From: Thibaut Verron
Newsgroups: gmane.emacs.help
Subject: Re: Need information regarding Emacs application
Date: Sat, 10 Feb 2024 12:07:05 +0100
To: Anders Munch, Srinivasan Santhanam, help-gnu-emacs, Alec Gordon, Sridhar Peddapelli

On Sat 10 Feb 2024, 11:33 Jean Louis wrote:

> * Anders Munch [2024-02-09 18:19]:
> > Srinivasan Santhanam wrote:
> > > Could you please confirm whether there are any vulnerabilities identified with the latest 29.2 version.
> >
> > https://www.opencve.io/cve?vendor=gnu&product=emacs
>
> I would not agree that those CVE reports are propriate to Emacs.
>
> Let us review few examples:
>
> > CVE-2023-2491 2 Gnu, Redhat 5 Emacs, Enterprise Linux, Enterprise Linux Eus and 2 more 2023-12-10 N/A 7.8 HIGH
> > A flaw was found in the Emacs text editor. Processing a specially
> > crafted org-mode code with the "org-babel-execute:latex" function in
> > ob-latex.el can result in arbitrary command execution. This CVE exists
> > because of a CVE-2023-28617 security regression for the emacs package
> > in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.
>
> We have to consider that Emacs has a built-in programming
> language. All parts of Emacs can be replaced, or loaded from not only
> system files but also private files.
>
> If any attacking user has access to file system, than such user can
> provide custom "Org" library or any other library and can impose on
> the victim user for that library to do whatever they want.

This one could point to an actual vulnerability, given that LaTeX by default does not allow evaluating arbitrary code on the system. A user can be wary about elisp and e.g. python snippets, yet trust that LaTeX code should be safe.

I don't see why you bring compromised libraries into the mix, afaik ob-latex is distributed with org-mode.

If I understand the summary correctly, the attack only requires a .org file with a malicious "src LaTeX" block, that's not full access to the file system.

Thibaut