• Bug#1067663: org-mode: Org mode 9.6.23 that fixes several critical

    From David Bremner@21:1/5 to All on Mon Mar 25 11:10:01 2024
    Package: org-mode
    Version: 9.6.10+dfsg-1
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: debian-emacsen@lists.debian.org, Debian Security Team <team@security.debian.org>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    In https://list.orgmode.org/87o7b3eczr.fsf@bzg.fr/T/#t, Ihor Radchenko writes


    I just released Org mode 9.6.23 that fixes several critical
    vulnerabilities. The release is coordinated with emergency Emacs 29.3
    release
    (https://lists.gnu.org/archive/html/info-gnu/2024-03/msg00005.html).

    Please upgrade your Org mode *and* Emacs ASAP.

    The vulnerabilities involve arbitrary Elisp and LaTeX evaluation when
    previewing attachments in Emacs or when opening third-party Org files.


-- System Information:
    Debian Release: trixie/sid
    APT prefers testing-debug
    APT policy: (500, 'testing-debug'), (500, 'testing')
    Architecture: amd64 (x86_64)
    Foreign Architectures: arm64

    Kernel: Linux 6.6.15-amd64 (SMP w/20 CPU threads; PREEMPT)
    Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages org-mode depends on:
    ii elpa-org 9.6.10+dfsg-1

    org-mode recommends no packages.

    org-mode suggests no packages.

-- no debconf information

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCAAdFiEEkiyHYXwaY0SiY6fqA0U5G1WqFSEFAmYBSjMACgkQA0U5G1Wq FSHjuA/+PbZdJex2gariys1U8zA9ExAUW0TKE2Pt/k/bngZt9+B7JGm1bNqSMkBm mPN+6uIEZdmmasNCqHzNwlxPyezWnL1ik4n3lfz1fkXMSf7YWExcL/rnBvsc6aqi yzTB0IPP2+1Jx0BV3ysiX62eRlLXiv3NlJQuKHyOwVCjOUDJUdN25YgZQ7b4Q2/S 4lC6O1wkmJqyV/PopvHIeFTo76l8Cg612ZGFrdniXkWB4zUSl2MdfsduimFO4xfp /izY1u7nCT+bdsKT6OdvKqV5bStEukiklo/A2V9KTWrAQ2xeNwgE0gtP6MYzVfZ+ f7of4+SCqt0dZMwLiuZse+XA82nPnDqSdiT5A5EGRQ8am5BQ9d0weOoaQMho3vym bUQO0rdU0MCrZR3MxCH4YPKm1ge1wPS7zLL48/+6PFhlHHkmQ1t98EzCbJ+gEgJW Qm/wnT0ctJRmp2uqGDpRLeI0t+YU/kyfaaHS/rB7XSkQN6vBmJKnClGmgFnhVphR hrQVVpJjD0SeZSv9uOUI17HfPz9v3pIKLCMs4R2+WTddxf6bdXytFmlOWBlcvEpE 0ocIW00D68jDWx0Bq1PItEJ11V9GbcqrigtBHfEocYVnL4hB3x5lkaGkMF5P2gOn 4OL3eC+UqJoEpr53PiD5fdbo7WkeI3NCdDBqb/GDn9Kj4HQyZqY=
    =aTCW
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Mon Mar 25 22:30:01 2024

    Your message dated Mon, 25 Mar 2024 21:19:46 +0000
    with message-id <E1rorjO-00FQUa-88@fasolo.debian.org>
    and subject line Bug#1067663: fixed in org-mode 9.6.23+dfsg-1
    has caused the Debian Bug report #1067663,
    regarding org-mode: CVE-2024-30202 CVE-2024-30205
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


    --
    1067663: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067663
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Nicholas D Steeves@21:1/5 to All on Tue Mar 26 01:40:01 2024
    fixed 1067663 org-mode/9.5.2+dfsh-5
    found 1067663 org-mode/9.6.7+dfsg-1
    thanks

9.5.2+dfsh-5 in stable/bookworm is an empty package that depends on the
org-mode bundled with stable/bookworm's Emacs, so I'm marking this CVE
as fixed there. Elpa-org in stable/bookworm will be fixed by a security
upload of Emacs.

    I'm skipping 9.6.6+dfsg-1~exp1, since it's not relevant anymore.

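The thread turns on which installed package versions predate the fix: 9.6.10+dfsg-1 and 9.6.7+dfsg-1 are marked found, 9.6.23+dfsg-1 is the fix in unstable, and bookworm's 9.5.2+dfsh-5 is marked fixed only because that package is empty. The following is an added example, not code from the Debian BTS, from Org mode or from any of the posters: it implements dpkg's version ordering (Debian Policy 5.6.12, the same rules `dpkg --compare-versions` applies) in pure Python so the check can run on a host without dpkg, then applies it to the versions quoted above. The suite table, the `FOUND_VERSIONS` list and all function names are this example's own; the version strings are copied verbatim from the messages, including the "dfsh" spelling in the bookworm control command.

```python
"""Decide whether an installed Debian org-mode version predates the fix
discussed in Bug#1067663, using dpkg's version-ordering rules.

Added example for this bug log; not code from Debian, the BTS or Org mode.
"""

# Versions exactly as they appear in the bug log (constructed table).
FOUND_VERSIONS = ["9.6.10+dfsg-1", "9.6.7+dfsg-1"]
FIXED_IN = {
    "sid": "9.6.23+dfsg-1",
    "trixie": "9.6.23+dfsg-1",
    # bookworm's org-mode is an empty package depending on Emacs' bundled
    # Org; the real fix there is an Emacs security upload whose version the
    # thread does not give, so this entry only mirrors the BTS "fixed" mark.
    "bookworm": "9.5.2+dfsh-5",
}


def _order(ch):
    """dpkg weight for a character in a non-digit run: '~' sorts before
    end-of-string (weight 0), letters before all other characters."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_nondigit(a, b):
    for k in range(max(len(a), len(b))):
        wa = _order(a[k]) if k < len(a) else 0
        wb = _order(b[k]) if k < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare two fragments as alternating non-digit and digit runs;
    digit runs are compared numerically, so 9.6.10 sorts after 9.6.7."""
    while a or b:
        i = next((n for n, c in enumerate(a) if c.isdigit()), len(a))
        j = next((n for n, c in enumerate(b) if c.isdigit()), len(b))
        r = _cmp_nondigit(a[:i], b[:j])
        if r:
            return r
        a, b = a[i:], b[j:]
        i = next((n for n, c in enumerate(a) if not c.isdigit()), len(a))
        j = next((n for n, c in enumerate(b) if not c.isdigit()), len(b))
        da, db = int(a[:i] or "0"), int(b[:j] or "0")
        if da != db:
            return -1 if da < db else 1
        a, b = a[i:], b[j:]
    return 0


def split_version(v):
    """Return (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:  # no hyphen: native package, empty revision
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """-1, 0 or 1 with the ordering of `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, suite):
    """True when `installed` is at or beyond the version marked fixed for
    `suite`; see the FIXED_IN comment for why bookworm needs a separate
    check of the emacs package."""
    return dpkg_compare(installed, FIXED_IN[suite]) >= 0


if __name__ == "__main__":
    for v in FOUND_VERSIONS:
        print(f"{v}: fixed in sid? {is_fixed(v, 'sid')}")
    print("9.6.6+dfsg-1~exp1 < 9.6.6+dfsg-1:",
          dpkg_compare("9.6.6+dfsg-1~exp1", "9.6.6+dfsg-1") == -1)
```

The tilde rule matters here: the experimental build 9.6.6+dfsg-1~exp1 that Nicholas skips sorts below 9.6.6+dfsg-1, as dpkg intends for pre-release uploads. On bookworm a version check against org-mode alone says nothing useful, because the package carries no code; an audit there must compare the installed emacs package against the version from the corresponding Emacs security upload, which this thread does not state.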