[oss-security] Arbitrary shell command evaluation in Org mode (GNU Emacs)
| From: | Ihor Radchenko <yantar92-AT-posteo.net> | |
| To: | oss-security-AT-lists.openwall.com | |
| Subject: | [oss-security] Arbitrary shell command evaluation in Org mode (GNU Emacs) | |
| Date: | Sun, 23 Jun 2024 08:41:15 +0000 | |
| Message-ID: | <87wmmguk44.fsf@localhost> |
Hi, Here is a vulnerability in Emacs Org mode. Reproducer is the following .org file: #+LINK: shell %(shell-command-to-string) [[shell:touch ~/hacked.txt]] When sent by email and previewed in Emacs or when opened in Emacs as a file, the above Org file will evaluate "touch ~/hacked.txt" without any prompts. The fix is attached. It is against Org mode git repository. The fix can be applied to older versions of Org mode/Emacs if deemed necessary. The fix has been included into Emacs 29.4 and Org 9.7.5 (released yesterday).
Attachment: v3-0001-org-link-expand-abbrev-Do-not-evaluate-arbitrary-.patch (type=text/x-patch)>From d1f32835c875d79ec373cc27eb0fa2ef0dd61984 Mon Sep 17 00:00:00 2001 Message-ID: <d1f32835c875d79ec373cc27eb0fa2ef0dd61984.1718785968.git.yantar92@posteo.net> From: Ihor Radchenko <yantar92@posteo.net> Date: Tue, 18 Jun 2024 13:06:44 +0200 Subject: [PATCH v3] org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link abbrevs that specify unsafe function. Instead, display a warning, and do not expand the abbrev. Clear all the text properties from the returned link, to avoid any potential vulnerabilities caused by properties that may contain arbitrary Elisp. --- lisp/ol.el | 40 +++++++++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/lisp/ol.el b/lisp/ol.el index 7a7f4f558..8a556c7b9 100644 --- a/lisp/ol.el +++ b/lisp/ol.el @@ -1152,17 +1152,35 @@ (defun org-link-expand-abbrev (link) (if (not as) link (setq rpl (cdr as)) - (cond - ((symbolp rpl) (funcall rpl tag)) - ((string-match "%(\\([^)]+\\))" rpl) - (replace-match - (save-match-data - (funcall (intern-soft (match-string 1 rpl)) tag)) - t t rpl)) - ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) - ((string-match "%h" rpl) - (replace-match (url-hexify-string (or tag "")) t t rpl)) - (t (concat rpl tag))))))) + ;; Drop any potentially dangerous text properties like + ;; `modification-hooks' that may be used as an attack vector. + (substring-no-properties + (cond + ((symbolp rpl) (funcall rpl tag)) + ((string-match "%(\\([^)]+\\))" rpl) + (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) + ;; Using `unsafep-function' is not quite enough because + ;; Emacs considers functions like `genenv' safe, while + ;; they can potentially be used to expose private system + ;; data to attacker if abbreviated link is clicked. + (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) + (eq t (get rpl-fun-symbol 'pure))) + (replace-match + (save-match-data + (funcall (intern-soft (match-string 1 rpl)) tag)) + t t rpl) + (org-display-warning + (format "Disabling unsafe link abbrev: %s +You may mark function safe via (put '%s 'org-link-abbrev-safe t)" + rpl (match-string 1 rpl))) + (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) + org-link-abbrev-alist (delete as org-link-abbrev-alist)) + link + ))) + ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) + ((string-match "%h" rpl) + (replace-match (url-hexify-string (or tag "")) t t rpl)) + (t (concat rpl tag)))))))) (defun org-link-open (link &optional arg) "Open a link object LINK. -- 2.45.1
Attachment: None (type=text/plain)-- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92>