* [ANN] Emergency bugfix release: Org mode 9.7.5 @ 2024-06-22 16:10 Ihor Radchenko 2024-06-22 17:49 ` Ihor Radchenko ` (4 more replies) 0 siblings, 5 replies; 21+ messages in thread From: Ihor Radchenko @ 2024-06-22 16:10 UTC (permalink / raw) To: emacs-orgmode; +Cc: Bastien Dear all, I just released Org mode 9.7.5 that fixes a critical vulnerability. The release is coordinated with emergency Emacs 29.4 release. Please upgrade your Org mode *and* Emacs ASAP. The vulnerability involves arbitrary Shell code evaluation when previewing attachments in Emacs MUA (gnus-based: at least, mu4e, Notmuch, Gnus itself) or when opening third-party Org files. All the earlier versions of Org mode are affected. Note that the vulnerability solved in this release has nothing to do with recent Org 9.6.23 release (https://list.orgmode.org/871q7zbldp.fsf@localhost/). It existed since long time ago and was discovered by accident. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92> ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [ANN] Emergency bugfix release: Org mode 9.7.5 2024-06-22 16:10 [ANN] Emergency bugfix release: Org mode 9.7.5 Ihor Radchenko @ 2024-06-22 17:49 ` Ihor Radchenko 2024-06-22 23:55 ` Greg Troxel 2024-06-22 17:59 ` emacs-orgmode ` (3 subsequent siblings) 4 siblings, 1 reply; 21+ messages in thread From: Ihor Radchenko @ 2024-06-22 17:49 UTC (permalink / raw) To: emacs-orgmode; +Cc: Bastien Ihor Radchenko <yantar92@posteo.net> writes: > Please upgrade your Org mode *and* Emacs ASAP. *Org mode or Emacs. The fix is purely in Org code, so upgrading Emacs is only needed when you want to use built-in Org mode. Otherwise, it is enough to upgrade Org mode via ELPA (the tarball will be available soon, after ELPA scripts fetch the latest release tag). -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92> ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [ANN] Emergency bugfix release: Org mode 9.7.5 2024-06-22 17:49 ` Ihor Radchenko @ 2024-06-22 23:55 ` Greg Troxel 2024-06-23 1:58 ` Steven Allen 0 siblings, 1 reply; 21+ messages in thread From: Greg Troxel @ 2024-06-22 23:55 UTC (permalink / raw) To: Ihor Radchenko; +Cc: emacs-orgmode, Bastien (Thanks for fixing and your efforts on org. I've been an org user since at least July of 2010.) Just to be clear, is this the commit that needs applying to emacs sources, 29.3, 28.x, and so on? It seems so, but I would rather not guess. I'm asking on behalf of pkgsrc, where I am managing the release process for our 2024Q2 branch, due on 30 June. Believe it or not we have 20, 21, 26, 27, 28, 29 and a from-git version. While some should be pruned, some people use it on vaxes. Any idea how far back this goes? Thanks, Greg commit f4cc61636947b5c2f0afc67174dd369fe3277aa8 Author: Ihor Radchenko <yantar92@posteo.net> Date: Tue Jun 18 13:06:44 2024 +0200 org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link abbrevs that specify unsafe function. Instead, display a warning, and do not expand the abbrev. Clear all the text properties from the returned link, to avoid any potential vulnerabilities caused by properties that may contain arbitrary Elisp. diff --git a/lisp/ol.el b/lisp/ol.el index 7a7f4f558..8a556c7b9 100644 --- a/lisp/ol.el +++ b/lisp/ol.el @@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'." (if (not as) link (setq rpl (cdr as)) - (cond - ((symbolp rpl) (funcall rpl tag)) - ((string-match "%(\\([^)]+\\))" rpl) - (replace-match - (save-match-data - (funcall (intern-soft (match-string 1 rpl)) tag)) - t t rpl)) - ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) - ((string-match "%h" rpl) - (replace-match (url-hexify-string (or tag "")) t t rpl)) - (t (concat rpl tag))))))) + ;; Drop any potentially dangerous text properties like + ;; `modification-hooks' that may be used as an attack vector. + (substring-no-properties + (cond + ((symbolp rpl) (funcall rpl tag)) + ((string-match "%(\\([^)]+\\))" rpl) + (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) + ;; Using `unsafep-function' is not quite enough because + ;; Emacs considers functions like `genenv' safe, while + ;; they can potentially be used to expose private system + ;; data to attacker if abbreviated link is