Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulnerability.)

2023-05-12 Thread Ihor Radchenko
Max Nikulin writes:

>> But this patch literally fixed the problem. What else should we do?
>
> Do you really think that it was the last unsafe shell command in the Org
> code?

No, but I prefer concrete examples. The CVE you linked to refers to an already fixed bug.

>

Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulnerability.)

2023-05-11 Thread Max Nikulin
On 02/05/2023 18:21, Ihor Radchenko wrote:
> Max Nikulin writes:
>> I posted the links as a reminder that shell commands should be avoided
>> when possible (and it does not break TRAMP) and arguments should be
>> escaped otherwise.
>
> But this patch literally fixed the problem. What else should we do?

Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulnerability.)

2023-05-02 Thread Ihor Radchenko
Max Nikulin writes:

>> And we do not need to do anything about it, right?
>
> I posted the links as a reminder that shell commands should be avoided
> when possible (and it does not break TRAMP) and arguments should be
> escaped otherwise.

But this patch literally fixed the problem. What else

CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulnerability.)

2023-05-02 Thread Max Nikulin
On 01/05/2023 18:18, Ihor Radchenko wrote:
> Max Nikulin writes:
>> I just have noticed that it is tracked as a CVE record:
>>
>> https://www.cve.org/CVERecord?id=CVE-2023-28617
>> https://nvd.nist.gov/vuln/detail/CVE-2023-28617
>
> And we do not need to do anything about it, right?

I posted the links as a

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-05-01 Thread Ihor Radchenko
Max Nikulin writes:

> I just have noticed that it is tracked as a CVE record:
>
> https://www.cve.org/CVERecord?id=CVE-2023-28617
> https://nvd.nist.gov/vuln/detail/CVE-2023-28617

And we do not need to do anything about it, right?

-- 
Ihor Radchenko // yantar92, Org mode contributor, Learn

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-05-01 Thread Max Nikulin
On 12/03/2023 18:28, Ihor Radchenko wrote:
> lux writes:
>> Ok, I'll undo this part of the changes first, and repost patch.
>>
>> From b48784a16c5806694498f072ffdd98e5a3c144b5 Mon Sep 17 00:00:00 2001
>> From: Xi Lu
>> Date: Sat, 11 Mar 2023 18:53:37 +0800
>> Subject: [PATCH] * lisp/ob-latex.el: Fix command

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-12 Thread Ihor Radchenko
lux writes:

> Ok, I'll undo this part of the changes first, and repost patch.
>
> From b48784a16c5806694498f072ffdd98e5a3c144b5 Mon Sep 17 00:00:00 2001
> From: Xi Lu
> Date: Sat, 11 Mar 2023 18:53:37 +0800
> Subject: [PATCH] * lisp/ob-latex.el: Fix command injection vulnerability

Thanks!

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-11 Thread lux
On Sat, 2023-03-11 at 10:47 +, Ihor Radchenko wrote:
>
> I am afraid that we cannot make things universally safe here without
> breaking changes. The best way will be treating :cmd and similar header
> args as unsafe and include them into the planned safety prompt system we
> discussed in

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-11 Thread Ihor Radchenko
lux writes:

>> However, for example, (shell-quote-argument "-enhance -strip") will
>> return "-enhance\\ -strip", which is not what we want.
>>
>> Similar problem with other instances of `shell-command' in Org where
>> header args supply command line arguments. Like in :cmdline.
>>
>
> I think

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-10 Thread lux
On Thu, 2023-03-09 at 12:22 +, Ihor Radchenko wrote:
>
> im-in-options and im-out-options, according to
> https://orgmode.org/worg/org-contrib/babel/languages/ob-doc-LaTeX.html,
> are options passed to ImageMagick.
>
> However, for example, (shell-quote-argument "-enhance -strip") will
>

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-09 Thread Max Nikulin
On 09/03/2023 19:22, Ihor Radchenko wrote:
> lux writes:
>> Hi, this is a new patch, let me briefly explain this patch:

Thank you for scratching my itch related to unsafe shell commands in Org Mode.

>> 2. `org-babel-latex-convert-pdf' is not safe, simple test:
>> ...
>
> I am not sure if blindly

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-09 Thread Ihor Radchenko
lux writes:

> Hi, this is a new patch, let me briefly explain this patch:

Thanks!

> 2. `org-babel-latex-convert-pdf' is not safe, simple test:
>
> (org-babel-latex-convert-pdf ";id;.tex" ";uname;.pdf" "" "")
>
> So, add `shell-quote-argument' to each external parameter.

