diff --git a/SOURCES/emacs-consider-org-file-contents-unsafe.patch b/SOURCES/emacs-consider-org-file-contents-unsafe.patch new file mode 100644 index 0000000..146dc64 --- /dev/null +++ b/SOURCES/emacs-consider-org-file-contents-unsafe.patch @@ -0,0 +1,36 @@ +From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 14:59:20 +0300 +Subject: org-file-contents: Consider all remote files unsafe + +* lisp/org/org.el (org-file-contents): When loading files, consider all +remote files (like TRAMP-fetched files) unsafe, in addition to URLs. +--- + lisp/org/org.el | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 0f5d17d..76559c9 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4576,12 +4576,16 @@ from file or URL, and return nil. + If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version + is available. This option applies only if FILE is a URL." + (let* ((is-url (org-file-url-p file)) ++ (is-remote (condition-case nil ++ (file-remote-p file) ++ ;; In case of error, be safe. ++ (t t))) + (cache (and is-url + (not nocache) + (gethash file org--file-cache)))) + (cond + (cache) +- (is-url ++ ((or is-url is-remote) + (with-current-buffer (url-retrieve-synchronously file) + (goto-char (point-min)) + ;; Move point to after the url-retrieve header. +-- +cgit v1.1 + diff --git a/SOURCES/emacs-etags-local-command-injection-vulnerability.patch b/SOURCES/emacs-etags-local-command-injection-vulnerability.patch new file mode 100644 index 0000000..418b7d7 --- /dev/null +++ b/SOURCES/emacs-etags-local-command-injection-vulnerability.patch @@ -0,0 +1,105 @@ +From 01a4035c869b91c153af9a9132c87adb7669ea1c Mon Sep 17 00:00:00 2001 +From: lu4nx +Date: Tue, 6 Dec 2022 15:42:40 +0800 +Subject: [PATCH] Fix etags local command injection vulnerability + +* lib-src/etags.c: (escape_shell_arg_string): New function. +(process_file_name): Use it to quote file names passed to the +shell. (Bug#59817) +--- + lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 58 insertions(+), 5 deletions(-) + +diff --git a/lib-src/etags.c b/lib-src/etags.c +index d1d20858cdd..ba0092cc637 100644 +--- a/lib-src/etags.c ++++ b/lib-src/etags.c +@@ -399,6 +399,7 @@ static void put_entries (node *); + static void clean_matched_file_tag (char const * const, char const * const); + + static void do_move_file (const char *, const char *); ++static char *escape_shell_arg_string (char *); + static char *concat (const char *, const char *, const char *); + static char *skip_spaces (char *); + static char *skip_non_spaces (char *); +@@ -1670,13 +1671,16 @@ process_file_name (char *file, language *lang) + else + { + #if MSDOS || defined (DOS_NT) +- char *cmd1 = concat (compr->command, " \"", real_name); +- char *cmd = concat (cmd1, "\" > ", tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name); + #else +- char *cmd1 = concat (compr->command, " '", real_name); +- char *cmd = concat (cmd1, "' > ", tmp_name); ++ char *new_real_name = escape_shell_arg_string (real_name); ++ char *new_tmp_name = escape_shell_arg_string (tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name); + #endif +- free (cmd1); + int tmp_errno; + if (system (cmd) == -1) + { +@@ -7124,6 +7128,55 @@ etags_mktmp (void) + return templt; + } + ++/* ++ * Adds single quotes around a string, if found single quotes, escaped it. ++ * Return a newly-allocated string. ++ * ++ * For example: ++ * escape_shell_arg_string("test.txt") => 'test.txt' ++ * escape_shell_arg_string("'test.txt") => ''\''test.txt' ++ */ ++static char * ++escape_shell_arg_string (char *str) ++{ ++ char *p = str; ++ int need_space = 2; /* ' at begin and end */ ++ ++ while (*p != '\0') ++ { ++ if (*p == '\'') ++ need_space += 4; /* ' to '\'', length is 4 */ ++ else ++ need_space++; ++ ++ p++; ++ } ++ ++ char *new_str = xnew (need_space + 1, char); ++ new_str[0] = '\''; ++ new_str[need_space-1] = '\''; ++ ++ int i = 1; /* skip first byte */ ++ p = str; ++ while (*p != '\0') ++ { ++ new_str[i] = *p; ++ if (*p == '\'') ++ { ++ new_str[i+1] = '\\'; ++ new_str[i+2] = '\''; ++ new_str[i+3] = '\''; ++ i += 3; ++ } ++ ++ i++; ++ p++; ++ } ++ ++ new_str[need_space] = '\0'; ++ return new_str; ++} ++ + static void + do_move_file(const char *src_file, const char *dst_file) + { +-- +2.36.1 + diff --git a/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch b/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch new file mode 100644 index 0000000..73122c8 --- /dev/null +++ b/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch @@ -0,0 +1,26 @@ +From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001 +From: Xi Lu +Date: Sat, 24 Dec 2022 16:28:54 +0800 +Subject: [PATCH] Fix htmlfontify.el command injection vulnerability. + +* lisp/htmlfontify.el (hfy-text-p): Fix command injection +vulnerability. (Bug#60295) +--- + lisp/htmlfontify.