From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Wed, 10 Jan 2024 13:21:09 -0800
To: Eli Zaretskii
Cc: lx@shellcodes.org, Ihor Radchenko, 66390@debbugs.gnu.org, schwab@linux-m68k.org, michael.albinus@gmx.de, manikulin@gmail.com
In-Reply-To: <83h6mksaqp.fsf@gnu.org> (Eli Zaretskii's message of "Sat, 21 Oct 2023 10:19:58 +0300")

tags 66390 + security
close 66390 30.1
thanks

Eli Zaretskii writes:

>> From: Stefan Kangas
>>
>> I lost track of this discussion a little bit, but I think we should
>> try to have this fixed in Emacs 29.2.
>
> If we have a reliable solution (a hard-to-satisfy condition, see
> below), yes.
>
>> Is the below patch acceptable?
>
> I'm not sure it is reliable enough.  man.el is an extremely tricky
> package wrt the weird file names it must support (because many man
> pages have weird names and include characters that are not normally
> found in file names).  In particular, who can guarantee that ';' will
> not be part of some man page some day?  it's a valid file-name
> character on Posix hosts, isn't it?
>
> So I would be happier with installing this on master instead.
> Distros which consider this a serious vulnerability can always
> cherry-pick the change in their Emacs 29 distributions.

OK, I've now installed the change on master (820f0793f0b).  I'm tagging
the bug "security" to make it easier to find for distro maintainers.

Ihor, I'm copying in you as well, in case you want to add a workaround
for this security-relevant bug to Org mode as well.  AFAIU, org mode
man:// links are vulnerable to a shell injection vulnerability in all
released versions of Emacs, and will continue to be so for users until
they upgrade to 30.1.  See this bug for details.  (Bug#66390)

I'm closing the bug with this message.
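
The trade-off raised in the quoted reply, rejecting ';' versus supporting odd file names, shown as an added shell example; it is not man.el code and not the change installed on master. The helper names and topics are constructed for illustration, and `set --` stands in for the real command.

```shell
#!/bin/sh
# Added example. Helper names and topics are constructed; `set --`
# stands in for the real command so nothing but the shell is needed.

# ';' is an ordinary byte in POSIX file names: create such a file in a
# scratch directory and report whether it exists ("yes" or "no").
semicolon_name_is_valid() {
    d=$(mktemp -d) || return 1
    : > "$d/weird;page.1"
    if [ -e "$d/weird;page.1" ]; then r=yes; else r=no; fi
    rm -rf "$d"
    printf '%s' "$r"
}

# Denylist approach: returns 0 (reject) when the topic contains ';'.
denylist_rejects() {
    case $1 in
        *\;*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Quote one word for a POSIX shell: wrap it in single quotes and turn
# each embedded ' into '\''. (Trailing newlines are dropped by $(...).)
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Splice the topic into a command string unquoted, then print
# "<argument count>:<first argument>" as the child shell saw it.
words_seen_raw() {
    sh -c "set -- $1; printf '%s:%s' \"\$#\" \"\$1\""
}

# Same command string, but with the topic quoted first.
words_seen() {
    sh -c "set -- $(sh_quote "$1"); printf '%s:%s' \"\$#\" \"\$1\""
}

# Constructed topics: one plain, one containing ';'.
for t in 'printf' 'weird;true'; do
    printf '%-11s raw=%-9s quoted=%s\n' "$t" \
        "$(words_seen_raw "$t")" "$(words_seen "$t")"
done
```

In the raw form the child shell sees only `weird` as the topic and runs the rest as its own command, while the quoted form delivers `weird;true` as a single argument and still accepts a name the denylist would refuse.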