clicked. + (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) + (eq t (get rpl-fun-symbol 'pure))) + (replace-match + (save-match-data + (funcall (intern-soft (match-string 1 rpl)) tag)) + t t rpl) + (org-display-warning + (format "Disabling unsafe link abbrev: %s +You may mark function safe via (put '%s 'org-link-abbrev-safe t)" + rpl (match-string 1 rpl))) + (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) + org-link-abbrev-alist (delete as org-link-abbrev-alist)) + link + ))) + ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) + ((string-match "%h" rpl) + (replace-match (url-hexify-string (or tag "")) t t rpl)) + (t (concat rpl tag)))))))) (defun org-link-open (link &optional arg) "Open a link object LINK. ^ permalink raw reply related [flat|nested] 21+ messages in thread
* Re: [ANN] Emergency bugfix release: Org mode 9.7.5 2024-06-22 23:55 ` Greg Troxel @ 2024-06-23 1:58 ` Steven Allen 0 siblings, 0 replies; 21+ messages in thread From: Steven Allen @ 2024-06-23 1:58 UTC (permalink / raw) To: Greg Troxel, Ihor Radchenko; +Cc: emacs-orgmode, Bastien Greg Troxel <gdt@lexort.com> writes: > (Thanks for fixing and your efforts on org. I've been an org user since > at least July of 2010.) > > Just to be clear, is this the commit that needs applying to emacs > sources, 29.3, 28.x, and so on? Yes, that's the correct commit. > It seems so, but I would rather not guess. I'm asking on behalf of > pkgsrc, where I am managing the release process for our 2024Q2 branch, > due on 30 June. Believe it or not we have 20, 21, 26, 27, 28, 29 and a > from-git version. While some should be pruned, some people use it on > vaxes. Any idea how far back this goes? It was introduced in org 7.9 (commit [1] from July of 2012). From what I can tell, it has been present in Emacs since emacs-24.2. [1]: ef3d4b5965b828e85a535ef3f32999473c6a2a7a > > Thanks, > Greg > > commit f4cc61636947b5c2f0afc67174dd369fe3277aa8 > Author: Ihor Radchenko <yantar92@posteo.net> > Date: Tue Jun 18 13:06:44 2024 +0200 > > org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code > > * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link > abbrevs that specify unsafe function. Instead, display a warning, and > do not expand the abbrev. Clear all the text properties from the > returned link, to avoid any potential vulnerabilities caused by > properties that may contain arbitrary Elisp. > > diff --git a/lisp/ol.el b/lisp/ol.el > index 7a7f4f558..8a556c7b9 100644 > --- a/lisp/ol.el > +++ b/lisp/ol.el > @@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'." > (if (not as) > link > (setq rpl (cdr as)) > - (cond > - ((symbolp rpl) (funcall rpl tag)) > - ((string-match "%(\\([^)]+\\))" rpl) > - (replace-match > - (save-match-data > - (funcall (intern-soft (match-string 1 rpl)) tag)) > - t t rpl)) > - ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) > - ((string-match "%h" rpl) > - (replace-match (url-hexify-string (or tag "")) t t rpl)) > - (t (concat rpl tag))))))) > + ;; Drop any potentially dangerous text properties like > + ;; `modification-hooks' that may be used as an attack vector. > + (substring-no-properties > + (cond > + ((symbolp rpl) (funcall rpl tag)) > + ((string-match "%(\\([^)]+\\))" rpl) > + (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) > + ;; Using `unsafep-function' is not quite enough because > + ;; Emacs considers functions like `genenv' safe, while > + ;; they can potentially be used to expose private system > + ;; data to attacker if abbreviated link is clicked. > + (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) > + (eq t (get rpl-fun-symbol 'pure))) > + (replace-match > + (save-match-data > + (funcall (intern-soft (match-string 1 rpl)) tag)) > + t t rpl) > + (org-display-warning > + (format "Disabling unsafe link abbrev: %s > +You may mark function safe via (put '%s 'org-link-abbrev-safe t)" > + rpl (match-string 1 rpl))) > + (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) > + org-link-abbrev-alist (delete as org-link-abbrev-alist)) > + link > + ))) > + ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) > + ((string-match "%h" rpl) > + (replace-match (url-hexify-string (or tag "")) t t rpl)) > + (t (concat rpl tag)))))))) > > (defun org-link-open (link &optional arg) > "Open a link object LINK. ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [ANN] Emergency bugfix release: Org mode 9.7.5 2024-06-22 16:10 [ANN] Emergency bugfix release: Org mode 9.7.5 Ihor Radchenko 2024-06-22 17:49 ` Ihor Radchenko @ 2024-06-22 17:59 ` emacs-orgmode 2024-06-22 19:15 ` Ihor Radchenko 2024-06-24 8:08 ` [ANN] Emergency bugfix release: Org mode 9.7.5 Bastien Guerry ` (2 subsequent siblings) 4 siblings, 1 reply; 21+ messages in thread From: emacs-orgmode @ 2024-06-22 17:59 UTC (permalink / raw) To: Ihor Radchenko; +Cc: emacs-orgmode, Bastien Ihor Radchenko <yantar92@posteo.net> writes: > I just released Org mode 9.7.5 that fixes a critical vulnerability. > The release is coordinated with emergency Emacs 29.4 release. Thanks for the release and the anouncement. Will a CVE be released? I am interested if there are mitigating factors such as using `emacs -nw` (without GUI), thus no possible preview of the attachments (IIUC). Best, ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [ANN] Emergency bugfix release: Org mode 9.7.5 2024-06-22 17:59 ` emacs-orgmode @ 2024-06-22 19:15 ` Ihor Radchenko 2024-06-24 9:09 ` Assigned: CVE-2024-39331 (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 0 siblings, 1 reply; 21+ messages in thread From: Ihor Radchenko @ 2024-06-22 19:15 UTC (permalink / raw) To: emacs-orgmode; +Cc: emacs-orgmode, Bastien emacs-orgmode@city17.xyz writes: > Will a CVE be released? Should be, I think. If nobody reports it independently by tomorrow, I will look into how to request a CVE number myself. > ... I am interested if there are mitigating factors > such as using `emacs -nw` (without GUI), thus no possible preview of the > attachments (IIUC). AFAIK, previewing attachments is not disabled by "no GUI" - preview in this context simply means fontification using major mode of the attached files. To disable email previews, see `mm-inline-media-tests'. Note that you cannot easily work around the problem when opening an actual Org file. You would either have to advice the problematic Org function, or cherry-pick the relevant commit from the release. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92> ^ permalink raw reply [flat|nested] 21+ messages in thread
* Assigned: CVE-2024-39331 (was: [ANN] Emergency bugfix release: Org mode 9.7.5) 2024-06-22 19:15 ` Ihor Radchenko @ 2024-06-24 9:09 ` Ihor Radchenko 0 siblings, 0 replies; 21+ messages in thread From: Ihor Radchenko @ 2024-06-24 9:09 UTC (permalink / raw) To: emacs-orgmode; +Cc: emacs-orgmode, Bastien Ihor Radchenko <yantar92@posteo.net> writes: > emacs-orgmode@city17.xyz writes: > >> Will a CVE be released? > > Should be, I think. > If nobody reports it independently by tomorrow, I will look into how to > request a CVE number myself. https://www.cve.org/CVERecord?id=CVE-2024-39331 -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92> ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [ANN] Emergency bugfix release: Org mode 9.7.5 2024-06-22 16:10 [ANN] Emergency bugfix release: Org mode 9.7.5 Ihor Radchenko 2024-06-22 17:49 ` Ihor Radchenko 2024-06-22 17:59 ` emacs-orgmode @ 2024-06-24 8:08 ` Bastien Guerry 2024-06-28 15:09 ` [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 2024-06-28 15:23 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 4 siblings, 0 replies; 21+ messages in thread From: Bastien Guerry @ 2024-06-24 8:08 UTC (permalink / raw) To: Ihor Radchenko; +Cc: emacs-orgmode Ihor Radchenko <yantar92@posteo.net> writes: > I just released Org mode 9.7.5 that fixes a critical vulnerability. > The release is coordinated with emergency Emacs 29.4 release. Thank you a lot for your diligent and careful work on this! -- Bastien Guerry ^ permalink raw reply [flat|nested] 21+ messages in thread
