From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Rafael Ramirez Morales <rafael.ramirezmorales@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 09:02:20 +0200
Message-ID: <CAL1NY7bbWcCX7Ni1t+LcxL9_jdBmCgKkfj9u=xUqxaLoxJkJig__22143.9863134705$1622118495$gmane$org@mail.gmail.com>
References: <2nk0nl7asb.fsf@fencepost.gnu.org>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="000000000000d1af9d05c34a57cb"
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="32489"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: 48676@debbugs.gnu.org
To: Glenn Morris <rgm@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Thu May 27 14:28:07 2021
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1lmF7O-0008Ey-Pf
	for geb-bug-gnu-emacs@m.gmane-mx.org; Thu, 27 May 2021 14:28:06 +0200
Original-Received: from localhost ([::1]:48860 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1lmF7H-0001u7-Ru
	for geb-bug-gnu-emacs@m.gmane-mx.org; Thu, 27 May 2021 08:28:03 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:53518)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lmEo2-0007eu-6X; Thu, 27 May 2021 08:08:06 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:39238)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lmEny-0003y9-RN; Thu, 27 May 2021 08:08:05 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lmEny-0005TU-K9; Thu, 27 May 2021 08:08:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Rafael Ramirez Morales <rafael.ramirezmorales@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org, emacs-orgmode@gnu.org
Resent-Date: Thu, 27 May 2021 12:08:02 +0000
Resent-Message-ID: <handler.48676.B48676.162211724220974@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 48676
X-GNU-PR-Package: emacs,org-mode
X-GNU-PR-Keywords: security
Original-Received: via spool by 48676-submit@debbugs.gnu.org id=B48676.162211724220974
 (code B ref 48676); Thu, 27 May 2021 12:08:02 +0000
Original-Received: (at 48676) by debbugs.gnu.org; 27 May 2021 12:07:22 +0000
Original-Received: from localhost ([127.0.0.1]:50781 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lmEnJ-0005SC-R2
 for submit@debbugs.gnu.org; Thu, 27 May 2021 08:07:22 -0400
Original-Received: from mail-oi1-f169.google.com ([209.85.167.169]:34741)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rafael.ramirezmorales@gmail.com>) id 1lmA2P-00044x-TY
 for 48676@debbugs.gnu.org; Thu, 27 May 2021 03:02:38 -0400
Original-Received: by mail-oi1-f169.google.com with SMTP id u11so4183330oiv.1
 for <48676@debbugs.gnu.org>; Thu, 27 May 2021 00:02:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=8WM6UbgaHpHTgnZ7mAOmu+GpC30S8Ljl8NJ0OFIgPT0=;
 b=m8BjRRWNUzVqFwes59Xy3coeL9wBluIMpy2LOBGayhFIFtx01cxKTooJhgOKCSVUEx
 LvOpu5hTdl5Ea6K20pfLzf4gn/P50dkFjo/LjlvAZCvIimNmlBVBbuuw/IE3u8645qYC
 6Sa/N4UzKGvUrub8rzwNq7w8Vu9oTnv9PpP658Oa8v07cc6PDYRgFjwPmiZuD4uYkNM9
 tL8IjZxOsRPwa8TTLFU4tw33eYboQEGuLT4uMpLYb+GOZYI74ZuxAmh2rR0OABR5v5WS
 K2/78cX/k7yjTorYXeONIhFidzOKnBUAO4XDfZFERUH6CROQnEEJ7vNslVeLqMUdkaft
 tVSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=8WM6UbgaHpHTgnZ7mAOmu+GpC30S8Ljl8NJ0OFIgPT0=;
 b=gABeR/EnsQyoPB3xIy/H/veExD0xOK+RBFem2e2e9fF1qHb0eSIRDRPJbn8nTnLgRf
 e8NV7r1eCVjonQYue38g8R7D4bl22xzHCwIFZIMKrLFcClIA+kWQ4WSRoQ0BvUihgWC3
 dp3/uibbK9FWFJhs9nu8wA5kMt7W1y1MVxQKAVkaARVGIggh0+f735YdN5I2QRIraN4k
 sHoqQxDnNMYQFSFdAJln3y00tnqkJYjeRB2Nzoalhcahny2+k9SaYrpY8Hf608Dl2S7x
 BKjNvAgIWr1iJwymBlVo+q6kcmhPYOeddu84FETbZF+PIwT4QUmiRFlhhiVtEZsHYts8
 CYow==
X-Gm-Message-State: AOAM532pXatqDc60Uyv9J0YEVIAX4V4bmTMGpUkCBInkjn/DU0r26nCJ
 P3wEnkM7XT6Y5ZOtJVxN607I3uhkSjkTTmFdqOE=
X-Google-Smtp-Source: ABdhPJzzmgT+yNhKBIhaTiR3WJkG8J3JxHjcd+frvF1vuV3bi1MyST/U4Y2Sr2gwaZq8ud9ODDs84xuhxe8+8t0Wv6M=
X-Received: by 2002:a54:4e82:: with SMTP id c2mr4722276oiy.137.1622098951908; 
 Thu, 27 May 2021 00:02:31 -0700 (PDT)
In-Reply-To: <2nk0nl7asb.fsf@fencepost.gnu.org>
X-Mailman-Approved-At: Thu, 27 May 2021 08:07:20 -0400
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:207369
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/207369>

--000000000000d1af9d05c34a57cb
Content-Type: text/plain; charset="UTF-8"

Just a couple of questions:
who is the owner of the HELLO file?
OR
who is the owner of the "touch" process?

Is the owner the unprivileged user or the "emacs" system?

Thanks.

On Wed, 26 May 2021 at 17:53, Glenn Morris <rgm@gnu.org> wrote:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exist, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
>
>

--000000000000d1af9d05c34a57cb
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><div>Just a couple of questions:</div><di=
v>who is the owner of the HELLO file?</div><div>OR</div><div>who is the own=
er of the &quot;touch&quot; process?</div><div><br></div><div>Is the owner =
the unprivileged user or the &quot;emacs&quot; system?</div><div><br></div>=
<div>Thanks.<br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr"=
 class=3D"gmail_attr">On Wed, 26 May 2021 at 17:53, Glenn Morris &lt;<a hre=
f=3D"mailto:rgm@gnu.org">rgm@gnu.org</a>&gt; wrote:<br></div><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid=
 rgb(204,204,204);padding-left:1ex">Package: emacs,org-mode<br>
Version: 28.0.50<br>
Severity: important<br>
Tags: security<br>
<br>
emacs -Q <a href=3D"http://hello.org" rel=3D"noreferrer" target=3D"_blank">=
hello.org</a>, where <a href=3D"http://hello.org" rel=3D"noreferrer" target=
=3D"_blank">hello.org</a> contains:<br>
<br>
#+macro: hello (eval (shell-command-to-string &quot;touch /tmp/HELLO&quot;)=
)<br>
Hello. {{{hello}}}<br>
<br>
Then:<br>
M-x org-export-dispatch<br>
t A<br>
<br>
-&gt; now /tmp/HELLO exist, with no prompting.<br>
<br>
This seems contrary to normal Emacs practice for risky local variables,<br>
and to the section &quot;Code Evaluation and Security Issues&quot; in the O=
rg manual<br>
(which does not mention macros).<br>
<br>
</blockquote></div></div>

--000000000000d1af9d05c34a57cb--