emacs-orgmode

Re: [PATCH] Fix ob-latex.el command injection vulnerability.


From: Max Nikulin
Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
Date: Mon, 1 May 2023 17:56:05 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0

On 12/03/2023 18:28, Ihor Radchenko wrote:
> lux writes:
>
>> Ok, I'll undo this part of the changes first, and repost the patch.
>> From b48784a16c5806694498f072ffdd98e5a3c144b5 Mon Sep 17 00:00:00 2001
>> From: Xi Lu
>> Date: Sat, 11 Mar 2023 18:53:37 +0800
>> Subject: [PATCH] * lisp/ob-latex.el: Fix command injection vulnerability
>
> Applied, onto bugfix.
> https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea58

So the fix is included in org-mode-9.6.2.

I have just noticed that it is tracked as a CVE record:

https://www.cve.org/CVERecord?id=CVE-2023-28617
https://nvd.nist.gov/vuln/detail/CVE-2023-28617

CVE-2023-28617
org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.

Base Score:  7.8 HIGH
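The CVE text above names the bug class but not its shape. The following is an added illustration written for this archive page; it is not the code of ob-latex.el, nor the change in commit a8006ea58, and the `my-` functions and the file name `my-evil-file` are hypothetical. It shows a Babel-style backend handing a file name to an external tool through a shell, first interpolated verbatim, then quoted with `shell-quote-argument`, and finally passed as an argument list so that no shell parses the name at all. `echo` stands in for a converter such as `convert` or `pdflatex` so the example is harmless to evaluate.

```elisp
;; Added example, not from ob-latex.el or the org-mode fix.  All
;; `my-' names are hypothetical.

(defun my-build-cmd-unsafe (file)
  "Build a shell command line with FILE interpolated verbatim.
Any shell metacharacter in FILE is interpreted by the shell, which is
the pattern behind CVE-2023-28617.  `echo' stands in for the real tool."
  (format "echo processing %s" file))

(defun my-build-cmd-quoted (file)
  "Same command line, with FILE quoted for the current shell.
`shell-quote-argument' backslash-escapes (or, on Windows, double-quotes)
the characters the shell would otherwise treat specially."
  (format "echo processing %s" (shell-quote-argument file)))

(defun my-run-via-shell (cmd)
  "Run CMD through the user's shell and return its output as a string."
  (shell-command-to-string cmd))

(defun my-run-without-shell (file)
  "Run the tool with an explicit argument list, bypassing the shell.
FILE reaches the program as a single argv entry, so quoting is moot.
Returns the program's output as a string."
  (with-output-to-string
    (call-process "echo" nil standard-output nil "processing" file)))

;; Constructed file name containing shell metacharacters: the `;'
;; terminates the first command and starts a second one.
(defconst my-evil-file "fig.pdf; echo INJECTED"
  "Hypothetical attacker-controlled file name.")

(defun my-demo ()
  "Return the output of all three variants for side-by-side comparison."
  (list (my-run-via-shell (my-build-cmd-unsafe my-evil-file))
        (my-run-via-shell (my-build-cmd-quoted my-evil-file))
        (my-run-without-shell my-evil-file)))
```

Evaluate `(my-demo)` in `*scratch*`: only the first element contains `INJECTED` on a line of its own, because the shell ran `echo INJECTED` as a separate command; in the other two the whole file name is delivered to the program as literal text. Of the two defences, `call-process` with an argument list is the stronger one, since it removes the shell from the path entirely; `shell-quote-argument` is the right tool when a shell is unavoidable (for example when the command line is itself user-configurable). Installations on Org 9.6.1 or earlier are in the affected range given in the CVE description; 9.6.2 carries the fix.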