Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id 
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1037175,
regarding bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1037175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037175
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu

Dear Release Team,

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2023-28617
Bug #1033341

latex in ob-latex.el in Org Mode (≤9.6.1) allows attackers to execute
arbitrary commands via a file name or directory name that contains
shell metacharacters.

At this time, org-mode 9.1.14+dfsg-3 in buster continues to be
affected.  Bullseye's copy of Emacs also has a bundled version that is
affected, and I'm willing to patch that copy too.  Elpa-org-mode is a
modular add-on that upgrades and shadows that copy, by the way, so
the CVE should be fixed here first.

[ Impact ]
Security risk that is worth the effort to fix.  Emacs has no
sandboxing...  Carnil asked me to "consider proposing a fix via the
upcoming bullseye point release" (#1033341), so here I am!

[ Tests ]
For the version of src:org-mode in bullseye, manual testing; however,
the same fix has been tested in the bundled copy of Org-mode that
is part of Emacs in bookworm.  This fix has seen two months of testing.

[ Risks ]
It's a trivial and fairly obvious fix that was discussed upstream here:
https://list.orgmode.org/[email protected]/T/#m6ef8e7d34b25fe17b4cbb655b161edce18c6655e?cve=title

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A cherry picked patch that has been tested in bookworm for two months,
an update to the series file, and a changelog entry.  The patch
replaces calls to the external "mv" command with Emacs internal
function "rename-file", which has been in active use since the '80s.


Thank you for all the work that you are doing for bookworm!
Regards,
Nicholas
diff -Nru org-mode-9.4.0+dfsg/debian/changelog 
org-mode-9.4.0+dfsg/debian/changelog
--- org-mode-9.4.0+dfsg/debian/changelog        2020-09-24 10:07:33.000000000 
-0400
+++ org-mode-9.4.0+dfsg/debian/changelog        2023-06-04 13:26:52.000000000 
-0400
@@ -1,3 +1,12 @@
+org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium
+
+  * Fix Org Mode command injection vulnerability CVE-2023-28617 by backporting
+    0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs
+    did (Closes: #1033341).  Thanks to Rob Browning's work in that package,
+    fixing org-mode was trivially easy!
+
+ -- Nicholas D Steeves <[email protected]>  Sun, 04 Jun 2023 13:26:52 -0400
+
 org-mode (9.4.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 9.4.0+dfsg
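Review bot: the new changelog stanza targets "bullseye-security", but this is a proposed-updates request through release.debian.org rather than a security-team upload, and stable point-release uploads carry the stable codename as their distribution; please change the first line to "org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium" before uploading (the +deb11u1 version string itself is correct for a bullseye stable update). Naming the affected file, lisp/ob-latex.el, in the entry would also help a stable user who only reads the changelog.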
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
 
org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
--- 
org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
        1969-12-31 19:00:00.000000000 -0500
+++ 
org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
        2023-06-04 03:17:12.000000000 -0400
@@ -0,0 +1,51 @@
+From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001
+From: Xi Lu <[email protected]>
+Date: Sat, 11 Mar 2023 18:53:37 +0800
+Subject: Fix command injection vulnerability CVE-2023-28617
+
+https://security-tracker.debian.org/tracker/CVE-2023-28617
+
+Trivially backport the following upstream patch like emacs-1:28.2+1-15 did:
+
+  * lisp/ob-latex.el: Fix command injection vulnerability
+
+  (org-babel-execute:latex):
+  Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
+
+  TINYCHANGE
+
+The second patch of the series does not appear to needed by Org-mode 9.4.0.
+
+Origin: 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
+Bug-Debian: https://bugs.debian.org/1033341
+---
+ lisp/ob-latex.el | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
+index 4b343dd..704ae4e 100644
+--- a/lisp/ob-latex.el
++++ b/lisp/ob-latex.el
+@@ -152,17 +152,14 @@ This function is called by 
`org-babel-execute-src-block'."
+           (if (string-suffix-p ".svg" out-file)
+               (progn
+                 (shell-command "pwd")
+-                (shell-command (format "mv %s %s"
+-                                       (concat (file-name-sans-extension 
tex-file) "-1.svg")
+-                                       out-file)))
++      (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
++                   out-file t))
+             (error "SVG file produced but HTML file requested")))
+          ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
+           (if (string-suffix-p ".html" out-file)
+-              (shell-command "mv %s %s"
+-                             (concat (file-name-sans-extension tex-file)
+-                                     ".html")
+-                             out-file)
+-            (error "HTML file produced but SVG file requested")))))
++          (rename-file (concat (file-name-sans-extension tex-file) ".html")
++                             out-file t)
++        (error "HTML file produced but SVG file requested")))))
+        ((or (string= "pdf" extension) imagemagick)
+         (with-temp-file tex-file
+           (require 'ox-latex)
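Review bot: the removed HTML-branch call on the "-" lines passes the string "mv %s %s" straight to shell-command with the two file names as its OUTPUT-BUFFER and ERROR-BUFFER arguments (there is no surrounding format call as there is in the SVG branch), so before this patch that branch ran a literal "mv %s %s" and never moved the .html file at all; the rename-file replacement therefore also changes behaviour for HTML output, which deserves a sentence in the patch description next to the injection fix. Two smaller points: the SVG branch keeps the stray (shell-command "pwd") debugging call, which still spawns a shell for no purpose and could be dropped in the same patch, and the added rename-file forms are indented at column 6 where the removed shell-command forms sat inside the progn/if at column 16, so the Lisp no longer lines up with its enclosing forms (understandable for a verbatim cherry-pick, but it makes the diff harder to read). In the description, "does not appear to needed" is missing "be", and the "From 320ab831..." line and the "Origin:" URL name different commits; please state which is the upstream org-mode commit and which is the Debian emacs backport so the provenance can be checked.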
diff -Nru org-mode-9.4.0+dfsg/debian/patches/series 
org-mode-9.4.0+dfsg/debian/patches/series
--- org-mode-9.4.0+dfsg/debian/patches/series   2020-09-24 10:07:33.000000000 
-0400
+++ org-mode-9.4.0+dfsg/debian/patches/series   2023-06-04 03:19:47.000000000 
-0400
@@ -1,4 +1,4 @@
 10-shebang.patch
 #20-links-unescaping.patch
 30-local-mk.patch
-
+0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
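Review bot: the three existing entries in series use two-digit numeric prefixes (10-, 20-, 30-) while the new entry is named 0004-..., which reads as an imported git-format-patch name rather than this package's own convention; renaming it to something like 40-CVE-2023-28617.patch (and updating the changelog reference to match) would keep the series consistent. Ordering is unaffected either way, since it is appended last. The hunk also replaces a trailing empty line with the entry, so double-check that the file still ends with a newline.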

--- End Message ---
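The injection described in the request above, reproduced and contrasted with the rename-file replacement, as an added example that is not part of the Debian bug, the org-mode patch or the Emacs sources: demo-move-vulnerable mimics the pre-fix (shell-command (format "mv %s %s" ...)) shape and demo-move-fixed the post-fix (rename-file ... t) call. The demo-* helper names, the temporary directory and the file name "out;touch pwned;" are constructed for the demonstration; the smuggled command only creates a marker file inside that throwaway directory.

```elisp
;;; cve-2023-28617-demo.el --- added example, not org-mode's own code  -*- lexical-binding: t -*-

;; Hypothetical helper names (demo-*) and the file names below are constructed
;; for this demonstration; only the two call shapes come from the patch.

(defun demo-move-vulnerable (src dst)
  "Move SRC to DST the way pre-fix ob-latex.el did: through /bin/sh.
Metacharacters in SRC or DST are parsed by the shell, not treated as a name."
  (shell-command (format "mv %s %s" src dst)))

(defun demo-move-fixed (src dst)
  "Move SRC to DST as the patched ob-latex.el does, without a shell.
The third argument (OK-IF-ALREADY-EXISTS) keeps mv's silent-overwrite behaviour."
  (rename-file src dst t))

(defun demo-run (mover)
  "Create a file whose name carries an injected command and move it with MOVER.
Return (MOVED-P INJECTED-P): whether DST now exists and whether the smuggled
`touch pwned' ran.  Everything happens in a fresh temporary directory."
  (let* ((dir (make-temp-file "cve-2023-28617-" t))
         ;; Relative names below resolve against this directory, for both the
         ;; shell (shell-command inherits default-directory) and rename-file.
         (default-directory (file-name-as-directory dir))
         ;; Constructed attacker-controlled name: `;' terminates the mv command
         ;; and `touch pwned' is run as a second command by the vulnerable mover.
         (src "out;touch pwned;")
         (dst "result.svg"))
    (unwind-protect
        (progn
          (write-region "" nil src)          ; stands in for the LaTeX output file
          (funcall mover src dst)
          (list (file-exists-p dst)
                (file-exists-p "pwned")))
      (delete-directory dir t))))

(defun demo-main ()
  "Run both movers against the same hostile file name and report the outcomes."
  (message "vulnerable: %S" (demo-run #'demo-move-vulnerable))
  (message "fixed:      %S" (demo-run #'demo-move-fixed)))

(provide 'cve-2023-28617-demo)
;;; cve-2023-28617-demo.el ends here
```

Run it with "emacs -Q --batch -l cve-2023-28617-demo.el -f demo-main". With the vulnerable mover the shell splits the string into "mv out", "touch pwned" and "result.svg", so the marker file appears and result.svg does not; with rename-file the whole "out;touch pwned;" is one opaque path, result.svg appears and no marker is created. The same holds for any other metacharacter an attacker can place in an Org source block's :file argument or the working directory name, which is why swapping the shell call for the Emacs primitive closes the whole class rather than one string.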
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam

--- End Message ---
