From: Glenn Morris
Newsgroups: gmane.emacs.bugs
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Wed, 26 May 2021 11:52:04 -0400
Message-ID: <2nk0nl7asb.fsf@fencepost.gnu.org>
To: 48676@debbugs.gnu.org

Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security

emacs -Q hello.org, where hello.org contains:

#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello.
{{{hello}}}

Then:
M-x org-export-dispatch t A
-> now /tmp/HELLO exists, with no prompting.

This seems contrary to normal Emacs practice for risky local variables,
and to the section "Code Evaluation and Security Issues" in the Org
manual (which does not mention macros).
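A static pre-export check for the pattern in this report, as an added example that is not part of the original message or of Org itself: it flags `#+macro:` definitions whose body is an `(eval ...)` form, and the lines that call them, so an untrusted file can be reviewed before export. The function name `scan_org` and the finding labels are hypothetical; it assumes an eval macro is recognised by its body starting with `(eval`, as in the report's example, and that `#+SETUPFILE:` / `#+INCLUDE:` targets need the same scan.

```python
import re

# "#+MACRO: name body"; the keyword is matched case-insensitively.
MACRO_RE = re.compile(r"^[ \t]*#\+macro:[ \t]+(\S+)[ \t]+(.*)$", re.IGNORECASE)
# Assumption: a macro body is evaluated as Lisp when it begins with "(eval",
# as in the report's example. "(evaluate ..." must not match.
EVAL_RE = re.compile(r"\(eval(?![\w-])")
# Assumption: these keywords can bring in content from other files, so the
# referenced file needs the same scan before the document is exported.
INDIRECT_RE = re.compile(r"^[ \t]*#\+(setupfile|include):[ \t]+(.+)$", re.IGNORECASE)
# "{{{name}}}" or "{{{name(args)}}}" macro call.
CALL_RE = re.compile(r"\{\{\{([A-Za-z][\w-]*)")

# Sample input: the hello.org file quoted in the report (never executed here).
SAMPLE = (
    '#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))\n'
    'Hello.\n'
    '{{{hello}}}\n'
)


def scan_org(text):
    """Return a list of findings (dicts with line, kind, detail) for one Org file."""
    lines = text.splitlines()
    eval_macros = set()  # names lower-cased so matching errs towards flagging
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = MACRO_RE.match(line)
        if m and EVAL_RE.match(m.group(2).strip()):
            eval_macros.add(m.group(1).lower())
            findings.append({"line": lineno, "kind": "eval-macro", "detail": m.group(1)})
            continue
        m = INDIRECT_RE.match(line)
        if m:
            findings.append({"line": lineno, "kind": "indirect-source",
                             "detail": m.group(2).strip()})
    # Second pass: report every place an eval macro would be expanded on export.
    for lineno, line in enumerate(lines, 1):
        if MACRO_RE.match(line):
            continue
        for name in CALL_RE.findall(line):
            if name.lower() in eval_macros:
                findings.append({"line": lineno, "kind": "eval-macro-call", "detail": name})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in scan_org(SAMPLE):
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
```

A clean result only means no eval macro is defined in the scanned text itself; files named in `indirect-source` findings have to be scanned as well.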