OSG-SEC-2023-04-26_2 MEDIUM GNU Emacs Org Mode arbitrary command injection

Dear OSG Security Contacts,

A vulnerability was identified in org-babel-execute:latex in ob-latex.el in Org Mode [1] through 9.6.1 for GNU Emacs. [2] It's unclear how widely this impacts OSG users, but all users of the GNU Emacs editor should install available updates for their OS as a precaution.

IMPACTED VERSIONS:

Org Mode versions 9.6.1 and prior.

WHAT ARE THE VULNERABILITIES:

The vulnerability allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.

WHAT YOU SHOULD DO:

RHEL 8 & 9 based distributions Update the Emacs packages on your systems. [3]

RHEL 7 based distributions aren't impacted.

For Ubuntu see [4]

For other Debian distributions see [5]

REFERENCES

[1] https://orgmode.org/

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2180544

[3] https://access.redhat.com/security/cve/CVE-2023-28617

[4] https://ubuntu.com/security/CVE-2023-28617

[5] https://security-tracker.debian.org/tracker/CVE-2023-28617

Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team