
CVE-2023-27985: #60204 - 28.2; Invalid Exec key in etc/emacsclient-mail.desktop

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification.
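The specification rule at issue here, that field codes must not be used inside a quoted argument of the Exec key, can be checked mechanically. The following Python checker is an added example, not code from the bug report or from Emacs; the sample entry and the `example-mailer` command are constructed for illustration.

```python
import re

FIELD_CODES = set("fFuUdDnNickvm")  # field codes defined for the Exec key

def unescape_string(value):
    """Undo the escapes every desktop-entry string value carries."""
    table = {"s": " ", "n": "\n", "t": "\t", "r": "\r", "\\": "\\"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), value)

def quoted_field_codes(exec_value):
    """Return the field codes that sit inside a double-quoted argument."""
    s = unescape_string(exec_value)
    hits, in_quote, i = [], False, 0
    while i < len(s):
        c = s[i]
        if in_quote and c == "\\":   # \" \` \$ \\ inside a quoted argument
            i += 2
            continue
        if c == "%":                 # %% is a literal percent sign
            if in_quote and s[i + 1:i + 2] in FIELD_CODES:
                hits.append(s[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        i += 1
    return hits

def audit_desktop_entry(text):
    """Return (group, codes) for each Exec key that breaks the rule."""
    findings, group = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Exec" and (codes := quoted_field_codes(value.strip())):
            findings.append((group, codes))
    return findings

# Constructed sample; example-mailer is a hypothetical command.
SAMPLE = r"""[Desktop Entry]
Exec=example-mailer --compose "%u"
[Desktop Action new-window]
Exec=sh -c "exec example-mailer --compose \\"\\$1\\"" sh %u
"""

if __name__ == "__main__":
    for group, codes in audit_desktop_entry(SAMPLE):
        print(f"[{group}] Exec uses {', '.join(codes)} inside a quoted argument")
```

The checker only reports the specification violation; it says nothing about how the program on the Exec line treats the argument once it has received it.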


Reported by: Ulrich Müller <ulm <at> gentoo.org>

Date: Mon, 19 Dec 2022 16:15:02 UTC

Severity: normal

Found in version 28.2

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 60204 in the body.
You can then email your comments to 60204 AT debbugs.gnu.org in the normal way.

Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#60204; Package emacs. (Mon, 19 Dec 2022 16:15:02 GMT)

Acknowledgement sent to Ulrich Müller <ulm <at> gentoo.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Mon, 19 Dec 2022 16:15:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

Apparently the emacsclient-mail.desktop file doesn’t conform to the Desktop Entry Specification at https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables which says about the Exec key:

| Field codes must not be used inside a quoted argument, the result of
| field code expansion inside a quoted argument is undefined.

However, the %u field code is used inside a quoted argument of the Exec key in both the [Desktop Entry] and [Desktop Action new-window] sections.

See patch included below.

From 1ee6903cccde01c36dd58951102252abadada994 Mon Sep 17 00:00:00 2001
From: Ulrich Müller <ulm <at> gentoo.org>
Date: Mon, 19 Dec 2022 16:51:20 +0100
Subject: [PATCH] Fix quoted argument in emacsclient-mail.desktop Exec key

* etc/emacsclient-mail.desktop (Exec): The Desktop Entry Specification does not allow field codes like %u inside a quoted argument. Work around it by passing %u as first parameter ($1) to the shell wrapper.
* etc/emacsclient.desktop (Exec): Use `sh` rather than `placeholder` as the command name of the shell wrapper.
---
 etc/emacsclient-mail.desktop | 4 ++--
 etc/emacsclient.desktop      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop index b575a41758a…91df122c594 100644 — a/etc/emacsclient-mail.desktop +++ b/etc/emacsclient-mail.desktop @@ -1,7 +1,7 @@ [Desktop Entry] Categories=Network;Email; Comment=GNU Emacs is an extensible, customizable text editor - and more -Exec=sh -c “exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\” --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)" +Exec=sh -c “exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\” --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u Icon=emacs Name=Emacs (Mail, Client) MimeType=x-scheme-handler/mailto; @@ -13,7 +13,7 @@ Actions=new-window;new-instance;

[Desktop Action new-window] Name=New Window -Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")" +Exec=sh -c “exec emacsclient --alternate-editor= --create-frame --eval \\”(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u

[Desktop Action new-instance] Name=New Instance diff --git a/etc/emacsclient.desktop b/etc/emacsclient.desktop index 1ecdecffafd…a9f840c7033 100644 — a/etc/emacsclient.desktop +++ b/etc/emacsclient.desktop @@ -3,7 +3,7 @@ Name=Emacs (Client) GenericName=Text Editor Comment=Edit text MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++; -Exec=sh -c “if [ -n \\"\\$*\\” ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" placeholder %F +Exec=sh -c “if [ -n \\"\\$*\\” ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" sh %F Icon=emacs Type=Application Terminal=false – 2.39.0
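
Review bot: in the new [Desktop Entry] Exec line of etc/emacsclient-mail.desktop, the shell still expands $1 into the text of the Lisp string given to --eval, (message-mailto \"$1\"), so a double quote or backslash in the URI alters the form that Emacs reads. Taking %u out of the quoted argument satisfies the specification, but the URI should reach message-mailto as data, not as part of the expression: escape it for the Lisp reader before building the form, or pass it to Emacs as a separate argument that the form picks up.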
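
Review bot: the [Desktop Action new-window] Exec line in etc/emacsclient-mail.desktop used to run emacsclient directly and now goes through sh -c, which stacks shell quoting on top of the two desktop-entry escaping levels; the run of backslashes before $1 is hard to check by eye and the trailing sh %u is easy to misread. A comment line above Exec stating that sh is $0 of the wrapper and that %u arrives as $1 would help the next person who edits this line.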
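
Review bot: in etc/emacsclient.desktop the only change is the $0 word after the script, placeholder becoming sh; %F was already outside the quoted argument, so this hunk is cosmetic and unrelated to the field code fix. It would be easier to track and backport as its own commit, or the commit subject could mention both files.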

Reply sent to Eli Zaretskii <eliz <at> gnu.org>:
You have taken responsibility. (Sat, 24 Dec 2022 07:22:01 GMT)

Notification sent to Ulrich Müller <ulm <at> gentoo.org>:
bug acknowledged by developer. (Sat, 24 Dec 2022 07:22:02 GMT)

Message #10 received at 60204-done <at> debbugs.gnu.org:

> From: Ulrich Müller <ulm <at> gentoo.org>
> Date: Mon, 19 Dec 2022 17:14:09 +0100
>
> Apparently the emacsclient-mail.desktop file doesn’t conform to the Desktop Entry Specification at https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables which says about the Exec key:
>
> | Field codes must not be used inside a quoted argument, the result of
> | field code expansion inside a quoted argument is undefined.
>
> However, the %u field code is used inside a quoted argument of the Exec key in both the [Desktop Entry] and [Desktop Action new-window] sections.
>
> See patch included below.

Thanks, I installed this on the emacs-29 branch, and I’m closing the bug.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 21 Jan 2023 12:24:04 GMT)

This bug report was last modified 46 days ago.


GNU bug tracking system
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.
