Org Mode vulnerability CVE-2023-28617 is fixed (1/2)

https://security-tracker.debian.org/tracker/CVE-2023-28617

This upstream patch (1/2) has been incorporated to fix the problem:

  * lisp/ob-latex.el: Fix command injection vulnerability

  (org-babel-execute:latex):
  Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.

  TINYCHANGE

Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
Bug-Debian: https://bugs.debian.org/1033342

diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
index 7253803af9e4dfcaed8ec669cc2d302b2c6f791b..73139c836b8d6860d7714cb97747bb46de91789b 100644 (file)
--- a/lisp/org/ob-latex.el
+++ b/lisp/org/ob-latex.el
@@ -205,17 +205,14 @@ This function is called by `org-babel-execute-src-block'."
            (if (string-suffix-p ".svg" out-file)
                (progn
                  (shell-command "pwd")
-                 (shell-command (format "mv %s %s"
-                                        (concat (file-name-sans-extension tex-file) "-1.svg")
-                                        out-file)))
+                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
+                               out-file t))
              (error "SVG file produced but HTML file requested")))
           ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
            (if (string-suffix-p ".html" out-file)
-               (shell-command "mv %s %s"
-                              (concat (file-name-sans-extension tex-file)
-                                      ".html")
-                              out-file)
-             (error "HTML file produced but SVG file requested")))))
+                (rename-file (concat (file-name-sans-extension tex-file) ".html")
+                             out-file t)
+              (error "HTML file produced but SVG file requested")))))
         ((or (string= "pdf" extension) imagemagick)
          (with-temp-file tex-file
            (require 'ox-latex)