org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.

Reference: https://list.orgmode.org/tencent_04CF842704737012CCBCD63CD654DD41CA0A@qq.com/T/#m6ef8e7d34b25fe17b4cbb655b161edce18c6655e

Upstream patches:
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
Created emacs tracking bugs for this issue: Affects: fedora-all [bug 2180545]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:1915 https://access.redhat.com/errata/RHSA-2023:1915
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1930 https://access.redhat.com/errata/RHSA-2023:1930
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1931 https://access.redhat.com/errata/RHSA-2023:1931
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1958 https://access.redhat.com/errata/RHSA-2023:1958
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:2010 https://access.redhat.com/errata/RHSA-2023:2010
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2074 https://access.redhat.com/errata/RHSA-2023:2074
This flaw is a bit of a stretch. The user executing the code has to inject the code, and run the code, kinda like a shell almost. If an attacker can make this:

#+name: vul_test
#+header: :file test;uname -a;.svg
#+begin_src latex
\LaTeX
#+end_src

Then they can make this:

#+name: wades_test
#+begin_src :var x="reboot"
$x
#+end_src

or more specifically..

#+name: wades_test
#+begin_src sh
rm -rf / && reboot
#+end_src

It may be unintended side effects, but org-babel is intended to execute code with side effects provided by the user. I use this every day.
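The injection in the comment above works because the value of the :file header is spliced verbatim into a shell command string, so a file name containing `;` turns one command into several. The Emacs Lisp below is an added illustration of that defect class next to the quoting fix; it is not code from ob-latex.el or from the upstream patches linked at the top of this bug. The `my-` function names and the `example-converter` program are assumptions made for this example.

```elisp
;; Added example, not code from ob-latex.el or the upstream fix.
;; Contrasts inserting a file name into a shell command unquoted with
;; escaping it through `shell-quote-argument'.  The `my-' names and the
;; `example-converter' program are placeholders for this illustration.

(defun my-unquoted-command (out-file)
  "Build a command by inserting OUT-FILE verbatim (the defect class).
Any shell metacharacter in OUT-FILE is interpreted by the shell."
  (format "example-converter input.pdf %s" out-file))

(defun my-quoted-command (out-file)
  "Build the same command with OUT-FILE escaped by `shell-quote-argument'.
Every character outside the shell's safe set gets a backslash, so the
whole name reaches the converter as a single argument."
  (format "example-converter input.pdf %s" (shell-quote-argument out-file)))

(defun my-safe-file-name-p (name)
  "Return non-nil when NAME consists only of characters that need no quoting.
Useful as a defensive check before a header value is ever handed to a shell;
the character class mirrors what `shell-quote-argument' leaves untouched."
  (and (stringp name)
       (string-match-p "\\`[-0-9A-Za-z_./]+\\'" name)))

;; The :file value from the comment above, run through both builders.
(let ((name "test;uname -a;.svg"))
  (list (my-safe-file-name-p name)
        (my-unquoted-command name)
        (my-quoted-command name)))
```

Evaluating the `let` form shows the two shapes side by side: the unquoted builder returns the string with the bare `;` characters intact, which a shell would split into three commands, while the quoted builder returns a string in which each `;` and space is preceded by a backslash, and `my-safe-file-name-p` returns nil for that name because of the `;` and space. A defender reviewing similar code can grep for `format` or `concat` calls that build a command from user-controlled names and confirm each such value passes through `shell-quote-argument`, or better, is passed as a separate argument to `call-process` so no shell is involved at all.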
If you're really feeling the need to "not be vulnerable" to this flaw, disable org-babel's latex from loading with the command:

$ rpm -ql emacs | grep ob-latex

mv the file it references to a backup location; emacs should continue to work albeit without org-babel latex support.

If org-mode / org-babel latex mode is required: install a more recent version, please do it from [GNU ELPA] by running this command: `M-x package-install RET org RET'. See https://orgmode.org/install.html for more details.
Hello, Is it possible to label the package emacs-filesystem as not vulnerable? That particular package creates a few directories and has no code. It is installed very widely, creating noise about vulnerabilities in unrelated components. For background, I am working on an openshift operator called "openshift virtualization". Some of our containers use registry.redhat.io/rhel8/nginx-120 as a base image. It installs just emacs-filesystem and no other emacs pieces. There's a warning about our own containers that we are shipping RPMs with a known vulnerability. Updating emacs-filesystem will affect our release timelines (nginx-120 is expected to release a version with an updated emacs-filesystem in a few days, but we'll be releasing too soon to use it).
Ping - can emacs-filesystem be marked as not vulnerable?
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:3189 https://access.redhat.com/errata/RHSA-2023:3189
In reply to comment #17:
> Ping - can emacs-filesystem be marked as not vulnerable?

Hi, we only add RPM source packages to the affected list; emacs-filesystem is an RPM binary package. Thanks.