Received: (at 48676) by debbugs.gnu.org; 27 May 2021 02:54:19 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed May 26 22:54:19 2021
Received: from localhost ([127.0.0.1]:50376 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1lm6A6-00020V-SP
for submit <at> debbugs.gnu.org; Wed, 26 May 2021 22:54:19 -0400
Received: from relay-egress-host.us-east-2.a.mail.umich.edu
([18.219.209.13]:48318 helo=joyful-pryderi.relay-egress.a.mail.umich.edu)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <minshall@HIDDEN>) id 1lm6A4-00020I-Fs
for 48676 <at> debbugs.gnu.org; Wed, 26 May 2021 22:54:16 -0400
Received: from shaggy-alux.authn-relay.a.mail.umich.edu
(ip-10-0-74-243.us-east-2.compute.internal [10.0.74.243])
by joyful-pryderi.relay-egress.a.mail.umich.edu with ESMTPS
id 60AF09D2.B252B.7065D8E5.1224308; Wed, 26 May 2021 22:54:10 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu;
s=relay-2018-08-29; t=1622084050;
bh=jeJ3Nq/QViL185aDFTFzng7gdFvbeZlA4oMvc2Z0hf0=;
h=From:To:cc:Subject:In-reply-to:Date;
b=Cf1/YxGU/rDGwNOwfd0GMptAJllg+JJkwhy0+pt5Ryios+hDaV1MefAE98BbMHKnq
YCbD9DIVV8KTOfJNDNFH77QoqAyeK4zPCGaFc2hbUHpihLhwNs2qpBFKksGJgi/obe
A9Iei4M7VwEIDZAq7calka5EM8ZKYuYroQpizbofeihG9/+CSBby5YRkVUpknfcGg7
O/7SfZqJ0Fz4XsdWytvae+2eJpyMfvP9S2fxFs951zroevee6MBPBbwq55qf9WTACg
AZRBxEx3zeEBijmooNA5YWv8p9DdOixgTtcLzfPnyhhp8qPP+LB92cMl2dENnlFHGX
yBnzwvOuGweGA==
Authentication-Results: shaggy-alux.authn-relay.a.mail.umich.edu;
iprev=fail policy.iprev=88.236.240.114 (Mismatch);
auth=pass smtp.auth=minshall
Received: from localhost (Mismatch [88.236.240.114])
by shaggy-alux.authn-relay.a.mail.umich.edu with ESMTPSA
id 60AF09CF.F13A9.DE8AB7C.1769026; Wed, 26 May 2021 22:54:08 -0400
From: Greg Minshall <minshall@HIDDEN>
To: Glenn Morris <rgm@HIDDEN>
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
In-reply-to: Your message of "Wed, 26 May 2021 11:52:04 -0400."
<2nk0nl7asb.fsf@HIDDEN>
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 27.2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <4005253.1622084044.1@HIDDEN>
Date: Thu, 27 May 2021 05:54:04 +0300
Message-ID: <4005254.1622084044@HIDDEN>
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 48676
Cc: 48676 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Glenn,
thanks for the report.
i guess my take is that macro-evaluation, and that of other forms,
should be subject to the same restrictions as that of source block
evaluation. i.e., prompting for permission to execute, subject to
=org-confirm-babel-evaluate= (or, more specific variables).
cheers, Greg
> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exist, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
bug-gnu-emacs@HIDDEN, emacs-orgmode@HIDDEN:bug#48676; Package emacs,org-mode.