I am not sure if

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-08 Thread lux
On Tue, 2023-03-07 at 22:31 +0700, Max Nikulin wrote:
> On 06/03/2023 10:17, lux wrote:
> > On Sat, 2023-02-18 at 11:43 +, Ihor Radchenko wrote:
> > >
> > > I think should be (rename-file img-out out-file t)
> >
> > Fixed, thank you.
>
> There are a couple more mv shell commands in

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-07 Thread lux
On Tue, 2023-03-07 at 22:31 +0700, Max Nikulin wrote:
> There are a couple more mv shell commands in ob-latex.el. It would be
> nice to fix them as well. Sorry, I have not checked it earlier. Are you
> still interested in this topic? I hope, you already have examples that
> can be used to

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-07 Thread Max Nikulin
On 06/03/2023 10:17, lux wrote:
> On Sat, 2023-02-18 at 11:43 +, Ihor Radchenko wrote:
>> I think should be (rename-file img-out out-file t)
>
> Fixed, thank you.

There are a couple more mv shell commands in ob-latex.el. It would be nice to fix them as well. Sorry, I have not checked it

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-07 Thread Ihor Radchenko
Bastien Guerry writes:

> Hi,
>
> Ihor Radchenko writes:
>
>> Bastien, may you check the FSF records for Xi Lu?
>
> I confirm Xi Lu FSF assignment is in order.

Updated on Worg.
https://git.sr.ht/~bzg/worg/commit/e94905a7

-- 
Ihor Radchenko // yantar92, Org mode contributor, Learn more about

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-07 Thread Bastien Guerry
Hi,

Ihor Radchenko writes:

> Bastien, may you check the FSF records for Xi Lu?

I confirm Xi Lu FSF assignment is in order. Thanks for contributing!

-- 
Bastien Guerry

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-07 Thread Ihor Radchenko
lux writes:

>> (you don't seem to have FSF copyright
>> assignment).
>>
>
> Thank you :-)
>
> I have already signed a copyright assignment with Emacs, do I need to
> sign again with Org Mode?

No, you don't. Emacs assignment is sufficient.

Bastien, may you check the FSF records for Xi Lu?

--

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-07 Thread lux
On Tue, 2023-03-07 at 12:35 +, Ihor Radchenko wrote:
> lux writes:
>
> (you don't seem to have FSF copyright
> assignment).
>

Thank you :-)

I have already signed a copyright assignment with Emacs, do I need to sign again with Org Mode?

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-07 Thread Ihor Radchenko
lux writes:

>> I think should be (rename-file img-out out-file t)
>>
>
> Fixed, thank you.

Applied, onto bugfix.
I amended the commit message adding a link to this thread and a TINYCHANGE cookie (you don't seem to have FSF copyright assignment).

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-03-05 Thread lux
On Sat, 2023-02-18 at 11:43 +, Ihor Radchenko wrote:
> lux writes:
>
> > -  (shell-command (format "mv %s %s" img-out out-file)
> > +  (rename-file img-out out-file
>
> I think should be (rename-file img-out out-file t)
>

Fixed, thank you.

From

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-02-18 Thread lux
On Sat, 2023-02-18 at 11:43 +, Ihor Radchenko wrote:
> lux writes:
>
> > -  (shell-command (format "mv %s %s" img-out out-file)
> > +  (rename-file img-out out-file
>
> I think should be (rename-file img-out out-file t)
>

Yes, my patch changed it,

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-02-18 Thread Ihor Radchenko
lux writes:

> - (shell-command (format "mv %s %s" img-out out-file)
> + (rename-file img-out out-file

I think should be (rename-file img-out out-file t)

-- 
Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at .

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-02-18 Thread lux
On Sat, 2023-02-18 at 18:15 +0700, Max Nikulin wrote:
> On 18/02/2023 17:08, lux wrote:
> > -  (shell-command (format "mv %s %s" img-out out-file)
> > +  (shell-command (format "mv %s %s" (shell-quote-argument img-out) (shell-quote-argument out-file))
> >

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

2023-02-18 Thread Max Nikulin
On 18/02/2023 17:08, lux wrote:
> - (shell-command (format "mv %s %s" img-out out-file)
> + (shell-command (format "mv %s %s" (shell-quote-argument img-out) (shell-quote-argument out-file))

Thank you for the patch. Certainly it is an improvement. Is there any

[PATCH] Fix ob-latex.el command injection vulnerability.

2023-02-18 Thread lux
Test environment:
- Emacs 29.0.60
- Orgmode 9.6.1
- TeX Live 2020

Preconditions:
(org-babel-do-load-languages 'org-babel-load-languages '((latex . t)))

The vulnerability occurs in the file ob-latex.el, in the `org-babel-execute:latex' function, if the file's extension is .svg, using