On Sun, 23 Jun 2024 18:16:27 +0200 Salvatore Bonaccorso wrote:
https://www.openwall.com/lists/oss-security/2024/06/23/1
Upstream fix (in org-mode);
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8
Will the fix be backported to bookworm emacs-28 package? The change is
local, so risk of unexpected consequences due to the patch should be low.
Severity of the vulnerability should not be lower than for
https://nvd.nist.gov/vuln/detail/CVE-2023-28617
Base Score: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
However to exploit that vulnerability a user must invoke an inherently
insecure action. In the case of CVE-2024-39331 it is enough to open a
crafted file or a mail message.
I am surprised by a conclusion for
https://security-tracker.debian.org/tracker/CVE-2024-30202
[bookworm] - emacs <no-dsa> (Minor issue, will be fixed via point release)
that is arbitrary code execution on opening a file or a mail message as
well.
A file may have an almost arbitrary suffix, e.g. a valid python code, so
activation of Org mode may be unexpected for a user opening some file:
cve-2024-39331.py
---- 8< ----
#!/usr/bin/env python3
# -*- mode: org; -*-
#+link: vuln %(shell-command)
"[[vuln:emacs -Q]]"
#+begin_src python
if __name__ == '__main__':
print("Hello, Org!")
#+end_src
---- >8 ----
It should launch another emacs instance.
I expect that this message is enough to demonstrate the issue since
Gnus calls Org mode preview for any "#+keyword:" and next line in a
text/plain message.
#+link: vuln %(shell-command)
[[vuln:emacs -Q]]
