Bug 2293942 (CVE-2024-39331)

Summary: CVE-2024-39331 emacs: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: fweimer
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: emacs 29.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when Org mode is enabled. When Emacs is used as an email client, this issue can be triggered when previewing email attachments.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2293944
Bug Blocks: 2293945

Description Avinash Hanwate 2024-06-24 13:38:43 UTC
In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.

References and upstream patch:
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29
https://list.orgmode.org/87sex5gdqc.fsf%40localhost/
https://news.ycombinator.com/item?id=40768225
https://www.openwall.com/lists/oss-security/2024/06/23/1
https://www.openwall.com/lists/oss-security/2024/06/23/2
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8
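The description above says the flaw is reached through a `%(...)` link abbreviation, i.e. an `#+LINK:` keyword whose replacement names an Elisp function that Org calls during expansion. A defender who has to triage Org attachments or a document corpus before an upgrade to Emacs 29.4 / Org 9.7.5 can find such abbreviations statically. The scanner below is an added example, not code from this bug or from the Emacs or Org projects. It assumes the standard `#+LINK: linkword replacement` syntax, uses a constructed sample document, and the list of command-running functions it rates as high severity is illustrative, not exhaustive; the allowlist is a caller-supplied policy, empty by default.

```python
import re

# Constructed sample Org document (not taken from the bug report): one abbrev
# that only substitutes %s, one that calls a function via %(...), and one that
# names the shell helper mentioned in the CVE description.
SAMPLE_ORG = """#+TITLE: Quarterly notes
#+LINK: bugzilla https://bugzilla.example.org/show_bug.cgi?id=%s
#+LINK: mirror %(org-link-mirror-resolver)
#+LINK: run %(shell-command-to-string)
* Heading
See [[bugzilla:2293942]] and [[run:id]].
"""

# "#+LINK: linkword replacement" at the start of a line (keyword is case-insensitive).
# [ \t]* rather than \s* so the anchor cannot swallow preceding blank lines,
# which would throw off the reported line number.
LINK_ABBREV_RE = re.compile(r"^[ \t]*#\+LINK:[ \t]+(\S+)[ \t]+(.*)$",
                            re.IGNORECASE | re.MULTILINE)

# A %(function-name) directive inside the replacement text.
FUNC_RE = re.compile(r"%\(([^)\s]+)\)")

# Illustrative list of Elisp functions that run external commands or evaluate
# code; any %(...) abbrev naming one of these is rated "high". Not exhaustive.
KNOWN_COMMAND_RUNNERS = frozenset({
    "shell-command-to-string",  # named in the CVE description
    "shell-command",
    "call-process",
    "start-process",
    "eval",
})


def find_unsafe_link_abbrevs(org_text, safe_functions=frozenset()):
    """Return a list of findings for every #+LINK abbrev that expands via %(...).

    Each finding is a dict with the link word, the function named, the 1-based
    line number, and a severity: "high" for known command runners, otherwise
    "review". Functions in `safe_functions` (an allowlist chosen by the caller)
    are skipped. Abbrevs that only use %s or %h produce no finding.
    """
    findings = []
    for m in LINK_ABBREV_RE.finditer(org_text):
        linkword, replacement = m.group(1), m.group(2).strip()
        line_no = org_text.count("\n", 0, m.start()) + 1
        for fm in FUNC_RE.finditer(replacement):
            func = fm.group(1)
            if func in safe_functions:
                continue
            findings.append({
                "linkword": linkword,
                "function": func,
                "line": line_no,
                "severity": "high" if func in KNOWN_COMMAND_RUNNERS else "review",
            })
    return findings


if __name__ == "__main__":
    for f in find_unsafe_link_abbrevs(SAMPLE_ORG):
        print(f"line {f['line']}: #+LINK {f['linkword']} calls {f['function']} [{f['severity']}]")
```

Run against the sample, the scanner reports the `mirror` abbrev for review and the `run` abbrev as high severity, while the `bugzilla` abbrev (plain `%s` substitution) is ignored. It is a triage aid for files at rest; the actual fix is the upstream change linked above, shipped in Emacs 29.4 and Org 9.7.5.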

Comment 1 Avinash Hanwate 2024-06-24 13:42:40 UTC
Created emacs tracking bugs for this issue:

Affects: fedora-all [bug 2293944]

Comment 4 errata-xmlrpc 2024-08-01 08:03:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:4971 https://access.redhat.com/errata/RHSA-2024:4971

Comment 5 errata-xmlrpc 2024-09-03 16:04:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6203 https://access.redhat.com/errata/RHSA-2024:6203

Comment 6 errata-xmlrpc 2024-09-09 18:28:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6510 https://access.redhat.com/errata/RHSA-2024:6510

Comment 7 errata-xmlrpc 2024-09-24 02:58:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6987 https://access.redhat.com/errata/RHSA-2024:6987