Dear maintainers:
This bug report refers to a couple of distinct issues:
1. Evaluating arbitrary Lisp code when a file is opened.
2. Evaluating arbitrary LaTeX code in various circumstances.
While the second issue is important to consider, I'd like to
focus on the first part. This is a grave security issue
affecting Debian stable, and the fix is simple.
To check whether or not you have a vulnerable version of
org-mode, create a file called "foo.org" containing the following
text:
#+MACRO: x (eval (syntax-propertize-rules ((insert (upcase "vulnerable\n")))))
Then open foo.org in Emacs. If the word "VULNERABLE" appears,
you are using a vulnerable version.
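As a defender-side pre-check added here (it is not part of the bug report or of Org mode), the following Python mirrors the `(eval` test the patch below applies to macro values, so untrusted .org files can be flagged before being opened in a pre-fix Emacs; `scan_file` and the sample document are constructed for illustration.

```python
import re
from typing import List, Tuple

# Same predicate the Emacs 29.3 patch applies to a macro value:
# (string-match-p "\\`(eval\\>" value), i.e. the value starts with
# "(eval" followed by a word boundary ("(evaluate" does not count).
EVAL_MACRO_VALUE = re.compile(r"\A\(eval\b")

# An Org keyword line "#+MACRO: NAME VALUE"; the keyword is case-insensitive.
MACRO_LINE = re.compile(r"^[ \t]*#\+MACRO:[ \t]+(\S+)[ \t]*(.*)$", re.IGNORECASE)


def find_eval_macros(org_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, macro_name, value) for every #+MACRO definition
    whose value a pre-fix org-macro.el would hand to `eval` at load time."""
    hits = []
    for lineno, line in enumerate(org_text.splitlines(), start=1):
        m = MACRO_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if EVAL_MACRO_VALUE.match(value):
            hits.append((lineno, name, value))
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan one .org file on disk (hypothetical helper for a mail gateway or
    a pre-open hook); errors="replace" keeps the scan going on odd bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_eval_macros(fh.read())


# Constructed sample document: one benign macro, the bug report's own test
# macro, a lowercase keyword variant, and a near-miss that must NOT match.
SAMPLE_ORG = r"""#+TITLE: Constructed sample
#+MACRO: author Example Author
#+MACRO: x (eval (syntax-propertize-rules ((insert (upcase "vulnerable\n")))))
#+macro: y (eval (concat "a" "b"))
#+MACRO: z (evaluate-me)

* Heading
Body text expanding {{{x}}}.
"""

if __name__ == "__main__":
    for lineno, name, value in find_eval_macros(SAMPLE_ORG):
        print(f"line {lineno}: macro {name!r} evaluates Lisp: {value}")
```

The scanner only reports definitions; whether such a macro is legitimate still needs a human decision, which is exactly the consent the patch's comment asks for.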
Below is the patch from Emacs 29.3 that fixes this bug. It
applies cleanly against the version in bookworm (1:28.2+1-15):
diff --git a/lisp/org/org-macro.el b/lisp/org/org-macro.el
index 776d162..0be51ee 100644
--- a/lisp/org/org-macro.el
+++ b/lisp/org/org-macro.el
@@ -109,6 +109,13 @@ previous one, unless VALUE is nil. Return the updated
list."
(let ((new-templates nil))
(pcase-dolist (`(,name . ,value) templates)
(let ((old-definition (assoc name new-templates)))
+ ;; This code can be evaluated unconditionally, as a part of
+ ;; loading Org mode. We *must not* evaluate any code present
+ ;; inside the Org buffer while loading. Org buffers may come
+ ;; from various sources, like received email messages from
+ ;; potentially malicious senders. Org mode might be used to
+ ;; preview such messages and no code evaluation from inside the
+ ;; received Org text should ever happen without user consent.
(when (and (stringp value) (string-match-p "\\`(eval\\>" value))
;; Pre-process the evaluation form for faster macro expansion.
(let* ((args (org-macro--makeargs value))
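Review bot: the added comment states the constraint well (no evaluation of buffer text while loading) but sits above the `when` guard, which is unchanged, rather than next to the line whose behaviour actually changes (the `setq value (eval ...)` replaced in the next hunk); a one-line pointer there, or moving the comment down to the `setq`, would make the intent visible at the spot a future reader is likely to touch. The guard itself, `(string-match-p "\\`(eval\\>" value)`, is also the only thing that distinguishes a code macro from a text macro, so it is worth a note that the `\\>` word boundary is deliberate (so that a value such as `(evaluate ...)` is treated as plain text).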
@@ -121,7 +128,7 @@ previous one, unless VALUE is nil. Return the updated
list."
(cadr (read value))
(error
(user-error "Invalid definition for macro %S" name)))))
- (setq value (eval (macroexpand-all `(lambda ,args ,body)) t))))
+ (setq value `(lambda ,args ,body))))
(cond ((and value old-definition) (setcdr old-definition value))
(old-definition)
(t (push (cons name (or value "")) new-templates)))))
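Review bot: replacing `(eval (macroexpand-all `(lambda ,args ,body)) t)` with the quoted form `(lambda ,args ,body)` defers evaluation rather than removing it, so `value` is now a list, not a function object; any caller that tested the template with `functionp` or called it directly will need to evaluate the form at expansion time, and that expansion point becomes the place where the user consent mentioned in the first hunk's comment has to be obtained. Note also that `(cadr (read value))` on the preceding line still runs the Lisp reader over untrusted text; `read` does not evaluate, and the `user-error` branch covers malformed input, so this is acceptable, but the docstring ("Return the updated list.") should say that `(eval` macros are now stored as unevaluated lambda forms.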
Source:
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb
Please add this patch to the Emacs source package, and make a
security update, as soon as possible.