Full text available.Received: (at 48676) by debbugs.gnu.org; 26 May 2021 18:23:52 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed May 26 14:23:52 2021 Received: from localhost ([127.0.0.1]:49897 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1llyC7-0008DH-LM for submit <at> debbugs.gnu.org; Wed, 26 May 2021 14:23:52 -0400 Received: from mail-pj1-f48.google.com ([209.85.216.48]:43601) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <tecosaur@HIDDEN>) id 1llx0L-00042k-I6 for 48676 <at> debbugs.gnu.org; Wed, 26 May 2021 13:07:40 -0400 Received: by mail-pj1-f48.google.com with SMTP id ep16-20020a17090ae650b029015d00f578a8so721070pjb.2 for <48676 <at> debbugs.gnu.org>; Wed, 26 May 2021 10:07:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=references:user-agent:from:to:cc:subject:in-reply-to:message-id :date:mime-version; bh=+VvLj+D+39pXou7UlH1yiTznCzqmGqMWezWI4DFfVHM=; b=aV1BoZAfPbvl31/K3dSQcUgA2kk1mlPYW0nMCxdO89VSUl8lxMlouwaqlXZvLSe/NH PX4rDYM/Jae0Qc5DW4hHCGgy1LZVtFX8hWb8FOLcm2Mh0kWl45bEc9Ft5NkDnzj2rEHo o+SX6k7H1v1t7JSTzlO4dhvL9eq5vTD1QfGFjR/Vl7qCHtwEnes3CSbZw29ckE+631Se +GuaK6cBxW9LaBYv3I3WOCqBmAaoW8UqV49f29p44ToWt+37KJKD+YWZgqRsEq+6oyk9 4GekQoKaCIDbR/TwqfMvlz4w5vEQHqTKnIoGrF/N1+/c12rfA9+ZSOuSeO1yX5afHR2M DUNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:references:user-agent:from:to:cc:subject :in-reply-to:message-id:date:mime-version; bh=+VvLj+D+39pXou7UlH1yiTznCzqmGqMWezWI4DFfVHM=; b=E3w1rHetHa+r9vagEImv5MjI6/Y3Pf0Nx5+AXB0sFjxXG7m4amCv5WPGFVU+xDCNm1 dMwNjYndVmHBktv/55U1JHzEHZ+YWhqHVDfCIPSWCkHJqPiccK98ozKmWPy0KeWkT1di 0XuLqmroC58YbvUxzHe+NkjFeE2Xm2w+TPBfT32Nbqul9fyMzmSzTrsQiudi3E8BsPR1 HnqUU0kDLKOsW9NcHlbWkrjZJEiL0jtlJGvO+oOL9E0T1Mywe5buwf41ZKB73UP2m2Ms HyeEvRoUerDYZGBpi4K9iiuamAWxv6DSDVZdapTE7luywty/4UrB7GUlRomUy+NKBO2D BUNg== X-Gm-Message-State: AOAM533tw1UsYBUfOP2+iGP3gTHFpWGkjq6vTVIuMvfwQfwE/Pwe1hF6 DPdsyqxr5dQZJChrSvLQYj0= X-Google-Smtp-Source: ABdhPJwKPEOMK86BSRORQ2HK8siD7Ef35IT85Y40tsV1sKkaWODJ9sCtoibvV6KRmZ1f3HEr1srNXw== X-Received: by 2002:a17:902:a586:b029:fe:459b:2ce0 with SMTP id az6-20020a170902a586b02900fe459b2ce0mr996265plb.40.1622048851677; Wed, 26 May 2021 10:07:31 -0700 (PDT) Received: from localhost (180-150-91-8.b4965b.per.nbn.aussiebb.net. [180.150.91.8]) by smtp.gmail.com with ESMTPSA id r5sm4730962pjd.2.2021.05.26.10.07.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 26 May 2021 10:07:31 -0700 (PDT) References: <2nk0nl7asb.fsf@HIDDEN> User-agent: mu4e 1.4.15; emacs 28.0.50 From: Timothy <tecosaur@HIDDEN> To: Glenn Morris <rgm@HIDDEN> Subject: Re: bug#48676: Arbitrary code execution in Org export macros In-reply-to: <2nk0nl7asb.fsf@HIDDEN> Message-ID: <87mtsho240.fsf@HIDDEN> Date: Thu, 27 May 2021 01:07:27 +0800 MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 48676 X-Mailman-Approved-At: Wed, 26 May 2021 14:23:50 -0400 Cc: 48676 <at> debbugs.gnu.org, emacs-orgmode@HIDDEN X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Thanks for reporting this. Glenn Morris <rgm@HIDDEN> writes: > This seems contrary to normal Emacs practice for risky local variables, Hmm, correct me if I'm wrong but the issue with risky local variables is that they affect Emacs before the user sees them in the file? If this is an important distinction, it means this particular type of concern does not apply to Org #+macro statements, as they are not executed when the user opens the file. That said, if one were making say an automated Org file exporter or something, I could see this being problematic. Perhaps a var set to allow macros by default could be a good idea. > and to the section "Code Evaluation and Security Issues" in the Org manual > (which does not mention macros). Looks like this should be updated regardless of the above. -- Timothy
bug-gnu-emacs@HIDDEN, emacs-orgmode@HIDDEN:bug#48676; Package emacs,org-mode.
