From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Stefan Kangas <stefankangas@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Wed, 10 Jan 2024 13:21:09 -0800
Message-ID: <CADwFkmnTMsOM+z0x8FGPGguMtoD9hLrNt9YfbaJ08KPNKW3EbQ@mail.gmail.com>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@gmail.com>
 <83wmvyzir2.fsf@gnu.org> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@gmail.com>
 <83v8bizf9r.fsf@gnu.org> <1865abb8-16cd-4570-9a8a-87cf9430583d@gmail.com>
 <875y3iigua.fsf@gmx.de> <83o7hazap7.fsf@gnu.org> <87mswugyoq.fsf@gmx.de>
 <83jzryz6op.fsf@gnu.org> <87a5sugwcx.fsf@gmx.de> <83h6n2z3tr.fsf@gnu.org>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@gmail.com> <831qe5znrz.fsf@gnu.org>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@qq.com>
 <262ed9fe-b92b-489d-b1f0-5202bfdb088b@gmail.com>
 <tencent_3C358C354C777BF23EE1D3C1839C3F331C08@qq.com>
 <87il7e78j5.fsf@igel.home>
 <tencent_B89C8F336F35EB3562777DF226E178C19708@qq.com>
 <CADwFkmk4y0H3pEyErqeKBrc8Evb8qMmAK-Vi1o37Ab0T8h7GHg@mail.gmail.com>
 <83h6mksaqp.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="5068"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: lx@shellcodes.org, Ihor Radchenko <yantar92@posteo.net>,
 66390@debbugs.gnu.org, schwab@linux-m68k.org, michael.albinus@gmx.de,
 manikulin@gmail.com
To: Eli Zaretskii <eliz@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Wed Jan 10 22:22:31 2024
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1rNg1v-0001AC-Hi
	for geb-bug-gnu-emacs@m.gmane-mx.org; Wed, 10 Jan 2024 22:22:31 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1rNg1W-0001AR-34; Wed, 10 Jan 2024 16:22:06 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1rNg1T-00019o-KF
 for bug-gnu-emacs@gnu.org; Wed, 10 Jan 2024 16:22:03 -0500
Original-Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1rNg1T-0006ev-Bf
 for bug-gnu-emacs@gnu.org; Wed, 10 Jan 2024 16:22:03 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1rNg1R-0003gS-Kw
 for bug-gnu-emacs@gnu.org; Wed, 10 Jan 2024 16:22:01 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Stefan Kangas <stefankangas@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Wed, 10 Jan 2024 21:22:01 +0000
Resent-Message-ID: <handler.66390.B66390.170492167614081@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 66390
X-GNU-PR-Package: emacs
Original-Received: via spool by 66390-submit@debbugs.gnu.org id=B66390.170492167614081
 (code B ref 66390); Wed, 10 Jan 2024 21:22:01 +0000
Original-Received: (at 66390) by debbugs.gnu.org; 10 Jan 2024 21:21:16 +0000
Original-Received: from localhost ([127.0.0.1]:43313 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1rNg0i-0003f2-9X
 for submit@debbugs.gnu.org; Wed, 10 Jan 2024 16:21:16 -0500
Original-Received: from mail-ed1-x52f.google.com ([2a00:1450:4864:20::52f]:55472)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@gmail.com>) id 1rNg0g-0003ei-Gk
 for 66390@debbugs.gnu.org; Wed, 10 Jan 2024 16:21:15 -0500
Original-Received: by mail-ed1-x52f.google.com with SMTP id
 4fb4d7f45d1cf-557535489d0so5369909a12.2
 for <66390@debbugs.gnu.org>; Wed, 10 Jan 2024 13:21:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1704921670; x=1705526470; darn=debbugs.gnu.org;
 h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
 :from:from:to:cc:subject:date:message-id:reply-to;
 bh=1Sncf9WSi36q7+OCgdVWXK/zwH/DT8uEqQkkdTBPsrA=;
 b=ASeFWagt+KL6RfLGe5grJi1UX4cUJfP+BfRNyYjDRR07wOFAgQPOwL+stGoPOBwnFe
 PKl/DkIDCquPPybemKr8ga1p7fOAc5XMSHa51bEBrOo8FrQx3N+QkOnaA6qnrMaY2Fef
 ED3bWdCxIrAhkvbFvdbA8MH6Y5FTZ0ic4MNc/6W43A/BFBl5J9Z9koseFP9NJEX9XRW7
 Eb9mDByq3V5oX6udyGddSj9vgExXa+ZDykanBPfmGGIILoNmXbgRXKL6xbURV42E8/x5
 /wHu7XDCyhNTzFF+RNOgH2rU9JYk4bZZ1rQsV0H947+IN2hDswxdXpUTz5ZpNjcObhED
 KC2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1704921670; x=1705526470;
 h=cc:to:subject:message-id:date:mime-version:references:in-reply-to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=1Sncf9WSi36q7+OCgdVWXK/zwH/DT8uEqQkkdTBPsrA=;
 b=uXhQwhr69HN7Vw3zn6gqTo5NdbonTDjcz2oArvAr2javPNWuaQFfS10DH1yIXUzI5M
 sQYF9LCuVzP3KHFhWaeCVF8NT3qv82/ANwBFkS3YVP2HRg7q8yu0cNNSJCoSHZLVN23y
 2u0QfN07DQV4y675xkF9ep3sSmecxMQ0i9kJIJeDl7m8Us3hEbd9eMNiNW63F90CFIHE
 sU83rfSBYak+jbAc76Kd/pjP4P6gA8Ll4EANrjq6BxlOXRKE43WvC6FvQwCzUArJiL1U
 m+z69fsaNkyScIjNtSVLZUUZeNYlZ34Y7CaLZtgaTsp7cJcxw90msHjbd9okhwFf9Wuq
 h9lA==
X-Gm-Message-State: AOJu0YyNO6efiC4MdDfgAtvtDnHI5ijfVwfOSSyYY1KqHm+kVXn4XWZa
 5DujVhz7L3qfjX9RexfiVpAJ8JQ3Ydr9OVBe5lM=
X-Google-Smtp-Source: AGHT+IGFJLViM43zZWSgB88QQjgKJ42vHWdulHQpOyMiYvnUEWEpPNhvr5FSmhEZsQK5iZg3+G0vDnnQn4ZqpMu+S+s=
X-Received: by 2002:aa7:ca53:0:b0:557:af52:e7bb with SMTP id
 j19-20020aa7ca53000000b00557af52e7bbmr48888edt.60.1704921669717; Wed, 10 Jan
 2024 13:21:09 -0800 (PST)
Original-Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Wed, 10 Jan 2024 13:21:09 -0800
In-Reply-To: <83h6mksaqp.fsf@gnu.org> (Eli Zaretskii's message of "Sat, 21 Oct
 2023 10:19:58 +0300")
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:277822
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/277822>

