On 12/03/2023 18:28, Ihor Radchenko wrote:
lux writes:
Ok, I'll undo this part of the changes first, and repost patch.
From b48784a16c5806694498f072ffdd98e5a3c144b5 Mon Sep 17 00:00:00 2001
From: Xi Lu
Date: Sat, 11 Mar 2023 18:53:37 +0800
Subject: [PATCH] * lisp/ob-latex.el: Fix command injection vulnerability
Applied, onto bugfix.
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea58
So the fix is included in org-mode-9.6.2.
I have just noticed that it is tracked as a CVE record:
https://www.cve.org/CVERecord?id=CVE-2023-28617
https://nvd.nist.gov/vuln/detail/CVE-2023-28617
CVE-2023-28617
org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU
Emacs allows attackers to execute arbitrary commands via a file name or
directory name that contains shell metacharacters.
Base Score: 7.8 HIGH
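Added illustration of the bug class the CVE record above describes (shell metacharacters in a file name reaching a shell command), shown as the vulnerable builder beside a hardened one; this is not the code from the org-mode commit. The `demo-*` names are hypothetical, and the test assumes Emacs 28 or later on a POSIX shell.

```elisp
;; Added example, not the ob-latex.el fix itself.
(require 'ert)
(require 'shell)  ; for `split-string-shell-command' (Emacs 28+)

(defun demo-latex-command-unsafe (tex-file)
  "Build a pdflatex command line by plain string interpolation.
Any shell metacharacter in TEX-FILE changes what the shell executes."
  (format "pdflatex -interaction nonstopmode %s" tex-file))

(defun demo-latex-command-safe (tex-file)
  "Build the same command line, but quote TEX-FILE for the shell.
`shell-quote-argument' makes the shell read the whole name as one word."
  (format "pdflatex -interaction nonstopmode %s"
          (shell-quote-argument tex-file)))

;; Constructed sample: a benign file name containing spaces, parentheses
;; and a dollar sign, all of which the shell would otherwise interpret.
(defconst demo-tex-file "my thesis (draft) $final.tex")

(ert-deftest demo-latex-command-quoting ()
  "The hardened builder must hand the shell a single word for the file."
  (let ((unsafe (demo-latex-command-unsafe demo-tex-file))
        (safe (demo-latex-command-safe demo-tex-file)))
    ;; The unsafe form passes the metacharacters through verbatim.
    (should (string-match-p "(draft) \\$final" unsafe))
    ;; The safe form escapes every metacharacter (POSIX shell quoting).
    (should (string= safe
                     "pdflatex -interaction nonstopmode my\\ thesis\\ \\(draft\\)\\ \\$final.tex"))
    ;; Parsing it back the way a shell would recovers the original name
    ;; as one argument, so no extra command can be spliced in.
    (should (equal (split-string-shell-command safe)
                   (list "pdflatex" "-interaction" "nonstopmode" demo-tex-file)))))
```

Run with `M-x ert RET demo-latex-command-quoting RET` after evaluating the buffer.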