SB2025032701 - Ubuntu update for org-mode

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) OS Command Injection (CVE-ID: CVE-2023-28617)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the org-babel-execute:latex in ob-latex.el when processing file or directory names. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary OS commands on the target system via a file name or directory name that contains shell metacharacters.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Use of Potentially Dangerous Function (CVE-ID: CVE-2024-30202)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to usage of dangerous method when processing untrusted files. A remote attacker can trick the victim to open a specially crafted document and execute arbitrary Lisp code as part of turning on Org mode.

3) Insufficient verification of data authenticity (CVE-ID: CVE-2024-30205)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to Emacs in Org mode considers contents of remote files to be trusted. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.

4) Use of Potentially Dangerous Function (CVE-ID: CVE-2024-39331)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function. A remote attacker can execute arbitrary OS commands on the system.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-7375-1