diff --git a/SOURCES/emacs-consider-org-file-contents-unsafe.patch b/SOURCES/emacs-consider-org-file-contents-unsafe.patch
new file mode 100644
index 0000000..146dc64
--- /dev/null
+++ b/SOURCES/emacs-consider-org-file-contents-unsafe.patch
@@ -0,0 +1,36 @@
+From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+---
+ lisp/org/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 0f5d17d..76559c9 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available. This option applies only if FILE is a URL."
+ (let* ((is-url (org-file-url-p file))
++ (is-remote (condition-case nil
++ (file-remote-p file)
++ ;; In case of error, be safe.
++ (t t)))
+ (cache (and is-url
+ (not nocache)
+ (gethash file org--file-cache))))
+ (cond
+ (cache)
+- (is-url
++ ((or is-url is-remote)
+ (with-current-buffer (url-retrieve-synchronously file)
+ (goto-char (point-min))
+ ;; Move point to after the url-retrieve header.
+--
+cgit v1.1
+
diff --git a/SOURCES/emacs-mark-contents-untrusted.patch b/SOURCES/emacs-mark-contents-untrusted.patch
new file mode 100644
index 0000000..31e8437
--- /dev/null
+++ b/SOURCES/emacs-mark-contents-untrusted.patch
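Review bot: The new `((or is-url is-remote)` branch hands a TRAMP-style file name (a `/method:host:/path` string, not a URL) to `url-retrieve-synchronously`, which is the only handler visible on that branch, so for remote non-URL files the outcome is a failed fetch rather than an explicit refusal unless `org-file-contents`, whose body continues outside the hunk, deals with it further down. As far as I recall, the upstream emacs-29 version of this function puts a resource-download confirmation in front of this branch, which the Org shipped with the 26.1 tree this spec patches probably lacks, so it is worth confirming that an error or nil here is the intended result for `noerror` callers and recording that in the spec changelog. A one-line comment on the branch would spare the next backporter the same question, e.g. `;; Remote (TRAMP) file names are deliberately treated like URLs and never opened as local files.`. Minor: `is-remote` is evaluated on every call, including cache hits, and could live inside the `cond` test instead of the `let*`.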
@@ -0,0 +1,25 @@
+From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 20 Feb 2024 12:44:30 +0300
+Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
+ untrusted.
+
+---
+ lisp/gnus/mm-view.el | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
+index 2e1261c..5f234e5 100644
+--- a/lisp/gnus/mm-view.el
++++ b/lisp/gnus/mm-view.el
+@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
+ (setq coding-system (mm-find-buffer-file-coding-system)))
+ (setq text (buffer-string))))
+ (with-temp-buffer
++ (setq untrusted-content t)
+ (buffer-disable-undo)
+ (mm-enable-multibyte)
+ (insert (cond ((eq charset 'gnus-decoded)
+--
+cgit v1.1
+
diff --git a/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch b/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch
new file mode 100644
index 0000000..18a0050
--- /dev/null
+++ b/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch
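Review bot: `(setq untrusted-content t)` only does anything if `untrusted-content` is declared buffer-local and consulted somewhere; that variable was introduced in files.el as a `defvar-local` together with this Gnus change in Emacs 29.3, and the 26.1 tree this spec patches does not appear to ship it. Without the declaration the `setq` inside `with-temp-buffer` assigns a plain global variable that outlives the temp buffer, and with no consumer the CVE-2024-30203 mitigation named in the changelog is not actually in effect. If no other patch in this series supplies it, add the declaration to this patch, e.g. `(defvar-local untrusted-content nil "Non-nil means the current buffer came from an untrusted source.")`, together with the Org-side checks that read it. `mm-display-inline-fontify` starts and ends outside the hunk.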
@@ -0,0 +1,78 @@
+From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 18 Jun 2024 13:06:44 +0200
+Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+* lisp/org/org.el (org-link-expand-abbrev): Refuse expanding %(...) link
+abbrevs that specify unsafe function. Instead, display a warning, and
+do not expand the abbrev. Clear all the text properties from the
+returned link, to avoid any potential vulnerabilities caused by
+properties that may contain arbitrary Elisp.
+---
+ lisp/org/org.el | 40 +++++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 7a7f4f5..8a556c7 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -1152,26 +1152,44 @@ Abbreviations are defined in `org-link-abbrev-alist'."
+
+ (defun org-link-expand-abbrev (link)
+ "Apply replacements as defined in `org-link-abbrev-alist'."
+- (if (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)
++ (if (not (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)) link
+ (let* ((key (match-string 1 link))
+ (as (or (assoc key org-link-abbrev-alist-local)
+ (assoc key org-link-abbrev-alist)))
+ (tag (and (match-end 2) (match-string 3 link)))
+ rpl)
+ (if (not as)
+ link
+ (setq rpl (cdr as))
+- (cond
+- ((symbolp rpl) (funcall rpl tag))
+- ((string-match "%(\\([^)]+\\))" rpl)
+- (replace-match
+- (save-match-data
+- (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl))
+- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+- ((string-match "%h" rpl)
+- (replace-match (url-hexify-string (or tag "")) t t rpl))
+- (t (concat rpl tag)))))
+- link))
++ ;; Drop any potentially dangerous text properties like
++ ;; `modification-hooks' that may be used as an attack vector.
++ (substring-no-properties
++ (cond
++ ((symbolp rpl) (funcall rpl tag))
++ ((string-match "%(\\([^)]+\\))" rpl)
++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++ ;; Using `unsafep-function' is not quite enough because
++ ;; Emacs considers functions like `genenv' safe, while
++ ;; they can potentially be used to expose private system
++ ;; data to attacker if abbreviated link is clicked.
++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++ (eq t (get rpl-fun-symbol 'pure)))
++ (replace-match
++ (save-match-data
++ (funcall (intern-soft (match-string 1 rpl)) tag))
++ t t rpl)
++ (org-display-warning
++ (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++ rpl (match-string 1 rpl)))
++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++ org-link-abbrev-alist (delete as org-link-abbrev-alist))
++ link
++ )))
++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++ ((string-match "%h" rpl)
++ (replace-match (url-hexify-string (or tag "")) t t rpl))
++ (t (concat rpl tag))))))))
+
+ ;;; Storing and inserting links
+
+
+--
+cgit v1.1
+
diff --git a/SPECS/emacs.spec b/SPECS/emacs.spec
index 031e617..3cf75e9 100644
--- a/SPECS/emacs.spec
+++ b/SPECS/emacs.spec
@@ -5,7 +5,7 @@ Summary: GNU Emacs text editor
 Name: emacs
 Epoch: 1
 Version: 26.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv3+ and CC0-1.0
 URL: http://www.gnu.org/software/emacs/
 Group: Applications/Editors
@@ -29,6 +29,9 @@ Patch4: emacs-mh-rmail-nonempty-dir.patch
 Patch5: emacs-etags-local-command-injection-vulnerability.patch
 Patch6: emacs-htmlfontify-command-injection-vulnerability.patch
 Patch7: emacs-ob-latex-command-injection-vulnerability.patch
+Patch8: emacs-consider-org-file-contents-unsafe.patch
+Patch9: emacs-org-link-expand-abbrev-unsafe-elisp.patch
+Patch10: emacs-mark-contents-untrusted.patch
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
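Review bot: In the safe branch the function symbol is re-derived with `(funcall (intern-soft (match-string 1 rpl)) tag)` although `rpl-fun-symbol` already holds exactly that value; `(funcall rpl-fun-symbol tag)` makes the symbol that was checked and the symbol that is called visibly the same, which is the property this fix rests on. The docstring of `org-link-expand-abbrev` should also state the new contract: a `%(fn)` abbrev is expanded only when `fn` carries the `org-link-abbrev-safe` or `pure` symbol property, and an abbrev that fails the check is removed from both alists and `link` is returned unchanged. Wrapping the `(symbolp rpl)` branch in `substring-no-properties` now signals an error when the abbrev function returns nil, where the old code returned nil; probably acceptable, but worth a line in the commit message. `genenv` in the new comment looks like a typo for `getenv`.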
@@ -68,7 +71,6 @@ BuildRequires: desktop-file-utils
 BuildRequires: libacl-devel
 BuildRequires: gtk3-devel
-BuildRequires: webkit2gtk3-devel
 # For lucid
 BuildRequires: Xaw3d-devel
@@ -188,6 +190,9 @@ packages that add functionality to Emacs.
 %patch5 -p1 -b .etags-local-command-injection-vulnerability
 %patch6 -p1 -b .htmlfontify-command-injection-vulnerability
 %patch7 -p1 -b .ob-latex-command-injection-vulnerability
+%patch8 -p1 -b .consider-org-file-contents-unsafe
+%patch9 -p1 -b .org-link-expand-abbrev-unsafe-elisp
+%patch10 -p1 -b .mark-contents-untrusted
 autoconf
 # We prefer our emacs.desktop file
@@ -243,7 +248,7 @@ ln -s ../configure .
 %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \
 --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \
- --with-xwidgets --with-modules
+ --with-modules
 make bootstrap
 %{setarch} make %{?_smp_mflags}
 cd ..
@@ -474,6 +479,12 @@ fi
 %dir %{_datadir}/emacs/site-lisp/site-start.d
 %changelog
+* Fri Aug 23 2024 Jacek Migacz - 1:26.1-12
+- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
+- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
+- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
+- Disable xwidgets (RHEL-14549)
+
 * Wed Apr 12 2023 Jacek Migacz - 1:26.1-11
 - Bump version