Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
"Adam D. Barratt" writes:

> On Thu, 2023-08-03 at 10:39 -0400, Nicholas D Steeves wrote:
>>
>> Thanks for the ACK, and for the reminder! I had forgotten to run dch
>> with "--team", so I fixed that, and uploaded.
>>
>
> I'm not sure what happened to the upload, but there appears to be no
> sign of it in either the queued or dak logs.

Oh my! Thank you for letting me know, I truly appreciate it. I checked my
local build output and to-upload directory/queue and found that the
package hadn't been signed, which means that my sign+upload command timed
out requesting the key signing password...which happened due to a
horribly timed trustdb check (then I ran out of time). Gah.

I've filed a debsign bug requesting feedback, since
--no-auto-check-trustdb should probably be the default for signing
changes files.

Kind regards,
Nicholas

signature.asc
Description: PGP signature
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
On Thu, 2023-08-03 at 10:39 -0400, Nicholas D Steeves wrote:
> Jonathan Wiltshire writes:
>
> > Control: tag -1 confirmed
> >
> > On Mon, Jun 12, 2023 at 07:44:52PM -0400, Nicholas D Steeves wrote:
> > > Updated debdiff attached.
> >
> > Please go ahead (you should probably add a non-maintainer upload
> > line, or
> > add yourself to uploaders, as well).
>
> Thanks for the ACK, and for the reminder! I had forgotten to run dch
> with "--team", so I fixed that, and uploaded.
>

I'm not sure what happened to the upload, but there appears to be no
sign of it in either the queued or dak logs.

Regards,

Adam
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
Jonathan Wiltshire writes:

> Control: tag -1 confirmed
>
> On Mon, Jun 12, 2023 at 07:44:52PM -0400, Nicholas D Steeves wrote:
>> Updated debdiff attached.
>
> Please go ahead (you should probably add a non-maintainer upload line, or
> add yourself to uploaders, as well).

Thanks for the ACK, and for the reminder! I had forgotten to run dch
with "--team", so I fixed that, and uploaded.

Kind regards,
Nicholas
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
Control: tag -1 confirmed

On Mon, Jun 12, 2023 at 07:44:52PM -0400, Nicholas D Steeves wrote:
> Updated debdiff attached.

Please go ahead (you should probably add a non-maintainer upload line, or
add yourself to uploaders, as well).

Thanks,

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
Dear release team, please skip to the bottom for the info you're looking for.

Salvatore Bonaccorso writes:

> What is as well different for the uploads is to which upload queue you
> would upload in the end. ftp-master for the proposed-updates via point
> release, security-master for the security uploads.
>
> There are two good entry points about the uploads for stable:

Yikes, how did I miss these?

> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

I've updated the metadata of the blocked bug to show that the version in
bullseye is in fact affected (it already was on the security tracker, of
course). The rest of the info is there.

> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs

The vulnerability is already public, and at the blocked bug Salvatore
advised me that a DSA is not required and that uploading to
stable-updates for the next point release is the correct action.

> Hope this helps!

Yes, definitely, much obliged! Can I upload now?

Regards,
Nicholas

signature.asc
Description: PGP signature
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
Hi Nicholas,

On Mon, Jun 12, 2023 at 07:44:52PM -0400, Nicholas D Steeves wrote:
> Control: block 1033341 by -1
>
> Dear Salvatore and release team,
>
> Salvatore Bonaccorso writes:
>
> > On Tue, Jun 06, 2023 at 11:00:14PM -0400, Nicholas D Steeves wrote:
> >> +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium
> >> +
> >> +  * Fix Org Mode command injection vulnerability CVE-2023-28617 by
> >> backporting
> >> +    0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like
> >> src:emacs
> >> +    did (Closes: #1033341).  Thanks to Rob Browning's work in that
> >> package,
> >> +    fixing org-mode was trivially easy!
> >> +
> >> + -- Nicholas D Steeves  Sun, 04 Jun 2023 13:26:52 -0400
> >
> > Small remark, for the bullseye pu update please target at 'bullseye'
> > not 'bullseye-security'.
> >
>
> Done.  That was actually my first instinct, but I thought the existence
> of a CVE would destine the upload to the -security queue!  I was wrong,
> but this is a teaching/learning moment.
>
> Is it as simple as: Use the -security queue when a DSA is needed,
> otherwise use the normal distribution code name and the foo-updates
> queue?  No need to explain if it's more complicated and if you're busy.
> (I couldn't find documentation of this in the Dev Ref)

What is as well different for the uploads is to which upload queue you
would upload in the end. ftp-master for the proposed-updates via point
release, security-master for the security uploads.

There are two good entry points about the uploads for stable:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs

Hope this helps!

Regards,
Salvatore
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
Control: block 1033341 by -1

Dear Salvatore and release team,

Salvatore Bonaccorso writes:

> On Tue, Jun 06, 2023 at 11:00:14PM -0400, Nicholas D Steeves wrote:
>> +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium
>> +
>> +  * Fix Org Mode command injection vulnerability CVE-2023-28617 by
>> backporting
>> +    0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs
>> +    did (Closes: #1033341).  Thanks to Rob Browning's work in that package,
>> +    fixing org-mode was trivially easy!
>> +
>> + -- Nicholas D Steeves  Sun, 04 Jun 2023 13:26:52 -0400
>
> Small remark, for the bullseye pu update please target at 'bullseye'
> not 'bullseye-security'.
>

Done.  That was actually my first instinct, but I thought the existence
of a CVE would destine the upload to the -security queue!  I was wrong,
but this is a teaching/learning moment.

Is it as simple as: Use the -security queue when a DSA is needed,
otherwise use the normal distribution code name and the foo-updates
queue?  No need to explain if it's more complicated and if you're busy.
(I couldn't find documentation of this in the Dev Ref)

Updated debdiff attached.

Regards,
Nicholas

9.4.0+dfsg-1__to__9.4.0+dfsg-1.debdiff
Description: debdiff

signature.asc
Description: PGP signature
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
Hi,

On Tue, Jun 06, 2023 at 11:00:14PM -0400, Nicholas D Steeves wrote:
> +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium
> +
> +  * Fix Org Mode command injection vulnerability CVE-2023-28617 by
> backporting
> +    0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs
> +    did (Closes: #1033341).  Thanks to Rob Browning's work in that package,
> +    fixing org-mode was trivially easy!
> +
> + -- Nicholas D Steeves  Sun, 04 Jun 2023 13:26:52 -0400

Small remark, for the bullseye pu update please target at 'bullseye'
not 'bullseye-security'.

Regards,
Salvatore
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2023-28617
Bug #1033341

latex in ob-latex.el in Org Mode (≤9.6.1) allows attackers to execute
arbitrary commands via a file name or directory name that contains shell
metacharacters.

At this time, org-mode 9.1.14+dfsg-3 in buster continues to be affected.
Bullseye's copy of Emacs also has a bundled version that is affected, and
I'm willing to patch that copy too. Elpa-org-mode is a modular add-on
that upgrades and shadows that copy, by the way, so the CVE should be
fixed here first.

[ Impact ]
Security risk that is worth the effort to fix. Emacs has no
sandboxing... Carnil asked me to "consider proposing a fix via the
upcoming bullseye point release" (#1033341), so here I am!

[ Tests ]
For the version of src:org-mode in bullseye, manual testing; however,
the same fix has been tested in the bundled copy of Org-mode that is
part of Emacs in bookworm. This fix has seen two months of testing.

[ Risks ]
It's a trivial and fairly obvious fix that was discussed upstream here:
https://list.orgmode.org/tencent_04cf842704737012ccbcd63cd654dd41c...@qq.com/T/#m6ef8e7d34b25fe17b4cbb655b161edce18c6655e?cve=title

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
A cherry-picked patch that has been tested in bookworm for two months,
an update to the series file, and a changelog entry. The patch replaces
calls to the external "mv" command with the Emacs internal function
"rename-file", which has been in active use since the '80s.

Thank you for all the work that you are doing for bookworm!
Regards, Nicholas diff -Nru org-mode-9.4.0+dfsg/debian/changelog org-mode-9.4.0+dfsg/debian/changelog --- org-mode-9.4.0+dfsg/debian/changelog2020-09-24 10:07:33.0 -0400 +++ org-mode-9.4.0+dfsg/debian/changelog2023-06-04 13:26:52.0 -0400 @@ -1,3 +1,12 @@ +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium + + * Fix Org Mode command injection vulnerability CVE-2023-28617 by backporting +0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs +did (Closes: #1033341). Thanks to Rob Browning's work in that package, +fixing org-mode was trivially easy! + + -- Nicholas D Steeves Sun, 04 Jun 2023 13:26:52 -0400 + org-mode (9.4.0+dfsg-1) unstable; urgency=medium * New upstream version 9.4.0+dfsg diff -Nru org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch --- org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch 1969-12-31 19:00:00.0 -0500 +++ org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch 2023-06-04 03:17:12.0 -0400 
@@ -0,0 +1,51 @@ +From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001 +From: Xi Lu +Date: Sat, 11 Mar 2023 18:53:37 +0800 +Subject: Fix command injection vulnerability CVE-2023-28617 + +https://security-tracker.debian.org/tracker/CVE-2023-28617 + +Trivially backport the following upstream patch like emacs-1:28.2+1-15 did: + + * lisp/ob-latex.el: Fix command injection vulnerability + + (org-babel-execute:latex): + Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'. + + TINYCHANGE + +The second patch of the series does not appear to needed by Org-mode 9.4.0. + +Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741 +Bug-Debian: https://bugs.debian.org/1033341 +--- + lisp/ob-latex.el | 13 + + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el +index 4b343dd..704ae4e 100644 +--- a/lisp/ob-latex.el b/lisp/ob-latex.el +@@ -152,17 +152,14 @@ This function is called by `org-babel-execute-src-block'." + (if (string-suffix-p ".svg" out-file) + (progn + (shell-command "pwd") +-(shell-command (format "mv %s %s" +- (concat (file-name-sans-extension tex-file) "-1.svg") +- out-file))) ++ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg") ++ out-file t)) + (error "SVG file produced but HTML file requested"))) + ((file-exists-p (concat (file-name-sans-extension tex-file) ".html")) + (if (string-suffix-p ".html" out-file) +- (shell-command "mv %s %s" +- (concat (file-name-sans-extension tex-file) +-
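Review bot: the debian/changelog hunk targets `bullseye-security`, but this is a proposed-updates upload for the point release, which goes through ftp-master and must target the plain suite name; the `-security` suite is for security-master/DSA uploads (Salvatore makes the same remark elsewhere in this thread). Change the first added line to `org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium`. The `+deb11u1` version suffix is correct for a bullseye stable update and can stay.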
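Review bot: in the lisp/ob-latex.el hunk, `(shell-command "pwd")` is left in place directly above the replaced `mv`; its argument is a constant so it is not injectable, but it is a stray debugging call that still spawns a shell on every LaTeX block execution and could be dropped in the same backport. The `t` passed as the third argument to `rename-file` (overwrite if the target exists) preserves the old `mv` semantics, which is the right choice for a minimal stable update. For the .html branch, the removed line reads `(shell-command "mv %s %s"` followed directly by the `(concat ...)` argument, i.e. the original never wrapped the string in `format`, so replacing it with `rename-file` also repairs a call that could not have worked as intended; this copy of the debdiff is cut off at that point, so the second replacement cannot be verified from the page and should be checked against the upstream commit named in the Origin field, as should the header's claim that the second patch of the upstream series is not needed for 9.4.0.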