tags 66390 + security
close 66390 30.1
thanks

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Stefan Kangas <stefankangas@gmail.com>
>>
>> I lost track of this discussion a little bit, but I think we should
>> try to have this fixed in Emacs 29.2.
>
> If we have a reliable solution (a hard-to-satisfy condition, see
> below), yes.
>
>> Is the below patch acceptable?
>
> I'm not sure it is reliable enough.  man.el is an extremely tricky
> package wrt the weird file names it must support (because many man
> pages have weird names and include characters that are not normally
> found in file names).  In particular, who can guarantee that ';' will
> not be part of some man page some day? it's a valid file-name
> character on Posix hosts, isn't it?
>
> So I would be happier with installing this on master instead.
> Distros which consider this a serious vulnerability can always
> cherry-pick the change in their Emacs 29 distributions.

OK, I've now installed the change on master (820f0793f0b).  I'm tagging
the bug "security" to make it easier to find for distro maintainers.

Ihor, I'm copying in you as well, in case you want to add a workaround
for this security-relevant bug to Org mode as well.  AFAIU, org mode
man:// links are vulnerable to a shell injection vulnerability in all
released versions of Emacs, and will continue to be so for users until
they upgrade to 30.1.  See this bug for details.  (Bug#66390)

I'm closing the bug with this message.