
Arbitrary shell command evaluation in Org Mode (GNU Emacs)


-sec mailing list archives

Arbitrary shell command evaluation in Org mode (GNU Emacs)

From: Ihor Radchenko <yantar92 () posteo net>
Date: Sun, 23 Jun 2024 08:41:15 +0000

Hi,

Here is a vulnerability in Emacs Org mode.

Reproducer is the following .org file:

    #+LINK: shell %(shell-command-to-string)
    [[shell:touch ~/hacked.txt]]

When sent by email and previewed in Emacs or when opened in Emacs as a file, the above Org file will evaluate "touch ~/hacked.txt" without any prompts.
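A triage check for the pattern in the reproducer above, as an added example that is not part of the original message or of Org mode's code: it flags `#+LINK:` abbreviations whose replacement uses the `%(function)` form and lists the links that would feed arguments to that function. The function names, regular expressions and sample strings are assumptions constructed for this illustration.

```python
import re

# "#+LINK: <abbrev> <replacement>" keyword line (Org keywords are case-insensitive).
LINK_KEYWORD = re.compile(r"^[ \t]*#\+LINK:[ \t]+(\S+)[ \t]+(.+?)[ \t]*$", re.I | re.M)
# "%(function-name)" in a replacement names a Lisp function, as in the reproducer.
FUNCTION_FORM = re.compile(r"%\(([^()\s]+)\)")
# Bracket links: [[target]] or [[target][description]]; captures the target.
BRACKET_LINK = re.compile(r"\[\[([^\[\]]+)\](?:\[[^\[\]]*\])?\]")


def find_function_abbrevs(org_text):
    """Map abbreviation name -> Lisp function named in its %(...) replacement."""
    found = {}
    for name, replacement in LINK_KEYWORD.findall(org_text):
        match = FUNCTION_FORM.search(replacement)
        if match:
            found[name] = match.group(1)
    return found


def scan_org(org_text):
    """Return one finding per function-calling abbreviation, with the links using it."""
    findings = []
    targets = BRACKET_LINK.findall(org_text)
    for name, function in find_function_abbrevs(org_text).items():
        prefix = name + ":"
        args = [t[len(prefix):] for t in targets if t.startswith(prefix)]
        findings.append({"abbrev": name, "function": function, "link_arguments": args})
    return findings


# Constructed samples: the reproducer from the message, and a plain %s abbreviation.
REPRODUCER = "#+LINK: shell %(shell-command-to-string)\n[[shell:touch ~/hacked.txt]]\n"
BENIGN = "#+LINK: bugs https://example.org/bug?id=%s\n[[bugs:42][bug 42]]\n"

if __name__ == "__main__":
    for finding in scan_org(REPRODUCER):
        print(finding)
    print(scan_org(BENIGN))
```

A finding means the file asks Org to call a Lisp function during link expansion, so it is a prompt for review before the file is opened or previewed in Emacs.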

