[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vu
|
From: |
Ihor Radchenko |
|
Subject: |
Re: CVE-2023-28617 (was Re: [PATCH] Fix ob-latex.el command injection vulnerability.) |
|
Date: |
Tue, 02 May 2023 11:21:50 +0000 |
Max Nikulin <manikulin@gmail.com> writes:
>> And we do not need to do anything about it, right?
>
> I posted the links as a reminder that shell commands should be avoided
> when possible (and it does not break TRAMP) and arguments should be
> escaped otherwise.
But this patch literally fixed the problem. What else should we do?
> I suppose, the issue has been received too much attention already:
>
> - https://security-tracker.debian.org/tracker/CVE-2023-28617
> - https://ubuntu.com/security/notices/USN-6003-1
> - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-28617
These appear to be different issues.
If you think that any of them remains unaddressed, patches welcome.
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>