
Bug#1033341: org-mode: CVE-2023-28617


Salvatore Bonaccorso

Mar 22, 2023, 5:50:06 PM
Source: org-mode
Version: 9.5.2+dfsh-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:emacs 1:28.2+1-13
Control: retitle -2 emacs: CVE-2023-28617

Hi,

The following vulnerability was published for org-mode (and emacs,
will close this bug).

CVE-2023-28617[0]:
| org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
| GNU Emacs allows attackers to execute arbitrary commands via a file
| name or directory name that contains shell metacharacters.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28617
https://www.cve.org/CVERecord?id=CVE-2023-28617

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
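
As an added illustration of the pattern the CVE text above describes (this is not code from ob-latex.el or from anyone in this thread), the contrast between a file name interpolated unquoted into a shell command string and the same name passed through Emacs's `shell-quote-argument`; it assumes a POSIX shell, and the `demo-` function names and the sample file name are constructed for the example.

```elisp
;; Added illustration, not ob-latex.el source.  Function names and the
;; sample file name are constructed for this example; POSIX quoting assumed.

(defun demo-unsafe-latex-command (tex-file)
  "Build a shell command by plain interpolation of TEX-FILE.
Shell metacharacters in TEX-FILE are interpreted by the shell, so a
name containing \";\" is parsed as a second command.  Vulnerable pattern."
  (format "pdflatex -interaction nonstopmode %s" tex-file))

(defun demo-safe-latex-command (tex-file)
  "Build the same command with TEX-FILE passed through `shell-quote-argument'.
The whole name, metacharacters included, reaches pdflatex as one argument."
  (format "pdflatex -interaction nonstopmode %s"
          (shell-quote-argument tex-file)))

(defun demo-command-safe-p (command)
  "Return non-nil when COMMAND contains no unescaped \";\".
Coarse check, used only to make the difference visible in this example."
  (not (string-match-p "\\(^\\|[^\\\\]\\);" command)))

;; Constructed sample: a file name carrying shell metacharacters.
(let ((name "report.tex; echo injected"))
  (list (demo-unsafe-latex-command name)
        (demo-command-safe-p (demo-unsafe-latex-command name))
        (demo-safe-latex-command name)
        (demo-command-safe-p (demo-safe-latex-command name))))
```

Evaluating the `let` form in Emacs shows the unsafe string failing the check and the quoted one passing it, which is the property a fix for this class of bug needs to hold for every path and directory name it hands to the shell.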

Nicholas D Steeves

Jun 3, 2023, 10:10:06 PM
fixed 1033341 org/mode/9.5.2+dfsh-5
fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
thanks

Dear Salvatore and Security Team,

Salvatore Bonaccorso <car...@debian.org> writes:

> Source: org-mode
> Version: 9.5.2+dfsh-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>
> Control: clone -1 -2
> Control: reassign -2 src:emacs 1:28.2+1-13
> Control: retitle -2 emacs: CVE-2023-28617
>
> Hi,
>
> The following vulnerability was published for org-mode (and emacs,
> will close this bug).
>
> CVE-2023-28617[0]:
> | org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
> | GNU Emacs allows attackers to execute arbitrary commands via a file
> | name or directory name that contains shell metacharacters.

All lisp files were dropped in org-mode/9.5.2+dfsh-5, and so this CVE is
fixed there; however, unfortunately this bug was not closed from that
changelog entry.

This CVE is also not present in the 9.6.6+dfsg-1~exp1 that I just
uploaded to experimental, but to be honest I forgot about this bug when
uploading, and so I forgot to close this bug from the changelog as
instructed. Sorry.

What is the correct way to proceed now?

Regards,
Nicholas

Salvatore Bonaccorso

Jun 4, 2023, 1:40:07 AM
Hi,

On Sat, Jun 03, 2023 at 10:02:43PM -0400, Nicholas D Steeves wrote:
> fixed 1033341 org/mode/9.5.2+dfsh-5
> fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
> thanks
>
> Dear Salvatore and Security Team,
>
> Salvatore Bonaccorso <car...@debian.org> writes:
>
> > Source: org-mode
> > Version: 9.5.2+dfsh-4
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>
> > Control: clone -1 -2
> > Control: reassign -2 src:emacs 1:28.2+1-13
> > Control: retitle -2 emacs: CVE-2023-28617
> >
> > Hi,
> >
> > The following vulnerability was published for org-mode (and emacs,
> > will close this bug).
> >
> > CVE-2023-28617[0]:
> > | org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for
> > | GNU Emacs allows attackers to execute arbitrary commands via a file
> > | name or directory name that contains shell metacharacters.
>
> All lisp files were dropped in org-mode/9.5.2+dfsh-5, and so this CVE is
> fixed there; however, unfortunately this bug was not closed from that
> changelog entry.

While this technically would be a case for unimportant severity in
sec-tracker, we cannot do it per suite. So I went ahead marking it as
fixed with org-mode/9.5.2+dfsh-5 but adding a note explaining why we
did so.

> This CVE is also not present in the 9.6.6+dfsg-1~exp1 that I just
> uploaded to experimental, but to be honest I forgot about this bug when
> uploading, and so I forgot to close this bug from the changelog as
> instructed. Sorry.
>
> What is the correct way to proceed now?

All information updated in the tracker. For bullseye you might consider
proposing a fix via the upcoming bullseye point release (no DSA is
needed for this issue).

Regards,
Salvatore

David Bremner

Jun 4, 2023, 7:50:05 AM
Nicholas D Steeves <st...@debian.org> writes:

> fixed 1033341 org/mode/9.5.2+dfsh-5
> fixed 1033341 org-mode/9.6.6+dfsg-1~exp1
> thanks

Are you sure about that? It depends on emacs 28.2, which afaik has the
vulnerable org-mode embedded. I guess it's a question of interpretation,
but the vulnerability is still there after installing the package.

d

Salvatore Bonaccorso

Jun 4, 2023, 8:40:05 AM
Hi David,
For src:emacs the respective bug is in #1033342.

But this is why I as well mentioned that for org-mode this technically
would need a per suite "unimportant" tracking in the security-tracker
(as the source is still affected up to < 9.6.6+dfsg-1~exp1, but not the
resulting binary packages).

Looking at https://security-tracker.debian.org/tracker/CVE-2023-28617
I think we should be fine for bookworm already, correct?

(For bullseye the issue is no-dsa and could be fixed with respective
updates in a point release).

Regards,
Salvatore

David Bremner

Jun 4, 2023, 3:10:04 PM
Salvatore Bonaccorso <car...@debian.org> writes:

>
> Looking at https://security-tracker.debian.org/tracker/CVE-2023-28617
> I think we should be fine for bookworm already, correct?

Yes, I think what is there makes sense, given the constraints of
expressing a weird situation.

d

Nicholas D Steeves

Jun 12, 2023, 8:01:21 PM
Wasn't the fix in emacs 1:28.2+1-14 two months ago? Meanwhile the new
empty org-mode 9.5.2+dfsh-5 won't be able to shadow the (fixed) bundled
copy. Thanks again for that work!

This was also in bullseye in emacs 26.1+1-3.2+deb10u4

After uploading to bullseye-updates I'll upload 9.6.6 to unstable.

I'd rather let someone else take care of buster, if we're still
supporting it.

Regards,
Nicholas