Max Nikulin <maniku...@gmail.com> writes: >> But this patch literally fixed the problem. What else should we do? > > Do you really think that it was the last unsafe shell command in the Org > code?
No, but I prefer concrete examples. The CVE you linked to refers to an already fixed bug. > https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-ditaa.el#n101 > and (shell-command pdf-cmd) below The only unsafe part there is `java' that is taken from :java header argument. I am unsure how to fix this issue without feature regression. > https://git.savannah.gnu.org/cgit/emacs/org-mode.git/tree/lisp/ob-lilypond.el#n194 May you provide a patch? >>> I suppose, the issue has been received too much attention already: >>> >>> - https://security-tracker.debian.org/tracker/CVE-2023-28617 >>> - https://ubuntu.com/security/notices/USN-6003-1 >>> - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-28617 >> >> These appear to be different issues. > > Linux distributions had to react to the CVE with formally high score and > updated Emacs packages applying 2 tiny patches from this thread. Sure, but I have applied both the patches onto bugfix. That's why I asked you what else we should do. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92>
