On 02/05/2023 18:21, Ihor Radchenko wrote:
>> Max Nikulin writes:
>> I posted the links as a reminder that shell commands should be avoided
>> when possible (and it does not break TRAMP) and arguments should be
>> escaped otherwise.
> But this patch literally fixed the problem. What else should we do?
Do you really think that it was the last unsafe shell command in the Org
code?
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-ditaa.el#n101
and (shell-command pdf-cmd) below
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-lilypond.el#n194
Of course, you may say that expanding shell constructs in the :file header
argument is a feature that allows more flexibility. Personally, I
inspect Org files obtained from external resources in some dumb enough
viewer before opening them in Emacs.
I suppose the issue has received too much attention already:
- https://security-tracker.debian.org/tracker/CVE-2023-28617
- https://ubuntu.com/security/notices/USN-6003-1
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-28617
These appear to be different issues.
Linux distributions had to react to the CVE with a formally high score and
updated Emacs packages applying 2 tiny patches from this thread.
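The point made in the quoted exchange (avoid the shell where possible, quote arguments where not) is easy to see side by side. The Emacs Lisp below is an added illustration for this thread, not code from Org's ob-ditaa.el or ob-lilypond.el and not posted by either participant; all `my-` names are hypothetical, `ditaa` is only assumed to be some converter on PATH, and the `:file` value is constructed to contain shell metacharacters.

```elisp
;; Added example, not Org's own code.  Three ways of handing a user-supplied
;; :file value to an external converter.  Names prefixed `my-' are
;; hypothetical; "ditaa" stands for any command-line converter.

(defconst my-evil-file "out.png; touch /tmp/pwned #"
  "Constructed :file header value that carries shell metacharacters.")

;; 1. Unsafe: the file name is spliced into a command string and the
;;    string is given to a shell.  The shell parses `;' as a command
;;    separator, so a second, attacker-chosen command runs.
(defun my-convert-unsafe (in-file out-file)
  (shell-command (format "ditaa %s %s" in-file out-file)))

;; 2. Shell still involved, but every argument is escaped with
;;    `shell-quote-argument', so the whole value is one literal file name.
(defun my-convert-quoted (in-file out-file)
  (shell-command (concat "ditaa "
                         (shell-quote-argument in-file)
                         " "
                         (shell-quote-argument out-file))))

;; 3. No shell at all: `call-process' passes the argument vector to the
;;    program directly, so metacharacters are inert.  `process-file' has
;;    the same signature and honours a remote `default-directory', which is
;;    what keeps TRAMP working; prefer it in babel code.
(defun my-convert-no-shell (in-file out-file)
  (process-file "ditaa" nil "*my-ditaa*" nil in-file out-file))

;; Look at what the shell would receive in cases 1 and 2 without running
;; anything.  Evaluate `(my-show-commands)' in *scratch* and compare the
;; two strings: in the first the `;' is bare, in the second it is escaped.
(defun my-show-commands ()
  (list :unsafe (format "ditaa %s %s" "in.txt" my-evil-file)
        :quoted (concat "ditaa in.txt " (shell-quote-argument my-evil-file))))
```

Case 3 is the one the quoted message argues for: when the argument list is built in Lisp and handed to `process-file`, there is nothing for the `:file` value to inject into, and remote buffers keep working. Case 2 is the fallback when a shell pipeline or redirection is genuinely needed, as in the `pdf-cmd` string in ob-lilypond mentioned above.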