From: Xi Lu Date: Sat, 18 Feb 2023 10:03:28 +0000 (+0800) Subject: Org Mode vulnerability CVE-2023-28617 is fixed (2/2) X-Git-Tag: archive/raspbian/1%29.2+1-2+rpi1~1^2~39^2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=023ac1eff558f6fb387fea1629b084c8929de18d;p=emacs.git Org Mode vulnerability CVE-2023-28617 is fixed (2/2) https://security-tracker.debian.org/tracker/CVE-2023-28617 This upstream patch (2/2) has been incorporated to fix the problem: Org Mode command injection vulnerability has been fixed (CVE-2023-28617) * lisp/ob-latex.el (org-babel-execute:latex): Fix command injection vulnerability Link: https://orgmode.org/list/tencent_5C4D5D0DEFDDBBFC66F855703927E60C7706@qq.com TINYCHANGE Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485 Bug-Debian: https://bugs.debian.org/1033342 --- diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el index 73139c836b8..1c5df6fe85d 100644 --- a/lisp/org/ob-latex.el +++ b/lisp/org/ob-latex.el @@ -167,7 +167,7 @@ This function is called by `org-babel-execute-src-block'." tmp-pdf (list org-babel-latex-pdf-svg-process) extension err-msg log-buf))) - (shell-command (format "mv %s %s" img-out out-file))))) + (rename-file img-out out-file t)))) ((string-suffix-p ".tikz" out-file) (when (file-exists-p out-file) (delete-file out-file)) (with-temp-file out-file
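Review bot: The new `(rename-file img-out out-file t)` line passes `t` as the third argument, which makes the rename silently overwrite an existing `out-file`. That matches what the removed `mv` did, but a one-line comment saying the overwrite is intentional would help. The neighbouring `.tikz` branch handles the same case explicitly with `(when (file-exists-p out-file) (delete-file out-file))`. The change itself is the right shape for this bug: the removed `(shell-command (format "mv %s %s" img-out out-file))` interpolated both file names into a shell string with no quoting, so any shell metacharacters in either name were interpreted by the shell, while `rename-file` hands the names to the file system without a shell. One behavioural difference is worth noting in the commit message or a comment. `rename-file` signals a `file-error` when the rename fails, so a failure now surfaces at this call instead of leaving the shell command's result to whatever consumed it.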