From: Max Nikulin <manikulin@gmail.com>
To: rms@gnu.org, Ihor Radchenko <yantar92@posteo.net>
Cc: kupfer@rawbw.com, 68687@debbugs.gnu.org, emacs-orgmode@gnu.org,
stefankangas@gmail.com, eliz@gnu.org
Subject: Re: bug#68687: Org mode code evaluation
Date: Fri, 2 Feb 2024 11:58:44 +0700 [thread overview]
Message-ID: <87bc23dd-7c0b-4f9a-a54d-29716e948c5c@gmail.com> (raw)
In-Reply-To: <E1rVkNc-0007za-6b@fencepost.gnu.org>
On 02/02/2024 10:38, Richard Stallman wrote:
>
> > I did not imply that Org mode is safe. I directly said that there are
> > security issues and that they are known.
>
> Could you plesae post a pointer to a desciption of them?
I would strongly prefer to move discussion of Org security to a
dedicated thread on emacs-orgmode or emacs-devel and leave this bug to
media types used for Org.
Whenever the suggested patch committed (as a whole or in parts) or not,
admit that Org mode is already used as media type handler for mail
messages and downloaded files.
I have tried a couple more ideas, but have not managed to achieve code
execution when files are loaded (assuming default or plausible user
settings). If Org keystrokes are not active when mail messages are
opened then it should be safe enough. (However I suspect an issue
unrelated to code execution.) If Emacs or Org mode has severe issues
then it is possible to exploit them even without the patch. Just send a
message having 3 attachments covering all variants of Content-Type.
The point is to minimize discrepancy related to Org mode stuff within
Emacs and outside of it. E.g. in default configuration Thunderbird on
Debian 12 bookworm sends attachments as text/org. Emacs core uses
text/x-org or application/vnd.lotus-organizer. With no action taken it
will last further.
next prev parent reply other threads:[~2024-02-02 4:59 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-21 13:56 Org mode MIME type Max Nikulin
2024-01-21 15:11 ` Timothy
2024-01-22 16:21 ` Max Nikulin
2024-01-24 14:43 ` bug#68687: [PATCH] Use text/org media type Max Nikulin
2024-01-25 23:10 ` Stefan Kangas
2024-01-25 23:10 ` Stefan Kangas
2024-01-25 23:43 ` Ihor Radchenko
2024-01-25 23:43 ` Ihor Radchenko
2024-01-26 7:40 ` Eli Zaretskii
2024-01-26 14:00 ` Ihor Radchenko
2024-01-26 14:00 ` Ihor Radchenko
2024-01-26 7:40 ` Eli Zaretskii
2024-01-26 10:52 ` Max Nikulin
2024-01-30 19:39 ` Stefan Kangas
2024-01-30 20:34 ` Ihor Radchenko
2024-01-30 20:34 ` Ihor Radchenko
2024-01-30 19:39 ` Stefan Kangas
2024-01-26 7:23 ` Eli Zaretskii
2024-01-26 7:23 ` Eli Zaretskii
2024-01-26 10:39 ` Max Nikulin
2024-01-26 12:22 ` Eli Zaretskii
2024-01-31 16:30 ` Max Nikulin
2024-01-31 16:30 ` Max Nikulin
2024-01-27 3:38 ` Richard Stallman
2024-01-28 16:35 ` Max Nikulin
2024-01-28 16:35 ` Max Nikulin
2024-01-28 16:47 ` Eli Zaretskii
2024-01-30 3:56 ` Richard Stallman
2024-01-30 3:56 ` Richard Stallman
2024-01-30 12:13 ` Ihor Radchenko
2024-01-30 12:13 ` Ihor Radchenko
2024-01-30 17:12 ` bug#68687: Org mode code evaluation (was: bug#68687: [PATCH] Use text/org media type) Mike Kupfer
2024-01-30 17:12 ` Mike Kupfer
2024-01-30 17:51 ` Ihor Radchenko
2024-02-02 3:38 ` bug#68687: " Richard Stallman
2024-02-02 3:38 ` Richard Stallman
2024-02-02 4:58 ` Max Nikulin [this message]
2024-02-02 4:58 ` bug#68687: Org mode code evaluation Max Nikulin
2024-02-02 16:10 ` bug#68687: Org mode code evaluation (was: bug#68687: [PATCH] Use text/org media type) Ihor Radchenko
2024-01-30 17:51 ` Ihor Radchenko
2024-01-31 16:18 ` bug#68687: [PATCH] Use text/org media type Max Nikulin
2024-01-31 16:32 ` Ihor Radchenko
2024-01-31 16:32 ` Ihor Radchenko
2024-01-31 16:18 ` Max Nikulin
2024-02-02 3:40 ` Richard Stallman
2024-02-02 3:40 ` Richard Stallman
2024-02-02 7:15 ` Eli Zaretskii
2024-02-02 7:15 ` Eli Zaretskii
2024-01-30 12:52 ` Eli Zaretskii
2024-01-30 12:52 ` Eli Zaretskii
2024-01-28 16:47 ` Eli Zaretskii
2024-01-27 3:38 ` Richard Stallman
2024-01-31 20:00 ` Stefan Kangas
2024-01-31 20:00 ` Stefan Kangas
2024-02-01 10:40 ` Max Nikulin
2024-02-01 10:40 ` Max Nikulin
2024-02-02 7:09 ` Stefan Kangas
2024-02-02 16:28 ` bug#68687: [PATCH v2] " Max Nikulin
2024-02-02 7:09 ` bug#68687: [PATCH] " Stefan Kangas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bc23dd-7c0b-4f9a-a54d-29716e948c5c@gmail.com \
--to=manikulin@gmail.com \
--cc=68687@debbugs.gnu.org \
--cc=eliz@gnu.org \
--cc=emacs-orgmode@gnu.org \
--cc=kupfer@rawbw.com \
--cc=rms@gnu.org \
--cc=stefankangas@gmail.com \
--cc=yantar92@posteo.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.