Full text available.
Received: (at 48676) by debbugs.gnu.org; 26 May 2021 18:00:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed May 26 14:00:29 2021
Received: from localhost ([127.0.0.1]:49867 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1llxpU-0005sW-RR
for submit <at> debbugs.gnu.org; Wed, 26 May 2021 14:00:29 -0400
Received: from mail-wm1-f53.google.com ([209.85.128.53]:52868)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <tgbugs@HIDDEN>) id 1llxpS-0005lR-VM
for 48676 <at> debbugs.gnu.org; Wed, 26 May 2021 14:00:27 -0400
Received: by mail-wm1-f53.google.com with SMTP id z130so1235014wmg.2
for <48676 <at> debbugs.gnu.org>; Wed, 26 May 2021 11:00:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=n9MlvkpcSOs33tOeMuyToLKZBoVys6xJSJkK8dmolDE=;
b=DpZi9o6PMlY3HAdV0Vr4rGXGa350OeXj9aGog2m/XpuOxXGHMOEHGBT8ms9zA+rgG9
ogNoeBlePVUs+8wZ7ha4pFbzLAgztF9CTdYNffSdBRghqDKoZeimTXd0BxYxwJZ67aVv
pq9dADxPeeDLE7B+3rdRAFhkBVqpmCkcNZ4MKvGx+aaYQzklmNa7OShoJm+wpCyqqg+r
Lj/8dNkbbKcpxaryy0+Yszv5hLQZtt46j6/GeufwSMK69ZrZ24/YxLL8gJDE4RMeOWcj
Ewx/Hjzyif/72iv8ZrR8INujDAU+C6KQ+Eq5e5HZU1wLwtFy3coEbsgYx5PHc5VUk7OO
5TaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=n9MlvkpcSOs33tOeMuyToLKZBoVys6xJSJkK8dmolDE=;
b=T8JtaJZwD8NXv5ONi+v/dQjXfJzL8Z6Yw63+qwMzKYLTboaMmY+W4NjQbhGmCU/oeF
pV+Xi6xCUxe1lVu4qjgD42gi/sWXzUkyqgTewoO0B+qdwzYZ2lTw1s/KCcJX3+3njNyW
fjVbOiA2yoSJZ9vaz90/aB1gF3TZx4ubx5P+8OpprTga71s4TtOCFkUyInM8KXCv1huq
7+klCKAa3xOIBbaS0P4kIITsZMqt2AjB1+jNT6MrU+daY5RJDgiaj8FZyKIQ3uaNYAih
ZI5cmt0x7MJ5GfUaeUWYZFUbIRFdlZ/4I+6eHbYOPLCM513AQJe8DBAxcZmSCsbSz75a
x0WQ==
X-Gm-Message-State: AOAM530Xfupfkf+Kcuu25M+TxMxv3/FJl7Jqa4vUiRkKppOjCNcCnc4w
PUFlWyUJJPgCe1GkGzyK3vhvyn/V3wC1tQ0ffhw=
X-Google-Smtp-Source: ABdhPJwfrGdSt7zLEoxZtoWLSPtmVBaY71Y9zc1JFJbi5QqDWgslW0w4LbaKg3Z1Wlju1fGSS9x7QhDmyH45CSTZ9m0=
X-Received: by 2002:a1c:c911:: with SMTP id f17mr30720631wmb.45.1622052020840;
Wed, 26 May 2021 11:00:20 -0700 (PDT)
MIME-Version: 1.0
References: <2nk0nl7asb.fsf@HIDDEN> <87mtsho240.fsf@HIDDEN>
In-Reply-To: <87mtsho240.fsf@HIDDEN>
From: Tom Gillespie <tgbugs@HIDDEN>
Date: Wed, 26 May 2021 11:00:09 -0700
Message-ID: <CA+G3_PN-2Kir-YJ=BToXMS69K+Oj2G55EKASAt-7gqHMmnM_rg@HIDDEN>
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
To: Timothy <tecosaur@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 48676
Cc: Glenn Morris <rgm@HIDDEN>, 48676 <at> debbugs.gnu.org,
emacs-orgmode <emacs-orgmode@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Hi Glenn,
The definition for local variables doesn't cover things like org
macros, though the spirit of the policy is something worth keeping in
