Bug 2180544 (CVE-2023-28617)

Summary: CVE-2023-28617 emacs: command injection vulnerability in org-mode
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: fsumsal, jmigacz, wmealing
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in the Emacs text editor. Processing specially crafted org-mode code with the function org-babel-execute:latex in ob-latex.el can result in arbitrary command execution.
Bug Depends On: 2180545, 2180580, 2180581, 2180582, 2180583, 2180584, 2180585, 2180586, 2180587, 2180588, 2180589, 2180590, 2180591, 2180592, 2184377
Bug Blocks: 2179730

Description Guilherme de Almeida Suckevicz 2023-03-21 17:48:34 UTC
org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.

Reference:
https://list.orgmode.org/tencent_04CF842704737012CCBCD63CD654DD41CA0A@qq.com/T/#m6ef8e7d34b25fe17b4cbb655b161edce18c6655e

Upstream patches:
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741

Comment 1 Guilherme de Almeida Suckevicz 2023-03-21 17:48:48 UTC
Created emacs tracking bugs for this issue:

Affects: fedora-all [bug 2180545]

Comment 5 errata-xmlrpc 2023-04-20 13:26:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1915 https://access.redhat.com/errata/RHSA-2023:1915

Comment 6 errata-xmlrpc 2023-04-24 02:30:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1930 https://access.redhat.com/errata/RHSA-2023:1930

Comment 7 errata-xmlrpc 2023-04-24 02:57:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1931 https://access.redhat.com/errata/RHSA-2023:1931

Comment 8 errata-xmlrpc 2023-04-25 08:35:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1958 https://access.redhat.com/errata/RHSA-2023:1958

Comment 9 errata-xmlrpc 2023-04-25 14:50:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:2010 https://access.redhat.com/errata/RHSA-2023:2010

Comment 10 errata-xmlrpc 2023-05-02 07:12:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2074 https://access.redhat.com/errata/RHSA-2023:2074

Comment 14 Wade Mealing 2023-05-10 05:26:24 UTC
This flaw is a bit of a stretch. The user executing the code has to inject the code and run the code, kinda like a shell almost.

If an attacker can make this:

  #+name: vul_test
  #+header: :file test;uname -a;.svg
  #+begin_src latex
  \LaTeX
  #+end_src

Then they can make this:

  #+name: wades_test
  #+begin_src :var x="reboot"
  $x
  #+end_src

or more specifically..

  #+name: wades_test
  #+begin_src sh
  rm -rf / && reboot 
  #+end_src

It may be unintended side effects, but org-babel is intended to execute code with side effects provided by the user. I use this every day.
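
As an added defender-side example (not code from this bug, from Emacs or from Red Hat): a small Python check that flags `:file` header arguments like the crafted one above when they contain shell metacharacters, and shows why quoting the name (shlex.quote here standing in for the equivalent of Emacs's shell-quote-argument) keeps it a single argument. The `convert in.pdf` command shape and the sample org text are constructed for illustration and are not ob-latex.el's actual command.

```python
import re
import shlex

# Characters a POSIX shell interprets specially; any of them inside an
# unquoted file name changes the command line the name is spliced into.
SHELL_META = set(";|&$`<>()*?[]{}~!#'\"\\ \t\n")

# A :file header argument runs until the next ` :key` or the end of the line.
FILE_ARG_RE = re.compile(r":file\s+(.+?)(?=\s+:[A-Za-z]|\s*$)")


def file_args(org_text):
    """Yield (line_no, value) for each :file argument on #+header: / #+begin_src lines."""
    for line_no, line in enumerate(org_text.splitlines(), 1):
        stripped = line.strip()
        lowered = stripped.lower()
        if not (lowered.startswith("#+header:") or lowered.startswith("#+begin_src")):
            continue
        for match in FILE_ARG_RE.finditer(stripped):
            yield line_no, match.group(1)


def unsafe_file_args(org_text):
    """Return [(line_no, value)] for :file values that contain shell metacharacters."""
    return [(n, v) for n, v in file_args(org_text) if set(v) & SHELL_META]


def render_command(file_name):
    # Shape of the bug: the raw name is spliced into a shell command string.
    # "convert in.pdf" is a constructed stand-in, not ob-latex.el's real command.
    return "convert in.pdf " + file_name


def render_command_quoted(file_name):
    # Hardened form: the quoted name reaches the converter as one argument.
    return "convert in.pdf " + shlex.quote(file_name)


# Constructed sample: the crafted header from the comment above plus a benign block.
SAMPLE_ORG = r"""#+name: vul_test
#+header: :file test;uname -a;.svg
#+begin_src latex
\LaTeX
#+end_src

#+begin_src latex :file out.svg :exports results
\LaTeX
#+end_src
"""

if __name__ == "__main__":
    for line_no, value in unsafe_file_args(SAMPLE_ORG):
        print(f"line {line_no}: suspicious :file value {value!r}")
        print("  unquoted argv:", shlex.split(render_command(value)))
        print("  quoted argv:  ", shlex.split(render_command_quoted(value)))
```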

Comment 15 Wade Mealing 2023-05-10 05:39:38 UTC
If you're really feeling the need to "not be vulnerable" to this flaw, disable org-babel's latex from loading with the command:

$ rpm -ql emacs |grep ob-latex 

mv the file it references to a backup location; emacs should continue to work, albeit without org-babel latex support.

If org-mode / org-babel latex mode is required:

  Install a more recent version, please do it from [GNU ELPA] by
  running this command: `M-x package-install RET org RET'

See https://orgmode.org/install.html for more details.

Comment 16 Maya Rashish 2023-05-10 09:36:46 UTC
Hello,

Is it possible to label the package emacs-filesystem as not vulnerable?
That particular package creates a few directories and has no code.
It is installed very widely, creating noise about vulnerabilities in unrelated components.

For background, I am working on an openshift operator called "openshift virtualization".
Some of our containers use registry.redhat.io/rhel8/nginx-120 as a base image.
It installs just emacs-filesystem and no other emacs pieces.
There's a warning about our own containers that we are shipping RPMs with a known vulnerability.
Updating emacs-filesystem will affect our release timelines (nginx-120 is expected to release a version with an updated emacs-filesystem in a few days, but we'll be releasing too soon to use it).

Comment 17 Maya Rashish 2023-05-17 10:10:58 UTC
Ping - can emacs-filesystem be marked as not vulnerable?

Comment 18 errata-xmlrpc 2023-05-17 15:24:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:3189 https://access.redhat.com/errata/RHSA-2023:3189

Comment 19 Guilherme de Almeida Suckevicz 2023-05-17 18:31:22 UTC
In reply to comment #17:
> Ping - can emacs-filesystem be marked as not vulnerable?

Hi, we only add RPM source packages to the affected list; emacs-filesystem is an RPM binary package.

Thanks.