Bug 2180544 (CVE-2023-28617) - CVE-2023-28617 emacs: command injection vulnerability in org-mode
Summary: CVE-2023-28617 emacs: command injection vulnerability in org-mode
Keywords:
Status: NEW
Alias: CVE-2023-28617
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2180545 2180580 2180581 2180582 2180583 2180584 2180585 2180586 2180587 2180588 2180589 2180590 2180591 2180592 2184377
Blocks: 2179730
Reported: 2023-03-21 17:48 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-05 20:58 UTC (History)
CC: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Emacs text editor. Processing a specially crafted org-mode document with the function org-babel-execute:latex in ob-latex.el can result in arbitrary command execution.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Last Updated
Red Hat Product Errata  RHBA-2023:1932  2023-04-24 07:24:14 UTC
Red Hat Product Errata  RHBA-2023:1933  2023-04-24 07:25:10 UTC
Red Hat Product Errata  RHBA-2023:1934  2023-04-24 07:26:03 UTC
Red Hat Product Errata  RHBA-2023:1935  2023-04-24 07:26:50 UTC
Red Hat Product Errata  RHBA-2023:1945  2023-04-24 16:46:53 UTC
Red Hat Product Errata  RHBA-2023:1947  2023-04-24 17:30:45 UTC
Red Hat Product Errata  RHBA-2023:1952  2023-04-24 18:02:11 UTC
Red Hat Product Errata  RHBA-2023:1986  2023-04-25 10:40:32 UTC
Red Hat Product Errata  RHBA-2023:2012  2023-04-26 03:37:30 UTC
Red Hat Product Errata  RHBA-2023:2021  2023-04-26 07:30:09 UTC
Red Hat Product Errata  RHBA-2023:2042  2023-04-27 02:40:13 UTC
Red Hat Product Errata  RHBA-2023:2043  2023-04-27 03:01:14 UTC
Red Hat Product Errata  RHBA-2023:2044  2023-04-27 03:15:04 UTC
Red Hat Product Errata  RHBA-2023:2045  2023-04-27 08:51:19 UTC
Red Hat Product Errata  RHBA-2023:2046  2023-04-27 08:51:27 UTC
Red Hat Product Errata  RHBA-2023:2047  2023-04-27 08:52:10 UTC
Red Hat Product Errata  RHBA-2023:2080  2023-05-02 09:35:20 UTC
Red Hat Product Errata  RHBA-2023:2081  2023-05-02 10:55:10 UTC
Red Hat Product Errata  RHBA-2023:2093  2023-05-03 11:08:45 UTC
Red Hat Product Errata  RHBA-2023:2117  2023-05-04 13:20:03 UTC
Red Hat Product Errata  RHBA-2023:3169  2023-05-17 10:42:21 UTC
Red Hat Product Errata  RHBA-2023:3170  2023-05-17 11:12:02 UTC
Red Hat Product Errata  RHBA-2023:3171  2023-05-17 10:52:59 UTC
Red Hat Product Errata  RHBA-2023:3377  2023-05-31 12:50:16 UTC
Red Hat Product Errata  RHSA-2023:1915  2023-04-20 13:26:35 UTC
Red Hat Product Errata  RHSA-2023:1930  2023-04-24 02:30:14 UTC
Red Hat Product Errata  RHSA-2023:1931  2023-04-24 02:57:23 UTC
Red Hat Product Errata  RHSA-2023:1958  2023-04-25 08:35:08 UTC
Red Hat Product Errata  RHSA-2023:2010  2023-04-25 14:50:36 UTC
Red Hat Product Errata  RHSA-2023:2074  2023-05-02 07:12:41 UTC
Red Hat Product Errata  RHSA-2023:3189  2023-05-17 15:24:04 UTC

Description Guilherme de Almeida Suckevicz 2023-03-21 17:48:34 UTC
org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.

Reference:
https://list.orgmode.org/tencent_04CF842704737012CCBCD63CD654DD41CA0A@qq.com/T/#m6ef8e7d34b25fe17b4cbb655b161edce18c6655e

Upstream patches:
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741

Comment 1 Guilherme de Almeida Suckevicz 2023-03-21 17:48:48 UTC
Created emacs tracking bugs for this issue:

Affects: fedora-all [bug 2180545]

Comment 5 errata-xmlrpc 2023-04-20 13:26:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1915 https://access.redhat.com/errata/RHSA-2023:1915

Comment 6 errata-xmlrpc 2023-04-24 02:30:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1930 https://access.redhat.com/errata/RHSA-2023:1930

Comment 7 errata-xmlrpc 2023-04-24 02:57:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1931 https://access.redhat.com/errata/RHSA-2023:1931

Comment 8 errata-xmlrpc 2023-04-25 08:35:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1958 https://access.redhat.com/errata/RHSA-2023:1958

Comment 9 errata-xmlrpc 2023-04-25 14:50:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:2010 https://access.redhat.com/errata/RHSA-2023:2010

Comment 10 errata-xmlrpc 2023-05-02 07:12:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2074 https://access.redhat.com/errata/RHSA-2023:2074

Comment 14 Wade Mealing 2023-05-10 05:26:24 UTC
This flaw is a bit of a stretch. The user executing the code has to inject the code and run the code, kinda like a shell almost.

If an attacker can make this:

  #+name: vul_test
  #+header: :file test;uname -a;.svg
  #+begin_src latex
  \LaTeX
  #+end_src

Then they can make this:

  #+name: wades_test
  #+begin_src sh :var x="reboot"
  $x
  #+end_src

or more specifically:

  #+name: wades_test
  #+begin_src sh
  rm -rf / && reboot 
  #+end_src

It may be unintended side effects, but org-babel is intended to execute code with side effects provided by the user. I use this every day.
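The `:file test;uname -a;.svg` header in the proof of concept above works because the file name, not the code block, ends up inside a string that is handed to the shell. The following Emacs Lisp is an added illustration written for this page: it is not code from ob-latex.el and not the upstream patch, and every `demo-` name is hypothetical. It shows the unquoted command string such a file name produces, the same command once each argument goes through `shell-quote-argument`, a variant that avoids `sh -c` altogether, and a small pre-check for file names that a shell would interpret.

```elisp
;; Added illustration for CVE-2023-28617: not code from ob-latex.el and not the
;; upstream fix.  `demo-' names are hypothetical.  `shell-command' runs its
;; argument through sh -c, so any metacharacter in a spliced file name is parsed
;; by the shell rather than treated as part of the name.

(defun demo-convert-command-unsafe (tex-file out-file)
  "Build `htlatex TEX-FILE && mv TEX.svg OUT-FILE' with raw file names.
OUT-FILE is parsed by the shell, so `;', `&&', `|' and `$(...)' take effect."
  (format "htlatex %s && mv %s %s"
          tex-file
          (concat (file-name-sans-extension tex-file) ".svg")
          out-file))

(defun demo-convert-command-safe (tex-file out-file)
  "Same command with every user-controlled argument wrapped by
`shell-quote-argument', so metacharacters stay inside one argument."
  (format "htlatex %s && mv %s %s"
          (shell-quote-argument tex-file)
          (shell-quote-argument (concat (file-name-sans-extension tex-file) ".svg"))
          (shell-quote-argument out-file)))

(defun demo-convert-no-shell (tex-file out-file)
  "Avoid the shell entirely: run htlatex with `call-process' (an argv, no sh -c)
and move the result with `rename-file'.  Returns htlatex's exit status."
  (let ((status (call-process "htlatex" nil nil nil tex-file)))
    (when (eq status 0)
      (rename-file (concat (file-name-sans-extension tex-file) ".svg") out-file t))
    status))

(defun demo-file-name-risky-p (name)
  "Return non-nil when NAME contains characters a POSIX shell would interpret.
The character class is the complement of what `shell-quote-argument' leaves
unescaped on POSIX systems, so it is a conservative pre-check for any code
path that still shells out."
  (string-match-p "[^-0-9a-zA-Z_./]" name))

;; Constructed input: the :file value from the proof of concept above.
(let ((tex-file "/tmp/ob-demo.tex")
      (out-file "test;uname -a;.svg"))
  (list (demo-file-name-risky-p out-file)
        (demo-convert-command-unsafe tex-file out-file)
        (demo-convert-command-safe tex-file out-file)))
```

On a POSIX system the unsafe string is `htlatex /tmp/ob-demo.tex && mv /tmp/ob-demo.svg test;uname -a;.svg`, which sh -c runs as three commands (the `mv`, then `uname -a`, then a command named `.svg`); the quoted string is `htlatex /tmp/ob-demo.tex && mv /tmp/ob-demo.svg test\;uname\ -a\;.svg`, a single `mv` to a path literally named `test;uname -a;.svg`. `demo-convert-no-shell` is the stronger shape of fix, since with `call-process` and `rename-file` there is no quoting rule that has to be right.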

Comment 15 Wade Mealing 2023-05-10 05:39:38 UTC
If you're really feeling the need to "not be vulnerable" to this flaw, disable org-babel's latex from loading with the command:

$ rpm -ql emacs | grep ob-latex

mv the file it references to a backup location; emacs should continue to work, albeit without org-babel latex support.

If org-mode / org-babel latex mode is required:

  Install a more recent version, please do it from [GNU ELPA] by
  running this command: `M-x package-install RET org RET'

See https://orgmode.org/install.html for more details.

Comment 16 Maya Rashish 2023-05-10 09:36:46 UTC
Hello,

Is it possible to label the package emacs-filesystem as not vulnerable?
That particular package creates a few directories and has no code.
It is installed very widely, creating noise about vulnerabilities in unrelated components.

For background, I am working on an openshift operator called "openshift virtualization".
Some of our containers use registry.redhat.io/rhel8/nginx-120 as a base image.
It installs just emacs-filesystem and no other emacs pieces.
There's a warning about our own containers that we are shipping RPMs with a known vulnerability.
Updating emacs-filesystem will affect our release timelines (nginx-120 is expected to release a version with an updated emacs-filesystem in a few days, but we'll be releasing too soon to use it).

Comment 17 Maya Rashish 2023-05-17 10:10:58 UTC
Ping - can emacs-filesystem be marked as not vulnerable?

Comment 18 errata-xmlrpc 2023-05-17 15:24:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:3189 https://access.redhat.com/errata/RHSA-2023:3189

Comment 19 Guilherme de Almeida Suckevicz 2023-05-17 18:31:22 UTC
In reply to comment #17:
> Ping - can emacs-filesystem be marked as not vulnerable?

Hi, we only add RPM source packages to the affected list, emacs-filesystem is a RPM binary package.

Thanks.

