Version in base suite: 9.4.0+dfsg-1
Base version: org-mode_9.4.0+dfsg-1
Target version: org-mode_9.4.0+dfsg-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/org-mode/org-mode_9.4.0+dfsg-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/org-mode/org-mode_9.4.0+dfsg-1+deb11u1.dsc
changelog | 10 +
patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch | 51 ++++++++++
patches/series | 2
3 files changed, 62 insertions(+), 1 deletion(-)
diff -Nru org-mode-9.4.0+dfsg/debian/changelog org-mode-9.4.0+dfsg/debian/changelog
--- org-mode-9.4.0+dfsg/debian/changelog	2020-09-24 14:07:33.000000000 +0000
+++ org-mode-9.4.0+dfsg/debian/changelog	2023-08-03 13:28:47.000000000 +0000
@@ -1,3 +1,13 @@
+org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Fix Org Mode command injection vulnerability CVE-2023-28617 by backporting
+    0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs
+    did (Closes: #1033341). Thanks to Rob Browning's work in that package,
+    fixing org-mode was trivially easy!
+
+ -- Nicholas D Steeves  Thu, 03 Aug 2023 09:28:47 -0400
+
 org-mode (9.4.0+dfsg-1) unstable; urgency=medium
 
   * New upstream version 9.4.0+dfsg
diff -Nru org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
--- org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch	1970-01-01 00:00:00.000000000 +0000
+++ org-mode-9.4.0+dfsg/debian/patches/0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch	2023-08-03 13:28:47.000000000 +0000
@@ -0,0 +1,51 @@
+From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001
+From: Xi Lu
+Date: Sat, 11 Mar 2023 18:53:37 +0800
+Subject: Fix command injection vulnerability CVE-2023-28617
+
+https://security-tracker.debian.org/tracker/CVE-2023-28617
+
+Trivially backport the following upstream patch like emacs-1:28.2+1-15 did:
+
+ * lisp/ob-latex.el: Fix command injection vulnerability
+
+ (org-babel-execute:latex):
+ Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
+
+ TINYCHANGE
+
+The second patch of the series does not appear to needed by Org-mode 9.4.0.
+
+Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
+Bug-Debian: https://bugs.debian.org/1033341
+---
+ lisp/ob-latex.el | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
+index 4b343dd..704ae4e 100644
+--- a/lisp/ob-latex.el
++++ b/lisp/ob-latex.el
+@@ -152,17 +152,14 @@ This function is called by `org-babel-execute-src-block'.
+ (if (string-suffix-p ".svg" out-file)
+ (progn
+ (shell-command "pwd")
+- (shell-command (format "mv %s %s"
+- (concat (file-name-sans-extension tex-file) "-1.svg")
+- out-file)))
++ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
++ out-file t))
+ (error "SVG file produced but HTML file requested")))
+ ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
+ (if (string-suffix-p ".html" out-file)
+- (shell-command "mv %s %s"
+- (concat (file-name-sans-extension tex-file)
+- ".html")
+- out-file)
+- (error "HTML file produced but SVG file requested")))))
++ (rename-file (concat (file-name-sans-extension tex-file) ".html")
++ out-file t)
++ (error "HTML file produced but SVG file requested")))))
+ ((or (string= "pdf" extension) imagemagick)
+ (with-temp-file tex-file
+ (require 'ox-latex)
diff -Nru org-mode-9.4.0+dfsg/debian/patches/series org-mode-9.4.0+dfsg/debian/patches/series
--- org-mode-9.4.0+dfsg/debian/patches/series	2020-09-24 14:07:33.000000000 +0000
+++ org-mode-9.4.0+dfsg/debian/patches/series	2023-08-03 13:28:47.000000000 +0000
@@ -1,4 +1,4 @@
 10-shebang.patch
 #20-links-unescaping.patch
 30-local-mk.patch
-
+0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
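Review bot: The context line `(shell-command "pwd")` directly above the new `rename-file` call in the `.svg` branch still spawns a shell for no visible purpose and should be dropped together with this fix; without it the `(progn ...)` collapses to the bare `(rename-file (concat (file-name-sans-extension tex-file) "-1.svg") out-file t)` call. The trailing `t` makes `rename-file` overwrite an existing OUT-FILE, which appears to preserve the former `mv` semantics, but a short comment such as `;; OK-IF-ALREADY-EXISTS: keep the overwrite behaviour of the old mv call` would make that a deliberate choice rather than something the next reader has to reconstruct. The patch header asserts that the second upstream patch is not needed for 9.4.0; since the enclosing `org-babel-execute:latex` starts and ends outside this hunk, it would be worth recording in the header which remaining `shell-command`/`format` call sites in ob-latex.el were checked to support that claim.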