From: Thibaut Verron <thibaut.verron@gmail.com>
To: Anders Munch <ajm@flonidan.dk>,
Srinivasan Santhanam <srinivasan.santhanam@hitachienergy.com>,
help-gnu-emacs <help-gnu-emacs@gnu.org>,
Alec Gordon <alec.gordon@hitachienergy.com>,
Sridhar Peddapelli <sridhar.peddapelli@hitachienergy.com>
Subject: Re: Need information regarding Emacs application
Date: Sat, 10 Feb 2024 12:07:05 +0100
Message-ID: <CAFsi02SatE1mBGCJvom=ohJc6jb2kunnaOX4ZNVzYPrd9R7ugg@mail.gmail.com>
In-Reply-To: <ZcdQilIQjLOmcriA@lco.syogm.com>

On Sat 10 Feb 2024, 11:33 Jean Louis, <bugs@gnu.support> wrote:
> * Anders Munch <ajm@flonidan.dk> [2024-02-09 18:19]:
> > Srinivasan Santhanam wrote:
> > > Could you please confirm whether there are any vulnerabilities
> > > identified with the latest 29.2 version.
> >
> > https://www.opencve.io/cve?vendor=gnu&product=emacs
>
> I would not agree that those CVE reports are propriate to Emacs.
>
> Let us review a few examples:
>
> > CVE-2023-2491 2 Gnu, Redhat 5 Emacs, Enterprise Linux,
> > Enterprise Linux Eus and 2 more 2023-12-10 N/A 7.8 HIGH
> > A flaw was found in the Emacs text editor. Processing a specially
> > crafted org-mode code with the "org-babel-execute:latex" function in
> > ob-latex.el can result in arbitrary command execution. This CVE exists
> > because of a CVE-2023-28617 security regression for the emacs package
> > in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.
>
> We have to consider that Emacs has a built-in programming
> language. All parts of Emacs can be replaced, or loaded from not only
> system files but also private files.
>
> If any attacking user has access to file system, then such user can
> provide custom "Org" library or any other library and can impose on
> the victim user for that library to do whatever they want.
>

This one could point to an actual vulnerability, given that LaTeX by
default does not allow evaluating arbitrary code on the system.
A user can be wary about elisp and e.g. python snippets, yet trust that
LaTeX code should be safe.

I don't see why you bring compromised libraries into the mix, afaik
ob-latex is distributed with org-mode. If I understand the summary
correctly, the attack only requires a .org file with a malicious "src
LaTeX" block, that's not full access to the file system.

Thibaut