Re: [POLL] Bug or Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5)

2024-06-28 Thread Steven Allen
Ihor Radchenko  writes:

> Ihor Radchenko  writes:
>
>> I just released Org mode 9.7.5 that fixes a critical vulnerability.
>> The release is coordinated with emergency Emacs 29.4 release.
>
> This one is another potential issue (or a feature) we have found while
> discussing the main vulnerability.
>
> Currently, one can create an Org file like
>
> #+LINK: https https://fake-gmail-login-page.xyz/
> [[https://gmail.com]]

This is no different from:

[[https://fake-gmail-login-page.xyz][https://gmail.com]]

In both cases, mousing over the link will show you the actual target address.

On the other hand, having different faces for "plain" links (links where
the text in the buffer matches the link target) and special links would
be kind of nice.



[POLL] Bug or Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5)

2024-06-28 Thread Ihor Radchenko
Ihor Radchenko  writes:

> I just released Org mode 9.7.5 that fixes a critical vulnerability.
> The release is coordinated with emergency Emacs 29.4 release.

This one is another potential issue (or a feature) we have found while
discussing the main vulnerability.

Currently, one can create an Org file like

#+LINK: https https://fake-gmail-login-page.xyz/
[[https://gmail.com]]

And the "https" link will actually be expanded according to the
abbreviation.  In other words, abbreviations take priority over the link
types in Org mode.

As illustrated above, one can try to trick a user into clicking the above
"gmail" link, redirecting to a completely different page instead.

On the other hand, I can totally see people making use of the current
behavior to have custom filters for existing link types. For example, to
redirect to archive.org when opening web links.

I am inclined to call this a feature, and leave the current behavior
unchanged, but would like to hear from others first.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 
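One way to surface the shadowing described in the poll on the defending side, as an added example that is not from the thread or from Org itself: the `my/` function names are the example's own, and it relies on the Org API functions `org-collect-keywords`, `org-link-types` and `org-display-warning`.

```elisp
;; Added example (not part of the thread or of Org): report #+LINK:
;; abbreviations in the current buffer whose name collides with a
;; registered link type such as "https".  Because abbreviations take
;; priority over link types, [[https://...]] would then be expanded by
;; the abbreviation rather than opened as a plain URL.
(require 'org)
(require 'ol)

(defun my/org-link-abbrev-shadowing-types ()
  "Return an alist (ABBREV . TARGET) of #+LINK: keywords in the current
Org buffer whose ABBREV names a registered link type."
  (let ((types (org-link-types))   ; e.g. ("https" "http" "file" ...)
        result)
    ;; `org-collect-keywords' returns (("LINK" VALUE ...)) for the buffer.
    (dolist (kw (cdr (assoc "LINK" (org-collect-keywords '("LINK")))))
      ;; A #+LINK: value has the form "ABBREV TARGET".
      (when (string-match "\\`\\([^ \t]+\\)[ \t]+\\(.+\\)\\'" kw)
        (let ((abbrev (match-string 1 kw))
              (target (match-string 2 kw)))
          (when (member abbrev types)
            (push (cons abbrev target) result)))))
    (nreverse result)))

(defun my/org-warn-about-shadowing-link-abbrevs ()
  "Warn when the current buffer defines #+LINK: abbrevs that shadow
built-in link types.  Intended for `org-mode-hook'."
  (dolist (pair (my/org-link-abbrev-shadowing-types))
    (org-display-warning
     (format "#+LINK: %s shadows a built-in link type and expands to %s"
             (car pair) (cdr pair)))))

;; Run the check every time an Org buffer is opened.
(add-hook 'org-mode-hook #'my/org-warn-about-shadowing-link-abbrevs)
```

With the file from the poll (`#+LINK: https https://fake-gmail-login-page.xyz/`), opening it produces a warning naming the shadowed `https` type and the target it redirects to.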



[POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec (was: [ANN] Emergency bugfix release: Org mode 9.7.5)

2024-06-28 Thread Ihor Radchenko
Dear all,

> I just released Org mode 9.7.5 that fixes a critical vulnerability.
> The release is coordinated with emergency Emacs 29.4 release.
> ...
> The vulnerability involves arbitrary Shell code evaluation...

In view of the recent vulnerability, we are considering removing the
offending feature completely.

For the time being, we restricted %(function) constructs in #+LINK:
... lines to (1) pure functions (no side effects, no access to global
state); (2) functions explicitly marked by the user.

However, while discussing how to approach the vulnerability, we did not
find many examples of using #+LINK: label %(function) in the wild.

If you are actively using #+LINK: keywords with %(...) placeholders or
have any objections to this feature removal, please let us know.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 



Assigned: CVE-2024-39331 (was: [ANN] Emergency bugfix release: Org mode 9.7.5)

2024-06-24 Thread Ihor Radchenko
Ihor Radchenko  writes:

> emacs-orgm...@city17.xyz writes:
>
>> Will a CVE be released?
>
> Should be, I think.
> If nobody reports it independently by tomorrow, I will look into how to
> request a CVE number myself.

https://www.cve.org/CVERecord?id=CVE-2024-39331

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 



Re: [ANN] Emergency bugfix release: Org mode 9.7.5

2024-06-24 Thread Bastien Guerry
Ihor Radchenko  writes:

> I just released Org mode 9.7.5 that fixes a critical vulnerability.
> The release is coordinated with emergency Emacs 29.4 release.

Thank you a lot for your diligent and careful work on this!

-- 
 Bastien Guerry



Re: [ANN] Emergency bugfix release: Org mode 9.7.5

2024-06-22 Thread Steven Allen
Greg Troxel  writes:

> (Thanks for fixing and your efforts on org.  I've been an org user since
> at least July of 2010.)
>
> Just to be clear, is this the commit that needs applying to emacs
> sources, 29.3, 28.x, and so on?

Yes, that's the correct commit.

> It seems so, but I would rather not guess. I'm asking on behalf of
> pkgsrc, where I am managing the release process for our 2024Q2 branch,
> due on 30 June. Believe it or not we have 20, 21, 26, 27, 28, 29 and a
> from-git version. While some should be pruned, some people use it on
> vaxes. Any idea how far back this goes?

It was introduced in org 7.9 (commit [1] from July of 2012). From what I
can tell, it has been present in Emacs since emacs-24.2.

[1]: ef3d4b5965b828e85a535ef3f32999473c6a2a7a 

>
> Thanks,
> Greg
>
> commit f4cc61636947b5c2f0afc67174dd369fe3277aa8
> Author: Ihor Radchenko 
> Date:   Tue Jun 18 13:06:44 2024 +0200
>
> org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
> 
> * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
> abbrevs that specify unsafe function.  Instead, display a warning, and
> do not expand the abbrev.  Clear all the text properties from the
> returned link, to avoid any potential vulnerabilities caused by
> properties that may contain arbitrary Elisp.
>
> diff --git a/lisp/ol.el b/lisp/ol.el
> index 7a7f4f558..8a556c7b9 100644
> --- a/lisp/ol.el
> +++ b/lisp/ol.el
> @@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
>(if (not as)
> link
>   (setq rpl (cdr as))
> - (cond
> -  ((symbolp rpl) (funcall rpl tag))
> -  ((string-match "%(\\([^)]+\\))" rpl)
> -   (replace-match
> -(save-match-data
> -  (funcall (intern-soft (match-string 1 rpl)) tag))
> -t t rpl))
> -  ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
> -  ((string-match "%h" rpl)
> -   (replace-match (url-hexify-string (or tag "")) t t rpl))
> -  (t (concat rpl tag)))
> +;; Drop any potentially dangerous text properties like
> +;; `modification-hooks' that may be used as an attack vector.
> +(substring-no-properties
> +  (cond
> +   ((symbolp rpl) (funcall rpl tag))
> +   ((string-match "%(\\([^)]+\\))" rpl)
> +   (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl
> + ;; Using `unsafep-function' is not quite enough because
> + ;; Emacs considers functions like `genenv' safe, while
> + ;; they can potentially be used to expose private system
> + ;; data to attacker if abbreviated link is clicked.
> + (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
> + (eq t (get rpl-fun-symbol 'pure)))
> + (replace-match
> +   (save-match-data
> + (funcall (intern-soft (match-string 1 rpl)) tag))
> +   t t rpl)
> +   (org-display-warning
> +(format "Disabling unsafe link abbrev: %s
> +You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
> +rpl (match-string 1 rpl)))
> +   (setq org-link-abbrev-alist-local (delete as 
> org-link-abbrev-alist-local)
> + org-link-abbrev-alist (delete as org-link-abbrev-alist))
> +   link
> +)))
> +   ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
> +   ((string-match "%h" rpl)
> +(replace-match (url-hexify-string (or tag "")) t t rpl))
> +   (t (concat rpl tag
>  
>  (defun org-link-open (link  arg)
>"Open a link object LINK.
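Review bot: in the `%(...)` branch, the `funcall` line re-evaluates `(intern-soft (match-string 1 rpl))` even though `rpl-fun-symbol` is already bound to that value in the enclosing `let`; calling `rpl-fun-symbol` directly keeps the safety check and the call on the same symbol and avoids the duplicated lookup. The comment above the `if` says `genenv` where it means `getenv`. The `setq` that deletes the abbrev from the global `org-link-abbrev-alist` as well as from `org-link-abbrev-alist-local` changes the user's configuration as a side effect of visiting a file; that deserves a sentence in the commit message and, ideally, in the warning text.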



Re: [ANN] Emergency bugfix release: Org mode 9.7.5

2024-06-22 Thread Greg Troxel
(Thanks for fixing and your efforts on org.  I've been an org user since
at least July of 2010.)

Just to be clear, is this the commit that needs applying to emacs
sources, 29.3, 28.x, and so on?  It seems so, but I would rather not
guess.  I'm asking on behalf of pkgsrc, where I am managing the release
process for our 2024Q2 branch, due on 30 June.  Believe it or not we
have 20, 21, 26, 27, 28, 29 and a from-git version.  While some should
be pruned, some people use it on vaxes.   Any idea how far back this
goes?

Thanks,
Greg

commit f4cc61636947b5c2f0afc67174dd369fe3277aa8
Author: Ihor Radchenko 
Date:   Tue Jun 18 13:06:44 2024 +0200

org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code

* lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
abbrevs that specify unsafe function.  Instead, display a warning, and
do not expand the abbrev.  Clear all the text properties from the
returned link, to avoid any potential vulnerabilities caused by
properties that may contain arbitrary Elisp.

diff --git a/lisp/ol.el b/lisp/ol.el
index 7a7f4f558..8a556c7b9 100644
--- a/lisp/ol.el
+++ b/lisp/ol.el
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
   (if (not as)
  link
(setq rpl (cdr as))
-   (cond
-((symbolp rpl) (funcall rpl tag))
-((string-match "%(\\([^)]+\\))" rpl)
- (replace-match
-  (save-match-data
-(funcall (intern-soft (match-string 1 rpl)) tag))
-  t t rpl))
-((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
-((string-match "%h" rpl)
- (replace-match (url-hexify-string (or tag "")) t t rpl))
-(t (concat rpl tag)))
+;; Drop any potentially dangerous text properties like
+;; `modification-hooks' that may be used as an attack vector.
+(substring-no-properties
+(cond
+ ((symbolp rpl) (funcall rpl tag))
+ ((string-match "%(\\([^)]+\\))" rpl)
+   (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl
+ ;; Using `unsafep-function' is not quite enough because
+ ;; Emacs considers functions like `genenv' safe, while
+ ;; they can potentially be used to expose private system
+ ;; data to attacker if abbreviated link is clicked.
+ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
+ (eq t (get rpl-fun-symbol 'pure)))
+ (replace-match
+ (save-match-data
+   (funcall (intern-soft (match-string 1 rpl)) tag))
+ t t rpl)
+   (org-display-warning
+(format "Disabling unsafe link abbrev: %s
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
+rpl (match-string 1 rpl)))
+   (setq org-link-abbrev-alist-local (delete as 
org-link-abbrev-alist-local)
+ org-link-abbrev-alist (delete as org-link-abbrev-alist))
+   link
+  )))
+ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+ ((string-match "%h" rpl)
+  (replace-match (url-hexify-string (or tag "")) t t rpl))
+ (t (concat rpl tag
 
 (defun org-link-open (link  arg)
   "Open a link object LINK.



Re: [ANN] Emergency bugfix release: Org mode 9.7.5

2024-06-22 Thread Ihor Radchenko
emacs-orgm...@city17.xyz writes:

> Will a CVE be released?

Should be, I think.
If nobody reports it independently by tomorrow, I will look into how to
request a CVE number myself.

> ... I am interested if there are mitigating factors
> such as using `emacs -nw` (without GUI), thus no possible preview of the
> attachments (IIUC).

AFAIK, previewing attachments is not disabled by "no GUI" - preview in
this context simply means fontification using major mode of the attached
files.

To disable email previews, see `mm-inline-media-tests'.

Note that you cannot easily work around the problem when opening an
actual Org file. You would either have to advise the problematic Org
function, or cherry-pick the relevant commit from the release.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 



Re: [ANN] Emergency bugfix release: Org mode 9.7.5

2024-06-22 Thread emacs-orgmode
Ihor Radchenko  writes:

> I just released Org mode 9.7.5 that fixes a critical vulnerability.
> The release is coordinated with emergency Emacs 29.4 release.

Thanks for the release and the announcement.

Will a CVE be released? I am interested if there are mitigating factors
such as using `emacs -nw` (without GUI), thus no possible preview of the
attachments (IIUC).

Best,



Re: [ANN] Emergency bugfix release: Org mode 9.7.5

2024-06-22 Thread Ihor Radchenko
Ihor Radchenko  writes:

> Please upgrade your Org mode *and* Emacs ASAP.

*Org mode or Emacs.

The fix is purely in Org code, so upgrading Emacs is only needed when
you want to use built-in Org mode.

Otherwise, it is enough to upgrade Org mode via ELPA (the tarball will
be available soon, after ELPA scripts fetch the latest release tag).

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 



[ANN] Emergency bugfix release: Org mode 9.7.5

2024-06-22 Thread Ihor Radchenko
Dear all,

I just released Org mode 9.7.5 that fixes a critical vulnerability.
The release is coordinated with emergency Emacs 29.4 release.

Please upgrade your Org mode *and* Emacs ASAP.

The vulnerability involves arbitrary Shell code evaluation when
previewing attachments in Emacs MUA (gnus-based: at least, mu4e,
Notmuch, Gnus itself) or when opening third-party Org files. All the
earlier versions of Org mode are affected.

Note that the vulnerability solved in this release has nothing to do
with the recent Org 9.6.23 release
(https://list.orgmode.org/871q7zbldp.fsf@localhost/). It has existed
for a long time and was discovered by accident.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at