* [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec (was: [ANN] Emergency bugfix release: Org mode 9.7.5) 2024-06-22 16:10 [ANN] Emergency bugfix release: Org mode 9.7.5 Ihor Radchenko ` (2 preceding siblings ...) 2024-06-24 8:08 ` [ANN] Emergency bugfix release: Org mode 9.7.5 Bastien Guerry @ 2024-06-28 15:09 ` Ihor Radchenko 2024-06-28 15:51 ` [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec Suhail Singh 2024-06-28 15:23 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 4 siblings, 1 reply; 21+ messages in thread From: Ihor Radchenko @ 2024-06-28 15:09 UTC (permalink / raw) To: emacs-orgmode; +Cc: Bastien Dear all, > I just released Org mode 9.7.5 that fixes a critical vulnerability. > The release is coordinated with emergency Emacs 29.4 release. > ... > The vulnerability involves arbitrary Shell code evaluation... In a view of the recent vulnerability, we are considering to remove the offending feature completely. For the time being, we restricted %(function) constructs in #+LINK: ... lines to (1) pure functions (no side effects, no access to global state); (2) functions explicitly marked by the user. However, while discussing how to approach the vulnerability, we did not find many examples of using #+LINK: label %(function) in the wild. If you are actively using #+LINK: keywords with %(...) placeholders or have any objections to this feature removal, please let us know. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92> ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec 2024-06-28 15:09 ` [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko @ 2024-06-28 15:51 ` Suhail Singh 2024-06-28 16:20 ` Steven Allen 0 siblings, 1 reply; 21+ messages in thread From: Suhail Singh @ 2024-06-28 15:51 UTC (permalink / raw) To: Ihor Radchenko; +Cc: emacs-orgmode, Bastien Ihor Radchenko <yantar92@posteo.net> writes: > If you are actively using #+LINK: keywords with %(...) placeholders or > have any objections to this feature removal, please let us know. I do not actively use this feature, however, removing it seems excessive. IIUC, it's a useful feature in situations when the tag may require deterministic, yet non-trivial manipulation. The current mechanism of restricting this to functions marked safe by user seems sufficient. Am I missing something? Is the threat model such that it can only be adequately addressed by removing the feature altogether? -- Suhail ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec 2024-06-28 15:51 ` [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec Suhail Singh @ 2024-06-28 16:20 ` Steven Allen 2024-06-28 16:45 ` Suhail Singh 0 siblings, 1 reply; 21+ messages in thread From: Steven Allen @ 2024-06-28 16:20 UTC (permalink / raw) To: Suhail Singh, Ihor Radchenko; +Cc: emacs-orgmode, Bastien Suhail Singh <suhailsingh247@gmail.com> writes: > Ihor Radchenko <yantar92@posteo.net> writes: > >> If you are actively using #+LINK: keywords with %(...) placeholders or >> have any objections to this feature removal, please let us know. > > I do not actively use this feature, however, removing it seems > excessive. IIUC, it's a useful feature in situations when the tag may > require deterministic, yet non-trivial manipulation. The current > mechanism of restricting this to functions marked safe by user seems > sufficient. > > Am I missing something? Is the threat model such that it can only be > adequately addressed by removing the feature altogether? There are two issues: 1. While this feature no longer invokes completely arbitrary code, it still allows an attacker to call any function marked as "pure" which is a pretty large attack surface. 2. Making it secure also made it significantly less useful, if it ever was all that useful. For the %(...) specifier to be useful, you need a pure/safe function that takes exactly one string argument and produces the string you need. You can, of course, write that function; but then you might as well use org-link-abbrev-alist instead of defining a local #+LINK. Personally, I'd start by forbidding %(...) placeholders in buffer-local #+LINK: definitions, they're perfectly safe in org-link-abbrev-alist. ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec 2024-06-28 16:20 ` Steven Allen @ 2024-06-28 16:45 ` Suhail Singh 2024-06-28 16:55 ` Ihor Radchenko 2024-06-28 17:01 ` Steven Allen 0 siblings, 2 replies; 21+ messages in thread From: Suhail Singh @ 2024-06-28 16:45 UTC (permalink / raw) To: Steven Allen; +Cc: Suhail Singh, Ihor Radchenko, emacs-orgmode, Bastien Steven Allen <steven@stebalien.com> writes: > 1. While this feature no longer invokes completely arbitrary code, it > still allows an attacker to call any function marked as "pure" which > is a pretty large attack surface. I am struggling to assess this, because it's not clear to me what the threat model is. Could you please elaborate? How are the attacker and potential victim interacting; what is the attack vector(s); who are the threat agents and what is their goal that we are trying to guard against, etc? > You can, of course, write that function; but then you might as well > use org-link-abbrev-alist instead of defining a local #+LINK. Perhaps I misunderstood, I thought the thing being polled was whether or not to allow org-link-abbrev-alist to have REPLACE (per its docstring) be a function. I.e., if %(my-function) is removed, so too would the ability to have a function in the REPLACE position in org-link-abbrev-alist. Did I misunderstand? -- Suhail ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec 2024-06-28 16:45 ` Suhail Singh @ 2024-06-28 16:55 ` Ihor Radchenko 2024-06-28 17:34 ` Suhail Singh 2024-06-28 17:01 ` Steven Allen 1 sibling, 1 reply; 21+ messages in thread From: Ihor Radchenko @ 2024-06-28 16:55 UTC (permalink / raw) To: Suhail Singh; +Cc: Steven Allen, emacs-orgmode, Bastien Suhail Singh <suhailsingh247@gmail.com> writes: >> You can, of course, write that function; but then you might as well >> use org-link-abbrev-alist instead of defining a local #+LINK. > > Perhaps I misunderstood, I thought the thing being polled was whether or > not to allow org-link-abbrev-alist to have REPLACE (per its docstring) > be a function. I.e., if %(my-function) is removed, so too would the > ability to have a function in the REPLACE position in > org-link-abbrev-alist. Did I misunderstand? Yup. I only meant %(...) placeholder constructs. ("linkkey" . REPLACE) where REPLACE is a function symbol will still be allowed. What will not be allowed is: #+LINK: linkkey %(my-function) and ("linkkey" . "...%(my-function)...") in `org-link-abbrev-alist'. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92> ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec 2024-06-28 16:55 ` Ihor Radchenko @ 2024-06-28 17:34 ` Suhail Singh 0 siblings, 0 replies; 21+ messages in thread From: Suhail Singh @ 2024-06-28 17:34 UTC (permalink / raw) To: Ihor Radchenko; +Cc: Suhail Singh, Steven Allen, emacs-orgmode, Bastien Ihor Radchenko <yantar92@posteo.net> writes: > Yup. I only meant %(...) placeholder constructs. ("linkkey" > . REPLACE) where REPLACE is a function symbol will still be allowed. Thank you for confirming. Please ignore my previous response. -- Suhail ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec 2024-06-28 16:45 ` Suhail Singh 2024-06-28 16:55 ` Ihor Radchenko @ 2024-06-28 17:01 ` Steven Allen 2024-06-28 17:55 ` Suhail Singh 1 sibling, 1 reply; 21+ messages in thread From: Steven Allen @ 2024-06-28 17:01 UTC (permalink / raw) To: Suhail Singh; +Cc: Suhail Singh, Ihor Radchenko, emacs-orgmode, Bastien Suhail Singh <suhailsingh247@gmail.com> writes: > Steven Allen <steven@stebalien.com> writes: > >> 1. While this feature no longer invokes completely arbitrary code, it >> still allows an attacker to call any function marked as "pure" which >> is a pretty large attack surface. > > I am struggling to assess this, because it's not clear to me what the > threat model is. Could you please elaborate? How are the attacker and > potential victim interacting; what is the attack vector(s); who are the > threat agents and what is their goal that we are trying to guard > against, etc? Scenario: Attacker sends an email containing an inline org-mode part with a malicious link abbreviation. The concern is that, e.g., there may b a function _marked_ as pure that's not actually pure, leaks some information, and/or has a security vulnerability (e.g., a C function exposed to lisp that's marked as pure but internally has, e.g., a buffer overflow). Of course, the actual attack hypothetical. The question being asked here is: is the %(..) specifier in link abbreviations useful enough to warent the potential risks. >> You can, of course, write that function; but then you might as well >> use org-link-abbrev-alist instead of defining a local #+LINK. > > Perhaps I misunderstood, I thought the thing being polled was whether or > not to allow org-link-abbrev-alist to have REPLACE (per its docstring) > be a function. I.e., if %(my-function) is removed, so too would the > ability to have a function in the REPLACE position in > org-link-abbrev-alist. Did I misunderstand? The question is whether or not %(function) placeholders should be allowed in #+LINK: lines. It doesn't actually say anything about allowing them in the global org-link-abbrev-alist. But to be explicit, there are three options: 1. Allow them in both #+LINK: lines and the global org-link-abbrev-alist. 