From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id +Ff6HriMr2ApZgEAgWs5BA
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 27 May 2021 14:12:40 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id 6Oe1GriMr2DdGAAAB5/wlQ
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 27 May 2021 12:12:40 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id CAAAC22165
	for <larch@yhetil.org>; Thu, 27 May 2021 14:12:39 +0200 (CEST)
Received: from localhost ([::1]:34426 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	id 1lmEsP-0007gd-5S
	for larch@yhetil.org; Thu, 27 May 2021 08:12:37 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:53518)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lmEo2-0007eu-6X; Thu, 27 May 2021 08:08:06 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:39238)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lmEny-0003y9-RN; Thu, 27 May 2021 08:08:05 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lmEny-0005TU-K9; Thu, 27 May 2021 08:08:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: bug#48676: Arbitrary code execution in Org export macros
Resent-From: Rafael Ramirez Morales <rafael.ramirezmorales@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org, emacs-orgmode@gnu.org
Resent-Date: Thu, 27 May 2021 12:08:02 +0000
Resent-Message-ID: <handler.48676.B48676.162211724220974@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 48676
X-GNU-PR-Package: emacs,org-mode
X-GNU-PR-Keywords: security
To: Glenn Morris <rgm@gnu.org>
Received: via spool by 48676-submit@debbugs.gnu.org id=B48676.162211724220974
 (code B ref 48676); Thu, 27 May 2021 12:08:02 +0000
Received: (at 48676) by debbugs.gnu.org; 27 May 2021 12:07:22 +0000
Received: from localhost ([127.0.0.1]:50781 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lmEnJ-0005SC-R2
 for submit@debbugs.gnu.org; Thu, 27 May 2021 08:07:22 -0400
Received: from mail-oi1-f169.google.com ([209.85.167.169]:34741)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rafael.ramirezmorales@gmail.com>) id 1lmA2P-00044x-TY
 for 48676@debbugs.gnu.org; Thu, 27 May 2021 03:02:38 -0400
Received: by mail-oi1-f169.google.com with SMTP id u11so4183330oiv.1
 for <48676@debbugs.gnu.org>; Thu, 27 May 2021 00:02:37 -0700 (PDT)
MIME-Version: 1.0
References: <2nk0nl7asb.fsf@fencepost.gnu.org>
In-Reply-To: <2nk0nl7asb.fsf@fencepost.gnu.org>
From: Rafael Ramirez Morales <rafael.ramirezmorales@gmail.com>
Date: Thu, 27 May 2021 09:02:20 +0200
Message-ID: <CAL1NY7bbWcCX7Ni1t+LcxL9_jdBmCgKkfj9u=xUqxaLoxJkJig@mail.gmail.com>
Content-Type: multipart/alternative; boundary="000000000000d1af9d05c34a57cb"
X-Mailman-Approved-At: Thu, 27 May 2021 08:07:20 -0400
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: emacs-orgmode@gnu.org
List-Id: "General discussions about Org-mode." <emacs-orgmode.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-orgmode>
List-Post: <mailto:emacs-orgmode@gnu.org>
List-Help: <mailto:emacs-orgmode-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=subscribe>
Cc: 48676@debbugs.gnu.org
Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org
Sender: "Emacs-orgmode" <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20161025 header.b=m8BjRRWN;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of emacs-orgmode-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=emacs-orgmode-bounces@gnu.org
X-Migadu-Spam-Score: -1.33
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20161025 header.b=m8BjRRWN;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of emacs-orgmode-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=emacs-orgmode-bounces@gnu.org
X-Migadu-Queue-Id: CAAAC22165
X-Spam-Score: -1.33
X-Migadu-Scanner: scn1.migadu.com
X-TUID: iCCsL7SFD7YK

--000000000000d1af9d05c34a57cb
Content-Type: text/plain; charset="UTF-8"

Just a couple of questions:
Who is the owner of the HELLO file?
OR
Who is the owner of the "touch" process?

Is the owner the unprivileged user or the "emacs" system?

Thanks.

On Wed, 26 May 2021 at 17:53, Glenn Morris <rgm@gnu.org> wrote:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
>
>

--000000000000d1af9d05c34a57cb--
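An added example, not part of the original thread and not Org's own code: a pre-export audit that flags the kind of macro definition shown in the report, so an untrusted .org file can be reviewed before anyone runs org-export-dispatch on it. It assumes the Org manual's rule that a macro body starting with "(eval" is evaluated as Lisp; the function name and the sample text are constructed for illustration, and macros pulled in through #+SETUPFILE are not followed.

```python
import re

# "#+MACRO: name body" definition lines; Org keywords are case-insensitive.
MACRO_DEF = re.compile(r"^[ \t]*#\+macro:[ \t]+(\S+)[ \t]+(.*)$", re.I | re.M)
# "{{{name}}}" or "{{{name(args)}}}" call sites in the document body.
MACRO_CALL = re.compile(r"\{\{\{([A-Za-z][\w-]*)(?:\(.*?\))?\}\}\}", re.S)

# Constructed sample: the reproducer from the report plus two control macros.
SAMPLE = '''#+title: constructed sample
#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
#+MACRO: greet Hello, $1!
#+macro: unused (eval (format "%s" 1))
Hello. {{{hello}}} {{{greet(world)}}}
'''


def find_eval_macros(org_text):
    """Return one dict per macro whose body is an (eval ...) form.

    Each finding carries the macro name, its 1-based line number, the raw
    body, and whether the document actually invokes it (a definition that
    is invoked is the one that would run during export).
    """
    # Names are compared case-insensitively, a deliberately conservative choice.
    called = {name.lower() for name in MACRO_CALL.findall(org_text)}
    findings = []
    for match in MACRO_DEF.finditer(org_text):
        name, body = match.group(1), match.group(2).strip()
        if body.startswith("(eval"):
            findings.append({
                "name": name,
                "line": org_text.count("\n", 0, match.start()) + 1,
                "body": body,
                "invoked": name.lower() in called,
            })
    return findings


if __name__ == "__main__":
    for hit in find_eval_macros(SAMPLE):
        status = "INVOKED" if hit["invoked"] else "defined only"
        print(f"line {hit['line']}: macro {hit['name']!r} ({status}): {hit['body']}")
```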