
Bug#1037175: marked as done (bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1)



Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1037175,
regarding bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1037175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037175
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2023-28617
Bug #1033341

latex in ob-latex.el in Org Mode (≤9.6.1) allows attackers to execute
arbitrary commands via a file name or directory name that contains
shell metacharacters.

At this time, org-mode 9.1.14+dfsg-3 in buster continues to be
affected.  Bullseye's copy of Emacs also has a bundled version that is
affected, and I'm willing to patch that copy too.  Elpa-org-mode is a
modular add-on that upgrades and shadows that copy, by the way, so
the CVE should be fixed here first.

[ Impact ]
Security risk that is worth the effort to fix.  Emacs has no
sandboxing...  Carnil asked me to "consider proposing a fix via the
upcoming bullseye point release" (#1033341), so here I am!

[ Tests ]
For the version of src:org-mode, in bullseye, manual testing; however,
the same fix has been tested in the bundled copy of Org-mode that
is part of Emacs in bookworm.  This fix has seen two months of testing.

[ Risks ]
It's a trivial and fairly obvious fix that was discussed upstream here:
https://list.orgmode.org/tencent_04CF842704737012CCBCD63CD654DD41CA0A@qq.com/T/#m6ef8e7d34b25fe17b4cbb655b161edce18c6655e?cve=title

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A cherry picked patch that has been tested in bookworm for two months,
an update to the series file, and a changelog entry.  The patch
replaces calls to the external "mv" command with Emacs internal
function "rename-file", which has been in active use since the '80s.


Thank you for all the work that you are doing for bookworm!
Regards,
Nicholas
diff -Nru org-mode-9.4.0+dfsg/debian/changelog org-mode-9.4.0+dfsg/debian/changelog
--- org-mode-9.4.0+dfsg/debian/changelog	2020-09-24 10:07:33.000000000 -0400
+++ org-mode-9.4.0+dfsg/debian/changelog	2023-06-04 13:26:52.000000000 -0400
@@ -1,3 +1,12 @@
+org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium
+
+  * Fix Org Mode command injection vulnerability CVE-2023-28617 by backporting
+    0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs
+    did (Closes: #1033341).  Thanks to Rob Browning's work in that package,
+    fixing org-mode was trivially easy!
+
+ -- Nicholas D Steeves <sten@debian.org>  Sun, 04 Jun 2023 13:26:52 -0400
+
 org-mode (9.4.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 9.4.0+dfsg
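Review bot: the new changelog entry targets `bullseye-security` (`org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium`), but this is a bullseye-pu request that goes through the point release rather than the security archive, so the distribution field should read `bullseye`; the release team will otherwise ask for a re-upload. The `+deb11u1` version suffix is correct for a stable update either way, and the `Closes: #1033341` reference matches the bug cited in the request.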
diff -Nru org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
--- org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch	1969-12-31 19:00:00.000000000 -0500
+++ org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch	2023-06-04 03:17:12.000000000 -0400
@@ -0,0 +1,51 @@
+From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 11 Mar 2023 18:53:37 +0800
+Subject: Fix command injection vulnerability CVE-2023-28617
+
+https://security-tracker.debian.org/tracker/CVE-2023-28617
+
+Trivially backport the following upstream patch like emacs-1:28.2+1-15 did:
+
+  * lisp/ob-latex.el: Fix command injection vulnerability
+
+  (org-babel-execute:latex):
+  Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
+
+  TINYCHANGE
+
+The second patch of the series does not appear to needed by Org-mode 9.4.0.
+
+Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
+Bug-Debian: https://bugs.debian.org/1033341
+---
+ lisp/ob-latex.el | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
+index 4b343dd..704ae4e 100644
+--- a/lisp/ob-latex.el
++++ b/lisp/ob-latex.el
+@@ -152,17 +152,14 @@ This function is called by `org-babel-execute-src-block'."
+ 	    (if (string-suffix-p ".svg" out-file)
+ 		(progn
+ 		  (shell-command "pwd")
+-		  (shell-command (format "mv %s %s"
+-					 (concat (file-name-sans-extension tex-file) "-1.svg")
+-					 out-file)))
++      (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
++                   out-file t))
+ 	      (error "SVG file produced but HTML file requested")))
+ 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
+ 	    (if (string-suffix-p ".html" out-file)
+-		(shell-command "mv %s %s"
+-			       (concat (file-name-sans-extension tex-file)
+-				       ".html")
+-			       out-file)
+-	      (error "HTML file produced but SVG file requested")))))
++          (rename-file (concat (file-name-sans-extension tex-file) ".html")
++                             out-file t)
++        (error "HTML file produced but SVG file requested")))))
+ 	 ((or (string= "pdf" extension) imagemagick)
+ 	  (with-temp-file tex-file
+ 	    (require 'ox-latex)
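Review bot: the added `rename-file` lines are indented with spaces while the surrounding ob-latex.el code (the `(if (string-suffix-p ".svg" out-file)` and `(error ...)` lines kept as context) is tab-indented, so the new calls sit at the wrong visual depth; re-indenting the region before committing would keep the file consistent. Two things worth a sentence in the patch description: the removed HTML branch passed `"mv %s %s"` straight to `shell-command` without a `format` call, so the shell received the literal `%s` and that rename never worked, which the new code fixes as a side effect; and the `(shell-command "pwd")` left directly above the SVG rename is debugging residue that still spawns a shell, harmless because it receives no document-controlled data, but worth dropping in a follow-up. Passing `t` as the third argument to `rename-file` keeps `mv`'s overwrite-if-exists behaviour for `out-file`, so that part is a faithful replacement. Minor: "does not appear to needed" in the header is missing "be".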
diff -Nru org-mode-9.4.0+dfsg/debian/patches/series org-mode-9.4.0+dfsg/debian/patches/series
--- org-mode-9.4.0+dfsg/debian/patches/series	2020-09-24 10:07:33.000000000 -0400
+++ org-mode-9.4.0+dfsg/debian/patches/series	2023-06-04 03:19:47.000000000 -0400
@@ -1,4 +1,4 @@
 10-shebang.patch
 #20-links-unescaping.patch
 30-local-mk.patch
-
+0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
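Review bot: the new entry is named `0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch` while the existing series uses the `10-`, `20-`, `30-` numbering, so a name-sorted listing of debian/patches no longer matches application order; renaming it to follow the existing scheme (and updating the changelog reference accordingly) would keep the convention. Dropping the trailing blank line is fine, quilt ignores empty series entries.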

--- End Message ---
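The debdiff above removes a `(format "mv %s %s" ...)` string that was handed to `shell-command`, which Emacs runs through `sh -c`. As an added illustration that is not part of the message, the patch or Org Mode itself, the following POSIX shell script reproduces the injection class in the shell that `shell-command` actually invokes, using a constructed hostile file name and a `touch injected` marker as the payload (both are assumptions made for the demo, not anything from the CVE report), and sets it beside the hardened form that passes the name as a single quoted argument, which is what the in-process `rename-file` achieves without involving a shell at all.

```shell
#!/bin/sh
# Added illustration (not Org Mode code and not part of the Debian patch):
# the injection class behind CVE-2023-28617, reproduced at the shell level.
# Emacs' `shell-command' runs its argument through "sh -c", so a file name
# interpolated into (format "mv %s %s" src dst) is parsed by the shell.
#
# The file names and the "injected" marker below are constructed for the demo.

# Vulnerable pattern: the file name is spliced into a command string that a
# shell then parses.  Returns 0 when the payload carried in the name ran
# (the marker file appeared), 1 otherwise, 2 if the scratch dir failed.
vulnerable_mv() {
  work=$(mktemp -d) || return 2
  name='doc-1.svg; touch injected'      # constructed hostile file name
  : > "$work/doc-1.svg"
  # Equivalent of (shell-command (format "mv %s %s" name "out.svg")).
  # The shell sees:   mv doc-1.svg; touch injected out.svg
  ( cd "$work" && sh -c "mv $name out.svg" ) >/dev/null 2>&1 || true
  if [ -e "$work/injected" ]; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Hardened pattern: never hand the name to a shell for re-parsing.  Calling
# mv directly with a quoted argument (the shell-side equivalent of Emacs'
# `rename-file', which renames in-process) treats the whole string as one
# path.  Returns 0 when the rename happened and nothing else ran.
safe_mv() {
  work=$(mktemp -d) || return 2
  name='doc-1.svg; touch injected'      # same constructed hostile file name
  : > "$work/$name"
  ( cd "$work" && mv -- "$name" out.svg ) || { rm -rf "$work"; return 1; }
  if [ -e "$work/out.svg" ] && [ ! -e "$work/injected" ]; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Stand-alone run: report what each pattern did.
if vulnerable_mv; then echo "unquoted interpolation: payload executed"; fi
if safe_mv;       then echo "quoted argument:        plain rename only"; fi
```

Both operands in the removed code came from the document (`tex-file` and the `:file` header argument `out-file`), so an untrusted Org file controlled the whole command line. Where a shell genuinely cannot be avoided in Elisp, `shell-quote-argument` exists for exactly this purpose; for a rename, `rename-file` removes the shell from the picture entirely, which is the route the patch takes.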
--- Begin Message ---
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam

--- End Message ---