2. Allow them in org-link-abbrev-alist only. 3. Remove them entirely. ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec 2024-06-28 17:01 ` Steven Allen @ 2024-06-28 17:55 ` Suhail Singh 2024-06-28 18:16 ` Steven Allen 0 siblings, 1 reply; 21+ messages in thread From: Suhail Singh @ 2024-06-28 17:55 UTC (permalink / raw) To: Steven Allen; +Cc: Suhail Singh, Ihor Radchenko, emacs-orgmode, Bastien Steven Allen <steven@stebalien.com> writes: > The concern is that, e.g., there may b a function _marked_ as pure > that's not actually pure, leaks some information, and/or has a > security vulnerability (e.g., a C function exposed to lisp that's > marked as pure but internally has, e.g., a buffer overflow). Are there any functions marked as pure, by default? > 1. Allow them in both #+LINK: lines and the global > org-link-abbrev-alist. > > 2. Allow them in org-link-abbrev-alist only. > > 3. Remove them entirely. If no functions are marked as pure by default, 1 seems reasonable to me. If some functions are marked as pure by default (by Emacs / Org mode), then 2 seems reasonable. I believe 3 is excessive. -- Suhail ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec 2024-06-28 17:55 ` Suhail Singh @ 2024-06-28 18:16 ` Steven Allen 0 siblings, 0 replies; 21+ messages in thread From: Steven Allen @ 2024-06-28 18:16 UTC (permalink / raw) To: Suhail Singh; +Cc: Suhail Singh, Ihor Radchenko, emacs-orgmode, Bastien Suhail Singh <suhailsingh247@gmail.com> writes: > Steven Allen <steven@stebalien.com> writes: > >> The concern is that, e.g., there may b a function _marked_ as pure >> that's not actually pure, leaks some information, and/or has a >> security vulnerability (e.g., a C function exposed to lisp that's >> marked as pure but internally has, e.g., a buffer overflow). > > Are there any functions marked as pure, by default? > Yes. Any function that starts with: (declare (pure t) ... This flag was introduced to allow the byte/native compiler to better optimize calls to pure functions. It's used here because "pure" functions should be safe to call. ^ permalink raw reply [flat|nested] 21+ messages in thread
* [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) 2024-06-22 16:10 [ANN] Emergency bugfix release: Org mode 9.7.5 Ihor Radchenko ` (3 preceding siblings ...) 2024-06-28 15:09 ` [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko @ 2024-06-28 15:23 ` Ihor Radchenko 2024-06-28 15:52 ` Steven Allen ` (2 more replies) 4 siblings, 3 replies; 21+ messages in thread From: Ihor Radchenko @ 2024-06-28 15:23 UTC (permalink / raw) To: emacs-orgmode; +Cc: Bastien, Steven Allen Ihor Radchenko <yantar92@posteo.net> writes: > I just released Org mode 9.7.5 that fixes a critical vulnerability. > The release is coordinated with emergency Emacs 29.4 release. This one is another potential issue (or a feature) we have found while discussing the main vulnerability. Currently, one can create an Org file like #+LINK: https https://fake-gmail-login-page.xyz/ [[https://gmail.com]] And the "https" link will actually be expanded according to the abbreviation. In other words, abbreviations take priority over the link types in Org mode. As illustrated above, one can try to trick user into clicking the above "gmail" link, redirecting to completely different page instead. On the other hand, I can totally see people making use of the current behavior to have custom filters for existing link types. For example, to redirect to archive.org when opening web links. I am inclined to call this a feature, and leave the current behavior unchanged, but would like to hear from others first. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92> ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) 2024-06-28 15:23 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko @ 2024-06-28 15:52 ` Steven Allen 2024-06-28 15:54 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs Suhail Singh 2024-07-29 18:42 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 2 siblings, 0 replies; 21+ messages in thread From: Steven Allen @ 2024-06-28 15:52 UTC (permalink / raw) To: Ihor Radchenko, emacs-orgmode; +Cc: Bastien Ihor Radchenko <yantar92@posteo.net> writes: > Ihor Radchenko <yantar92@posteo.net> writes: > >> I just released Org mode 9.7.5 that fixes a critical vulnerability. >> The release is coordinated with emergency Emacs 29.4 release. > > This one is another potential issue (or a feature) we have found while > discussing the main vulnerability. > > Currently, one can create an Org file like > > #+LINK: https https://fake-gmail-login-page.xyz/ > [[https://gmail.com]] This is no different from: [[https://fake-gmail-login-page.xyz][https://gmail.com]] In both cases, mousing over the link will show you the actual target address. On the other hand, having different faces for "plain" links (links where the text in the buffer matches the link target) and special links would be kind of nice. ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] Bug of Feature? Attack vector via deceiving link abbrevs 2024-06-28 15:23 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 2024-06-28 15:52 ` Steven Allen @ 2024-06-28 15:54 ` Suhail Singh 2024-07-29 18:42 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 2 siblings, 0 replies; 21+ messages in thread From: Suhail Singh @ 2024-06-28 15:54 UTC (permalink / raw) To: Ihor Radchenko; +Cc: emacs-orgmode, Bastien, Steven Allen Ihor Radchenko <yantar92@posteo.net> writes: > On the other hand, I can totally see people making use of the current > behavior to have custom filters for existing link types. Yes, I use this currently for redirecting reddit links. It's certainly a feature in my opinion. -- Suhail ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) 2024-06-28 15:23 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 2024-06-28 15:52 ` Steven Allen 2024-06-28 15:54 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs Suhail Singh @ 2024-07-29 18:42 ` Ihor Radchenko 2 siblings, 0 replies; 21+ messages in thread From: Ihor Radchenko @ 2024-07-29 18:42 UTC (permalink / raw) To: emacs-orgmode; +Cc: Bastien, Steven Allen Ihor Radchenko <yantar92@posteo.net> writes: > I am inclined to call this a feature, and leave the current behavior > unchanged, but would like to hear from others first. The responses are all in favor of keeping the existing behavior. No changes. Closed. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92> ^ permalink raw reply [flat|nested] 21+ messages in thread
end of thread, other threads:[~2024-07-29 18:42 UTC | newest] Thread overview: 21+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-06-22 16:10 [ANN] Emergency bugfix release: Org mode 9.7.5 Ihor Radchenko 2024-06-22 17:49 ` Ihor Radchenko 2024-06-22 23:55 ` Greg Troxel 2024-06-23 1:58 ` Steven Allen 2024-06-22 17:59 ` emacs-orgmode 2024-06-22 19:15 ` Ihor Radchenko 2024-06-24 9:09 ` Assigned: CVE-2024-39331 (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 2024-06-24 8:08 ` [ANN] Emergency bugfix release: Org mode 9.7.5 Bastien Guerry 2024-06-28 15:09 ` [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 2024-06-28 15:51 ` [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec Suhail Singh 2024-06-28 16:20 ` Steven Allen 2024-06-28 16:45 ` Suhail Singh 2024-06-28 16:55 ` Ihor Radchenko 2024-06-28 17:34 ` Suhail Singh 2024-06-28 17:01 ` Steven Allen 2024-06-28 17:55 ` Suhail Singh 2024-06-28 18:16 ` Steven Allen 2024-06-28 15:23 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko 2024-06-28 15:52 ` Steven Allen 2024-06-28 15:54 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs Suhail Singh 2024-07-29 18:42 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/emacs.git https://git.savannah.gnu.org/cgit/emacs/org-mode.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.