Re: Need information regarding Emacs application
From: Thibaut Verron
Subject: Re: Need information regarding Emacs application
Date: Sat, 10 Feb 2024 12:07:05 +0100
On Sat 10 Feb 2024, 11:33 Jean Louis, <bugs@gnu.support> wrote:
> * Anders Munch <ajm@flonidan.dk> [2024-02-09 18:19]:
> > Srinivasan Santhanam wrote:
> > > Could you please confirm whether there are any vulnerabilities
> identified with the latest 29.2 version.
> >
> > https://www.opencve.io/cve?vendor=gnu&product=emacs
>
> I would not agree that those CVE reports are appropriate to Emacs.
>
> Let us review a few examples:
>
> > CVE-2023-2491 2 Gnu, Redhat 5 Emacs, Enterprise Linux,
> Enterprise Linux Eus and 2 more 2023-12-10 N/A 7.8 HIGH
> > A flaw was found in the Emacs text editor. Processing a specially
> > crafted org-mode code with the "org-babel-execute:latex" function in
> > ob-latex.el can result in arbitrary command execution. This CVE exists
> > because of a CVE-2023-28617 security regression for the emacs package
> > in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.
>
> We have to consider that Emacs has a built-in programming
> language. All parts of Emacs can be replaced, or loaded from not only
> system files but also private files.
>
> If any attacking user has access to the file system, then such a user can
> provide a custom "Org" library or any other library and can impose on
> the victim user for that library to do whatever they want.
>
This one could point to an actual vulnerability, given that LaTeX by
default does not allow evaluating arbitrary code on the system.
A user can be wary about elisp and e.g. python snippets, yet trust that
LaTeX code should be safe.
I don't see why you bring compromised libraries into the mix; afaik
ob-latex is distributed with org-mode. If I understand the summary
correctly, the attack only requires a .org file with a malicious "src
LaTeX" block, that's not full access to the file system.
Thibaut
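The two concerns raised in this exchange, a crafted "src latex" block being evaluated by org-babel, and a user-writable copy of a library shadowing the one that ships with Org, can both be addressed from init.el. The following is an added example for this page, not code from the thread, from Org or from Emacs; the `my/` names are assumptions, and it relies only on the documented `org-confirm-babel-evaluate` (a function value is called with the language and body, non-nil means "ask first"), `org-export-use-babel`, `locate-library` and `list-load-path-shadows`.

```elisp
;; Hardening example for org-babel evaluation and load-path shadowing.
;; Added illustration, not Org's or Emacs' own code; `my/' names are assumed.

(defvar my/babel-always-confirm '("latex" "sh" "shell" "python" "emacs-lisp")
  "Languages for which evaluating a src block must always prompt.
Assumed list for this example; LaTeX is included deliberately, because
users tend to regard it as harmless markup rather than executable code.")

(defvar my/babel-refuse '("latex")
  "Languages whose src blocks are never evaluated, even after a prompt.
Assumed list for this example.")

(defun my/org-confirm-babel-evaluate (lang _body)
  "Decide whether evaluating a LANG src block needs confirmation.
Org calls this with the block language and body.  Returning non-nil makes
Org prompt before running the block.  For languages in `my/babel-refuse'
we abort with `user-error' instead, which stops the evaluation outright."
  (let ((l (downcase lang)))
    (when (member l my/babel-refuse)
      (user-error "Refusing to evaluate a %s src block (see my/babel-refuse)" l))
    (member l my/babel-always-confirm)))

;; Prompt per block according to the policy above (default is t: prompt for all).
(setq org-confirm-babel-evaluate #'my/org-confirm-babel-evaluate)

;; Export must not silently run src blocks either.
(setq org-export-use-babel nil)

(defun my/library-under-p (lib expected-dir)
  "Return non-nil if LIB (a feature name string) resolves to a file inside
EXPECTED-DIR.  Detects a copy placed earlier on `load-path' by a user with
write access, the scenario Jean Louis describes."
  (let ((path (locate-library lib)))
    (and path
         (string-prefix-p (file-truename (file-name-as-directory expected-dir))
                          (file-truename path)))))

(defun my/report-ob-latex-origin ()
  "Show where ob-latex is loaded from and whether any shadowing exists."
  (interactive)
  (let ((path (locate-library "ob-latex"))
        ;; With a non-nil argument `list-load-path-shadows' returns a string.
        (shadows (list-load-path-shadows t)))
    (message "ob-latex: %s%s"
             (or path "not found on load-path")
             (if (and shadows (string-match-p "ob-latex" shadows))
                 " (WARNING: shadowed by another copy on load-path)"
               ""))))
```

To apply the shadowing check to a specific install, call `(my/library-under-p "ob-latex" (file-name-directory (locate-library "org")))`; a nil result means ob-latex is coming from somewhere other than the directory Org itself loads from, which is exactly the case a reviewer of Jean Louis's scenario would want to notice.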