https://security-tracker.debian.org/tracker/CVE-2023-28617
This upstream patch (1/2) has been incorporated to fix the problem:
* lisp/ob-latex.el: Fix command injection vulnerability
(org-babel-execute:latex):
Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
TINYCHANGE
Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=
a8006ea580ed74f27f974d60b598143b04ad1741
Bug-Debian: https://bugs.debian.org/
1033342
Gbp-Pq: Name 0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
(if (string-suffix-p ".svg" out-file)
(progn
(shell-command "pwd")
- (shell-command (format "mv %s %s"
- (concat (file-name-sans-extension tex-file) "-1.svg")
- out-file)))
+ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
+ out-file t))
(error "SVG file produced but HTML file requested")))
((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
(if (string-suffix-p ".html" out-file)
- (shell-command "mv %s %s"
- (concat (file-name-sans-extension tex-file)
- ".html")
- out-file)
- (error "HTML file produced but SVG file requested")))))
+ (rename-file (concat (file-name-sans-extension tex-file) ".html")
+ out-file t)
+ (error "HTML file produced but SVG file requested")))))
((or (string= "pdf" extension) imagemagick)
(with-temp-file tex-file
(require 'ox-latex)
projects / emacs.git / commitdiff