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el +index df4c6ab079c..389b92939cc 100644 +--- a/lisp/htmlfontify.el ++++ b/lisp/htmlfontify.el +@@ -1912,7 +1912,7 @@ hfy-make-directory + + (defun hfy-text-p (srcdir file) + "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this." +- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) ++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) + (rsp (shell-command-to-string cmd))) + (string-match "text" rsp))) + +-- +2.36.1 diff --git a/SOURCES/emacs-mark-contents-untrusted.patch b/SOURCES/emacs-mark-contents-untrusted.patch new file mode 100644 index 0000000..31e8437 --- /dev/null +++ b/SOURCES/emacs-mark-contents-untrusted.patch @@ -0,0 +1,25 @@ +From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 12:44:30 +0300 +Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents + untrusted. + +--- + lisp/gnus/mm-view.el | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el +index 2e1261c..5f234e5 100644 +--- a/lisp/gnus/mm-view.el ++++ b/lisp/gnus/mm-view.el +@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically." + (setq coding-system (mm-find-buffer-file-coding-system))) + (setq text (buffer-string)))) + (with-temp-buffer ++ (setq untrusted-content t) + (buffer-disable-undo) + (mm-enable-multibyte) + (insert (cond ((eq charset 'gnus-decoded) +-- +cgit v1.1 + diff --git a/SOURCES/emacs-ob-latex-command-injection-vulnerability.patch b/SOURCES/emacs-ob-latex-command-injection-vulnerability.patch new file mode 100644 index 0000000..275ada9 --- /dev/null +++ b/SOURCES/emacs-ob-latex-command-injection-vulnerability.patch @@ -0,0 +1,43 @@ +From a8006ea580ed74f27f974d60b598143b04ad1741 Mon Sep 17 00:00:00 2001 +From: Xi Lu +Date: Sat, 11 Mar 2023 18:53:37 +0800 +Subject: * lisp/org/ob-latex.el: Fix command injection vulnerability + +(org-babel-execute:latex): +Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'. + +TINYCHANGE +--- + lisp/org/ob-latex.el | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el +index a2c24b3..ce39628 100644 +--- a/lisp/org/ob-latex.el ++++ b/lisp/org/ob-latex.el +@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'." + (if (string-suffix-p ".svg" out-file) + (progn + (shell-command "pwd") +- (shell-command (format "mv %s %s" +- (concat (file-name-sans-extension tex-file) "-1.svg") +- out-file))) ++ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg") ++ out-file t)) + (error "SVG file produced but HTML file requested"))) + ((file-exists-p (concat (file-name-sans-extension tex-file) ".html")) + (if (string-suffix-p ".html" out-file) +- (shell-command "mv %s %s" +- (concat (file-name-sans-extension tex-file) +- ".html") +- out-file) +- (error "HTML file produced but SVG file requested"))))) ++ (rename-file (concat (file-name-sans-extension tex-file) ".html") ++ out-file t) ++ (error "HTML file produced but SVG file requested"))))) + ((or (string= "pdf" extension) imagemagick) + (with-temp-file tex-file + (require 'ox-latex) +-- +cgit v1.1 + diff --git a/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch b/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch new file mode 100644 index 0000000..18a0050 --- /dev/null +++ b/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch @@ -0,0 +1,78 @@ +From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Tue, 18 Jun 2024 13:06:44 +0200 +Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code + +* lisp/org/org.el (org-link-expand-abbrev): Refuse expanding %(...) link +abbrevs that specify unsafe function. Instead, display a warning, and +do not expand the abbrev. Clear all the text properties from the +returned link, to avoid any potential vulnerabilities caused by +properties that may contain arbitrary Elisp. +--- + lisp/org/org.el | 40 +++++++++++++++++++++++++++++----------- + 1 file changed, 29 insertions(+), 11 deletions(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 7a7f4f5..8a556c7 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -1152,26 +1152,44 @@ Abbreviations are defined in `org-link-abbrev-alist'." + + (defun org-link-expand-abbrev (link) + "Apply replacements as defined in `org-link-abbrev-alist'." +- (if (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link) ++ (if (not (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)) link + (let* ((key (match-string 1 link)) + (as (or (assoc key org-link-abbrev-alist-local) + (assoc key org-link-abbrev-alist))) + (tag (and (match-end 2) (match-string 3 link))) + rpl) + (if (not as) + link + (setq rpl (cdr as)) +- (cond +- ((symbolp