Bug#1033341: org-mode: CVE-2023-28617
David Bremner writes:

> Nicholas D Steeves writes:
>
>> fixed 1033341 org/mode/9.5.2+dfsh-5
>> fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
>> thanks
>
> Are you sure about that? It depends on emacs 28.2, which afaik has the
> vulnerable org-mode embedded. I guess it's a question of interpretation,
> but the vulnerability is still there after installing the package.

Wasn't the fix in emacs 1:28.2+1-14 two months ago? Meanwhile the new
empty org-mode 9.5.2+dfsh-5 won't be able to shadow the (fixed) bundled
copy. Thanks again for that work! This was also in bullseye in emacs
26.1+1-3.2+deb10u4.

After uploading to bullseye-updates I'll upload 9.6.6 to unstable. I'd
rather let someone else take care of buster, if we're still supporting
it.

Regards,
Nicholas
Bug#1033341: org-mode: CVE-2023-28617
Salvatore Bonaccorso writes:

> Looking at https://security-tracker.debian.org/tracker/CVE-2023-28617
> I think we should be fine for bookworm already, correct?

Yes, I think what is there makes sense, given the constraints of
expressing a weird situation.

d
Bug#1033341: org-mode: CVE-2023-28617
Hi David,

On Sun, Jun 04, 2023 at 08:34:18AM -0300, David Bremner wrote:
> Nicholas D Steeves writes:
>
> > fixed 1033341 org/mode/9.5.2+dfsh-5
> > fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
> > thanks
>
> Are you sure about that? It depends on emacs 28.2, which afaik has the
> vulnerable org-mode embedded. I guess it's a question of interpretation,
> but the vulnerability is still there after installing the package.

For src:emacs the respective bug is #1033342. But this is why I as well
mentioned that for org-mode this technically would need a per suite
"unimportant" tracking in the security-tracker (as the source is still
affected up to < 9.6.6+dfsg-1~exp1, but not the resulting binary
packages).

Looking at https://security-tracker.debian.org/tracker/CVE-2023-28617
I think we should be fine for bookworm already, correct?

(For bullseye the issue is no-dsa and could be fixed with respective
updates in a point release.)

Regards,
Salvatore
Bug#1033341: org-mode: CVE-2023-28617
Nicholas D Steeves writes:

> fixed 1033341 org/mode/9.5.2+dfsh-5
> fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
> thanks

Are you sure about that? It depends on emacs 28.2, which afaik has the
vulnerable org-mode embedded. I guess it's a question of interpretation,
but the vulnerability is still there after installing the package.

d
Bug#1033341: org-mode: CVE-2023-28617
Hi,

On Sat, Jun 03, 2023 at 10:02:43PM -0400, Nicholas D Steeves wrote:
> fixed 1033341 org/mode/9.5.2+dfsh-5
> fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
> thanks
>
> Dear Salvatore and Security Team,
>
> Salvatore Bonaccorso writes:
>
> > Source: org-mode
> > Version: 9.5.2+dfsh-4
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> > Control: clone -1 -2
> > Control: reassign -2 src:emacs 1:28.2+1-13
> > Control: retitle -2 emacs: CVE-2023-28617
> >
> > Hi,
> >
> > The following vulnerability was published for org-mode (and emacs,
> > will close this bug).
> >
> > CVE-2023-28617[0]:
> > | org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
> > | GNU Emacs allows attackers to execute arbitrary commands via a file
> > | name or directory name that contains shell metacharacters.
>
> All lisp files were dropped in org-mode/9.5.2+dfsh-5, and so this CVE is
> fixed there; however, unfortunately this bug was not closed from that
> changelog entry.

While this technically would be a case for unimportant severity in
sec-tracker, we cannot do it per suite. So I went ahead marking it as
fixed with org-mode/9.5.2+dfsh-5 but adding a note explaining why we did
so.

> This CVE is also not present in the 9.6.6+dfsg-1~exp1 that I just
> uploaded to experimental, but to be honest I forgot about this bug when
> uploading, and so I forgot to close this bug from the changelog as
> instructed. Sorry.
>
> What is the correct way to proceed now?

All information updated in the tracker. For bullseye you might consider
proposing a fix via the upcoming bullseye point release (no DSA is
needed for this issue).

Regards,
Salvatore
Bug#1033341: org-mode: CVE-2023-28617
fixed 1033341 org/mode/9.5.2+dfsh-5
fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
thanks

Dear Salvatore and Security Team,

Salvatore Bonaccorso writes:

> Source: org-mode
> Version: 9.5.2+dfsh-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Control: clone -1 -2
> Control: reassign -2 src:emacs 1:28.2+1-13
> Control: retitle -2 emacs: CVE-2023-28617
>
> Hi,
>
> The following vulnerability was published for org-mode (and emacs,
> will close this bug).
>
> CVE-2023-28617[0]:
> | org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
> | GNU Emacs allows attackers to execute arbitrary commands via a file
> | name or directory name that contains shell metacharacters.

All lisp files were dropped in org-mode/9.5.2+dfsh-5, and so this CVE is
fixed there; however, unfortunately this bug was not closed from that
changelog entry.

This CVE is also not present in the 9.6.6+dfsg-1~exp1 that I just
uploaded to experimental, but to be honest I forgot about this bug when
uploading, and so I forgot to close this bug from the changelog as
instructed. Sorry.

What is the correct way to proceed now?

Regards,
Nicholas
Bug#1033341: org-mode: CVE-2023-28617
Source: org-mode
Version: 9.5.2+dfsh-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Control: clone -1 -2
Control: reassign -2 src:emacs 1:28.2+1-13
Control: retitle -2 emacs: CVE-2023-28617

Hi,

The following vulnerability was published for org-mode (and emacs,
will close this bug).

CVE-2023-28617[0]:
| org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
| GNU Emacs allows attackers to execute arbitrary commands via a file
| name or directory name that contains shell metacharacters.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28617
    https://www.cve.org/CVERecord?id=CVE-2023-28617

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
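To illustrate the bug class the CVE text describes (an added example, not code from ob-latex.el, org-mode or anyone in this thread): a LaTeX compile command assembled from an untrusted file name by plain `format`, beside two hardened forms. The `my/` function names, the `pdflatex` command line and the sample file name are constructed for this illustration and do not reproduce the real org-mode code or its fix.

```elisp
;;; Added illustration of the CVE-2023-28617 bug class; not org-mode's code.
;;; Function names, the pdflatex command line and the sample file name are
;;; constructed for this example.

(defun my/latex-command-unquoted (file)
  "Vulnerable pattern: FILE is spliced verbatim into a shell command line.
Any shell metacharacter in FILE is interpreted by the shell instead of
being passed to pdflatex as part of the name."
  (format "pdflatex -interaction nonstopmode %s" file))

(defun my/latex-command-quoted (file)
  "Hardened pattern: FILE is escaped with `shell-quote-argument', so the
shell hands it to pdflatex as one literal argument."
  (format "pdflatex -interaction nonstopmode %s"
          (shell-quote-argument file)))

(defun my/latex-argv (file)
  "Strongest form: an argument vector for `call-process', which starts the
program directly with no shell involved, so no quoting is needed.
Returns (PROGRAM ARG...)."
  (list "pdflatex" "-interaction" "nonstopmode" file))

(defun my/run-latex-argv (file &optional buffer)
  "Run pdflatex on FILE without a shell, sending output to BUFFER."
  (let ((argv (my/latex-argv file)))
    (apply #'call-process (car argv) nil buffer nil (cdr argv))))

;; Constructed file name containing shell metacharacters (space, parentheses
;; and ampersand). It is harmless, but enough to show that the unquoted
;; command line would be split and reinterpreted by the shell, while the
;; quoted string and the argument vector carry the name through intact.
(let ((name "report (draft) & notes.tex"))
  (list (my/latex-command-unquoted name)
        (my/latex-command-quoted name)
        (my/latex-argv name)))
```

Evaluating the final form in `M-x ielm` shows the three shapes side by side without invoking pdflatex; `my/run-latex-argv` is the one a defender would keep.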