mind. Running M-x org-export-dispatch and hitting two keys means that
the user has to do something to trigger code execution, much like they
would have to intentionally accept certain risky local variables.
That said, the fact that many org operations can run arbitrary code is
definitely something that needs clearer documentation. It might make
sense to add a setting to detect closures that appear in org files to
ask for permission before running, but it likely should not be on by
default.
For a fairly extensive discussion of code execution in org see this
thread from Nov 2020.
https://orgmode.org/list/robi94$ma$1@HIDDEN/#t
Best,
Tom
bug-gnu-emacs@HIDDEN, emacs-orgmode@HIDDEN:bug#48676; Package emacs,org-mode.
Full text available.
Received: (at submit) by debbugs.gnu.org; 26 May 2021 15:52:14 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed May 26 11:52:14 2021
Received: from localhost ([127.0.0.1]:49761 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1llvpO-0001xI-0e
for submit <at> debbugs.gnu.org; Wed, 26 May 2021 11:52:14 -0400
Received: from eggs.gnu.org ([209.51.188.92]:36614)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <rgm@HIDDEN>) id 1llvpM-0001x5-2Q
for submit <at> debbugs.gnu.org; Wed, 26 May 2021 11:52:12 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:37996)
by eggs.gnu.org with esmtp (Exim 4.90_1)
(envelope-from <rgm@HIDDEN>) id 1llvpG-0003g6-QR
for submit <at> debbugs.gnu.org; Wed, 26 May 2021 11:52:06 -0400
Received: from rgm by fencepost.gnu.org with local (Exim 4.90_1)
(envelope-from <rgm@HIDDEN>)
id 1llvpE-0007OY-SY; Wed, 26 May 2021 11:52:05 -0400
From: Glenn Morris <rgm@HIDDEN>
To: submit <at> debbugs.gnu.org
Subject: Arbitrary code execution in Org export macros
X-Spook: Ruby Ridge Snow Intiso Minox JPL BND BMDO Beltran-Leyva
X-Ran: AEID5HY`jU\**5u#\,;a=Md@p)X[{jh1|>Dh9Gmj4A8F`=]fNlt%R?eV0nq6_]-IWnFQ-O
X-Hue: black
X-Debbugs-No-Ack: yes
X-Attribution: GM
Date: Wed, 26 May 2021 11:52:04 -0400
Message-ID: <2nk0nl7asb.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)
Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security
emacs -Q hello.org, where hello.org contains:
#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}
Then:
M-x org-export-dispatch
t A
-> now /tmp/HELLO exist, with no prompting.
This seems contrary to normal Emacs practice for risky local variables,
and to the section "Code Evaluation and Security Issues" in the Org manual
(which does not mention macros).
bug-gnu-emacs@HIDDEN, emacs-orgmode@HIDDEN:bug#48676; Package emacs,org-mode.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.