rpl) (funcall rpl tag)) +- ((string-match "%(\\([^)]+\\))" rpl) +- (replace-match +- (save-match-data +- (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl)) +- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) +- ((string-match "%h" rpl) +- (replace-match (url-hexify-string (or tag "")) t t rpl)) +- (t (concat rpl tag))))) +- link)) ++ ;; Drop any potentially dangerous text properties like ++ ;; `modification-hooks' that may be used as an attack vector. ++ (substring-no-properties ++ (cond ++ ((symbolp rpl) (funcall rpl tag)) ++ ((string-match "%(\\([^)]+\\))" rpl) ++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) ++ ;; Using `unsafep-function' is not quite enough because ++ ;; Emacs considers functions like `genenv' safe, while ++ ;; they can potentially be used to expose private system ++ ;; data to attacker if abbreviated link is clicked. ++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) ++ (eq t (get rpl-fun-symbol 'pure))) ++ (replace-match ++ (save-match-data ++ (funcall (intern-soft (match-string 1 rpl)) tag)) ++ t t rpl) ++ (org-display-warning ++ (format "Disabling unsafe link abbrev: %s ++You may mark function safe via (put '%s 'org-link-abbrev-safe t)" ++ rpl (match-string 1 rpl))) ++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) ++ org-link-abbrev-alist (delete as org-link-abbrev-alist)) ++ link ++ ))) ++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) ++ ((string-match "%h" rpl) ++ (replace-match (url-hexify-string (or tag "")) t t rpl)) ++ (t (concat rpl tag)))))))) + + ;;; Storing and inserting links + +-- +cgit v1.1 + diff --git a/SPECS/emacs.spec b/SPECS/emacs.spec index d48fa58..49fac71 100644 --- a/SPECS/emacs.spec +++ b/SPECS/emacs.spec @@ -5,7 +5,7 @@ Summary: GNU Emacs text editor Name: emacs Epoch: 1 Version: 26.1 -Release: 9%{?dist}.inferit +Release: 12%{?dist}.inferit License: GPLv3+ and CC0-1.0 URL: http://www.gnu.org/software/emacs/ Group: Applications/Editors @@ -26,6 +26,12 @@ Patch1: emacs-spellchecker.patch Patch2: emacs-system-crypto-policies.patch Patch3: emacs-ctags-local-command-execute-vulnerability.patch Patch4: emacs-mh-rmail-nonempty-dir.patch +Patch5: emacs-etags-local-command-injection-vulnerability.patch +Patch6: emacs-htmlfontify-command-injection-vulnerability.patch +Patch7: emacs-ob-latex-command-injection-vulnerability.patch +Patch8: emacs-consider-org-file-contents-unsafe.patch +Patch9: emacs-org-link-expand-abbrev-unsafe-elisp.patch +Patch10: emacs-mark-contents-untrusted.patch BuildRequires: atk-devel BuildRequires: cairo-devel @@ -65,7 +71,6 @@ BuildRequires: desktop-file-utils BuildRequires: libacl-devel BuildRequires: gtk3-devel -BuildRequires: webkit2gtk3-devel # For lucid BuildRequires: Xaw3d-devel @@ -182,6 +187,12 @@ packages that add functionality to Emacs. %patch2 -p1 -b .system-crypto-policies %patch3 -p1 -b .ctags-local-command-execute-vulnerability %patch4 -p1 -b .mh-rmail-nonempty-dir.patch +%patch5 -p1 -b .etags-local-command-injection-vulnerability +%patch6 -p1 -b .htmlfontify-command-injection-vulnerability +%patch7 -p1 -b .ob-latex-command-injection-vulnerability +%patch8 -p1 -b .consider-org-file-contents-unsafe +%patch9 -p1 -b .org-link-expand-abbrev-unsafe-elisp +%patch10 -p1 -b .mark-contents-untrusted autoconf # We prefer our emacs.desktop file @@ -237,7 +248,7 @@ ln -s ../configure . %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \ --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \ - --with-xwidgets --with-modules + --with-modules make bootstrap %{setarch} make %{?_smp_mflags} cd .. @@ -468,13 +479,30 @@ fi %dir %{_datadir}/emacs/site-lisp/site-start.d %changelog +* Wed Sep 25 2024 Sergey Cherevko - 1:26.1-12.inferit +- Update to 26.1-12 + +* Fri Aug 23 2024 Jacek Migacz - 1:26.1-12 +- org-file-contents: Consider all remote files unsafe (CVE-2024-30205) +- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331) +- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203) +- Disable xwidgets (RHEL-14549) + * Fri Sep 01 2023 Sergey Cherevko - 1:26.1-9.inferit - Added Russian description for ArcMenu and gnome-software - Rebuilt for MSVSphere 8.8 -* Tue Jul 25 2023 MSVSphere Packaging Team - 1:26.1-9 +* Tue Jul 25 2023 MSVSphere Packaging Team - 1:26.1-11 - Rebuilt for MSVSphere 8.8 +* Wed Apr 12 2023 Jacek Migacz - 1:26.1-11 +- Bump version + +* Fri Apr 7 2023 Jacek Migacz - 1:26.1-10 +- Fix etags local command injection vulnerability (#2175189) +- Fix htmlfontify.el command injection vulnerability (#2175178) +- Fix ob-latex.el command injection vulnerability (#2180587) + * Tue Jan 10 2023 Jacek Migacz - 1:26.1-9 - Fix MH-E mail composition with GNU Mailutils (#1991156)