From: Glenn Morris
To: submit@debbugs.gnu.org
Subject: Arbitrary code execution in Org export macros
Date: Wed, 26 May 2021 11:52:04 -0400

Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security

emacs -Q hello.org, where hello.org contains:

#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}

Then:
M-x org-export-dispatch
t A

-> now /tmp/HELLO exists, with no prompting.

This seems contrary to normal Emacs practice for risky local variables,
and to the section "Code Evaluation and Security Issues" in the Org manual
(which does not mention macros).

From: Tom Gillespie
To: Timothy
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Wed, 26 May 2021 11:00:09 -0700

Hi Glenn,

The definition for local variables doesn't cover things like org macros,
though the spirit of the policy is something worth keeping in mind.
Running M-x org-export-dispatch and hitting two keys means that the user
has to do something to trigger code execution, much like they would have
to intentionally accept certain risky local variables.

That said, the fact that many org operations can run arbitrary code is
definitely something that needs clearer documentation. It might make
sense to add a setting to detect closures that appear in org files to
ask for permission before running, but it likely should not be on by
default.

For a fairly extensive discussion of code execution in org see this
thread from Nov 2020.
https://orgmode.org/list/robi94$ma$1@ciao.gmane.io/#t

Best,
Tom

From: Timothy
To: Glenn Morris
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 01:07:27 +0800

Thanks for reporting this.

Glenn Morris writes:

> This seems contrary to normal Emacs practice for risky local variables,

Hmm, correct me if I'm wrong but the issue with risky local variables is
that they affect Emacs before the user sees them in the file? If this is
an important distinction, it means this particular type of concern does
not apply to Org #+macro statements, as they are not executed when the
user opens the file.

That said, if one were making say an automated Org file exporter or
something, I could see this being problematic. Perhaps a var set to
allow macros by default could be a good idea.

> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

Looks like this should be updated regardless of the above.

--
Timothy

From: Greg Minshall
To: Glenn Morris
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 05:54:04 +0300

Glenn,

thanks for the report.

i guess my take is that macro-evaluation, and that of other forms,
should be subject to the same restrictions as that of source block
evaluation. i.e., prompting for permission to execute, subject to
=org-confirm-babel-evaluate= (or, more specific variables).

cheers, Greg

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

From: Rafael Ramirez Morales
To: Glenn Morris
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 09:02:20 +0200

Just a couple of questions:
who is the owner of the HELLO file?
OR
who is the owner of the "touch" process?

Is the owner the unprivileged user or the "emacs" system?

Thanks.

On Wed, 26 May 2021 at 17:53, Glenn Morris wrote:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

From: Mike Kupfer
To: 48676@debbugs.gnu.org
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Mon, 20 Jun 2022 17:37:30 -0700

I just verified that this issue is still present in Emacs master
(4ae315f7c3).

mike

From: Stefan Kangas
To: Ihor Radchenko
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Fri, 7 Feb 2025 14:11:45 -0800

Glenn Morris writes:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

Ihor, could you please look into this bug?

From: Max Nikulin
To: Stefan Kangas, Ihor Radchenko
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Sat, 8 Feb 2025 11:17:51 +0700

On 08/02/2025 05:11, Stefan Kangas wrote:
> Glenn Morris writes:
>> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
>> Hello. {{{hello}}}
>>
>> Then: M-x org-export-dispatch t A
[...]
> Ihor, could you please look into this bug?

Disclaimer: I am not Ihor.

In my opinion, it is an important, but not an urgent issue. I do not see
a way to unintentionally invoke export in default configuration. It
requires C-x C-e and a couple of extra keys to select format. User can
abort the process after accidental starting export dispatcher. So this
issue is less severe than e.g. CVE-2024-53920 (indirectly related to
bug#32495 completion and bug#37656 flymake) when it is enough to open
some file to cause execution of embedded code.

I admit there are user configurations and some packages that may add
easy access binding e.g. to copy selection as HTML or as MarkDown that
run org-export under the hood.

Execution of code really may be surprising for novices, but for
experienced Org users it is a powerful feature.

I do not mind that a warning related to macros may be added to
(info "(org) Code-Evaluation-Security") and linked from
(info "(org) Exporting") subsection (info "(org) Macro-Replacement").

What may help to mitigate the issue is the recently introduced
`trusted-content' variable (that still may be renamed to
`macros-always-safe' or to something even more confusing). Maybe more
flexible settings should be implemented. I expect, Glenn does not assume
that `org-export' should be affected by user options related to
(info "(emacs) File-Variables"), and it was just an example of a similar
approach.

There was an attempt to fix this kind of issues in Org. Unfortunately a
naive approach caused severe user inconvenience and the changes were
reverted. I am afraid, as a consequence, some users even disabled
existing protection related to `org-babel'. I recall a discussion on the
emacs-orgmode mailing list how to manage degree of trust for specific
Org mode documents.

I do not think it would harm to put eval macros behind `trusted-content'
when this variable is available, but it would not be a complete fix. Org
supports previous Emacs releases.

From: Ihor Radchenko
To: Stefan Kangas
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Sat, 15 Mar 2025 17:36:20 +0000

Stefan Kangas writes:

>> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
>> Hello. {{{hello}}}
>>
>> Then:
>> M-x org-export-dispatch
>> t A
>>
>> -> now /tmp/HELLO exists, with no prompting.
>>
>> This seems contrary to normal Emacs practice for risky local variables,
>> and to the section "Code Evaluation and Security Issues" in the Org manual
>> (which does not mention macros).
>
> Ihor, could you please look into this bug?

This is a known problem. I do not see it as a bug (user needs to execute
a command), but indeed code evaluation control should eventually be
improved. It should just be designed properly.

See more discussion in
https://list.orgmode.org/orgmode/87edsd5o89.fsf@localhost/

--
Ihor Radchenko // yantar92,
Org mode maintainer
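
The automated-exporter case raised earlier in the thread, and the suggestion to gate macros the way source blocks are gated, can be approximated outside Emacs by scanning a file before it is handed to any export job. This is an added example, not code from the thread or from Org; `audit_org`, `export_allowed` and the `trusted` flag are hypothetical names, and the sample file is constructed around the reproducer from the report.

```python
import re
from dataclasses import dataclass

# "#+MACRO: name body" keyword line; Org keywords are case-insensitive.
MACRO_DEF = re.compile(r"^[ \t]*#\+macro:[ \t]+(\S+)[ \t]*(.*)$", re.IGNORECASE)
# "#+SETUPFILE: target" can bring in macro definitions from another file.
SETUPFILE = re.compile(r"^[ \t]*#\+setupfile:[ \t]+(\S.*?)[ \t]*$", re.IGNORECASE)
# Opening of a macro call: {{{name}}} or {{{name(args)}}}.
MACRO_CALL = re.compile(r"\{\{\{([A-Za-z][-A-Za-z0-9_]*)")
# A macro body that starts with "(eval" is evaluated as Emacs Lisp on expansion.
EVAL_BODY = re.compile(r"\(eval\b")


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line number of the keyword
    kind: str     # "eval-macro" or "setupfile"
    name: str     # macro name, or the SETUPFILE target
    called: bool  # eval-macro only: is {{{name}}} used in this file?


def audit_org(text):
    """List every place where exporting this file can run Lisp via macros.

    Deliberately over-reports: keyword lines inside example or source
    blocks are flagged too, and names are compared case-insensitively.
    """
    called = {m.group(1).lower() for m in MACRO_CALL.finditer(text)}
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        macro = MACRO_DEF.match(line)
        if macro and EVAL_BODY.match(macro.group(2)):
            name = macro.group(1)
            findings.append(
                Finding(lineno, "eval-macro", name, name.lower() in called))
            continue
        setup = SETUPFILE.match(line)
        if setup:
            # The referenced file is outside this scan, so it needs review.
            findings.append(Finding(lineno, "setupfile", setup.group(1), False))
    return findings


def export_allowed(text, trusted=False):
    """Policy gate (hypothetical): refuse unattended export of a file that
    has findings unless the caller has marked the file as trusted."""
    findings = audit_org(text)
    return (trusted or not findings), findings


# Constructed sample: line 2 is the macro from the bug report.
SAMPLE_ORG = """\
#+title: hello
#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
#+MACRO: greet Hello, $1!
#+macro: unused (eval (emacs-version))
#+setupfile: ./shared-macros.org

Hello. {{{hello}}}
{{{greet(world)}}}
"""

if __name__ == "__main__":
    allowed, findings = export_allowed(SAMPLE_ORG)
    print("export allowed:", allowed)
    for f in findings:
        print(f"  line {f.line}: {f.kind} {f.name!r} called={f.called}")
```

An eval macro that is never called in the scanned file is still reported, because a call can arrive through an included file.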