GNU bug report logs - #48676
Arbitrary code execution in Org export macros


Packages: org-mode, emacs;

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Wed, 26 May 2021 15:53:01 UTC

Severity: important

Tags: security

Found in version 28.0.50


Message #15 received at 48676 <at> debbugs.gnu.org (full text, mbox):

From: Rafael Ramirez Morales <rafael.ramirezmorales <at> gmail.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 48676 <at> debbugs.gnu.org
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 09:02:20 +0200
Just a couple of questions:
who is the owner of the HELLO file?
OR
who is the owner of the "touch" process?

Is the owner the unprivileged user or the "emacs" system?

Thanks.

On Wed, 26 May 2021 at 17:53, Glenn Morris <rgm <at> gnu.org> wrote:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
>
>
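As an added example (not code from the bug report, from Org or from Emacs), the following Python scanner applies the check a practitioner would want before exporting an Org file from an untrusted source: it flags every `#+MACRO:` definition whose expansion begins with `(eval`, because Org evaluates such an expansion as Emacs Lisp when the macro is expanded during export, and it lists the lines on which each flagged macro is invoked with `{{{name}}}` or `{{{name(...)}}}`. The sample document is the `hello.org` from the report plus one harmless macro; the function names and the regex-based line parsing are this example's own and are not an Org API. The scan only looks at the text it is given, so macro definitions pulled in from other files are an assumption it does not cover.

```python
"""Flag Org macro definitions that execute Emacs Lisp on export.

Example scanner written for this page; not part of Org or of the report.
"""
import re
from typing import List, NamedTuple


class EvalMacro(NamedTuple):
    line: int        # 1-based line of the #+MACRO: keyword
    name: str        # macro name
    expansion: str   # replacement text as written in the file


# Org keywords are case-insensitive: "#+macro:" and "#+MACRO:" both define
# a macro.  Names are letters, digits, hyphens and underscores.
MACRO_RE = re.compile(
    r"^\s*#\+macro:\s+(?P<name>[A-Za-z0-9_-]+)\s+(?P<expansion>.*)$",
    re.IGNORECASE,
)

# When the expansion starts with "(eval", Org evaluates it as Emacs Lisp
# at export time, which is what the report demonstrates with
# shell-command-to-string.
EVAL_RE = re.compile(r"^\(eval\b")


def find_eval_macros(org_text: str) -> List[EvalMacro]:
    """Return every macro definition whose expansion is evaluated as Lisp."""
    hits: List[EvalMacro] = []
    for lineno, line in enumerate(org_text.splitlines(), start=1):
        m = MACRO_RE.match(line)
        if not m:
            continue
        expansion = m.group("expansion").strip()
        if EVAL_RE.match(expansion):
            hits.append(EvalMacro(lineno, m.group("name"), expansion))
    return hits


def find_macro_calls(org_text: str, name: str) -> List[int]:
    """Return the 1-based lines that invoke {{{name}}} or {{{name(args)}}}."""
    call_re = re.compile(r"\{\{\{" + re.escape(name) + r"(?:\(|\}\}\})")
    return [
        lineno
        for lineno, line in enumerate(org_text.splitlines(), start=1)
        if call_re.search(line)
    ]


def report(org_text: str) -> List[str]:
    """Human-readable findings, one string per risky macro."""
    lines: List[str] = []
    for hit in find_eval_macros(org_text):
        calls = find_macro_calls(org_text, hit.name)
        where = ", ".join(str(n) for n in calls) if calls else "never invoked"
        lines.append(
            f"line {hit.line}: macro '{hit.name}' runs Emacs Lisp on export "
            f"(invoked on line(s): {where}): {hit.expansion}"
        )
    return lines


# Constructed sample: the hello.org from the report plus one benign macro.
SAMPLE_ORG = (
    '#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))\n'
    "#+MACRO: greeting Hello, $1!\n"
    "Hello. {{{hello}}}\n"
    "{{{greeting(world)}}}\n"
)


if __name__ == "__main__":
    findings = report(SAMPLE_ORG)
    if findings:
        print("Refusing to export without review:")
        for f in findings:
            print("  " + f)
    else:
        print("No (eval ...) macros found.")
```

Run it over any `.org` file before `org-export-dispatch`; a non-empty report means the document can execute arbitrary Emacs Lisp, and in the report's case a shell command, as soon as it is exported. The check is a triage heuristic on the file text only and does not replace prompting or disabling macro evaluation on the Emacs side.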




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.