command "mv %s %s" +- (concat (file-name-sans-extension tex-file) +- ".html") +- out-file) +- (error "HTML file produced but SVG file requested"))))) ++ (rename-file (concat (file-name-sans-extension tex-file) ".html") ++ out-file t) ++ (error "HTML file produced but SVG file requested"))))) + ((or (string= "pdf" extension) imagemagick) + (with-temp-file tex-file + (require 'ox-latex) diff -Nru org-mode-9.4.0+dfsg/debian/patches/series org-mode-9.4.0+dfsg/debian/patches/series --- org-mode-9.4.0+dfsg/debian/patches/series 2020-09-24 10:07:33.000000000 -0400 +++ org-mode-9.4.0+dfsg/debian/patches/series 2023-06-04 03:19:47.000000000 -0400 @@ -1,4 +1,4 @@ 10-shebang.patch #20-links-unescaping.patch 30-local-mk.patch - +0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
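Review bot: in the debian/changelog hunk the distribution is `bullseye-security`, but this is filed as a `pu` (point-release) request to the Release Team rather than a DSA through the security team, so the entry should target the stable codename: `org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium`. The `+deb11u1` revision and the `(Closes: #1033341)` reference otherwise match the bug report.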
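Review bot: the removed `.html` branch in the ob-latex.el hunk called `(shell-command "mv %s %s" (concat ...) out-file)` without `format`, so the literal format string was the command and the two file names were passed as shell-command's OUTPUT-BUFFER and ERROR-BUFFER arguments; that branch never renamed anything, and the replacement `(rename-file (concat ...) out-file t)` fixes a latent functional bug on top of the injection. The patch description should say so, since it is a user-visible behaviour change for HTML output. Passing `t` as OK-IF-ALREADY-EXISTS preserves the old `mv` semantics of silently overwriting an existing out-file, which is fine for a backport; the leftover `(shell-command "pwd")` takes no user-controlled input and is harmless, but it is debug residue that could be dropped in the same patch. Minor: the description's "does not appear to needed" should read "does not appear to be needed".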
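Review bot: the debian/patches/series hunk adds `0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch` after `30-local-mk.patch`, so the `0004-` prefix (inherited from the src:emacs series) suggests an ordering the file does not have. A name in the existing scheme, e.g. `40-cve-2023-28617-rename-file.patch`, would keep the series self-describing; applying it last is correct since it touches only lisp/ob-latex.el and does not overlap the earlier patches.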