import emacs-26.1-10.el8_8.2

c8 imports/c8/emacs-26.1-10.el8_8.2
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
parent eb8a64fd38
commit bfbd7b95db

@ -0,0 +1,43 @@
From a8006ea580ed74f27f974d60b598143b04ad1741 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 11 Mar 2023 18:53:37 +0800
Subject: * lisp/org/ob-latex.el: Fix command injection vulnerability
(org-babel-execute:latex):
Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
TINYCHANGE
---
lisp/org/ob-latex.el | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
index a2c24b3..ce39628 100644
--- a/lisp/org/ob-latex.el
+++ b/lisp/org/ob-latex.el
@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."
(if (string-suffix-p ".svg" out-file)
(progn
(shell-command "pwd")
- (shell-command (format "mv %s %s"
- (concat (file-name-sans-extension tex-file) "-1.svg")
- out-file)))
+ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
+ out-file t))
(error "SVG file produced but HTML file requested")))
((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
(if (string-suffix-p ".html" out-file)
- (shell-command "mv %s %s"
- (concat (file-name-sans-extension tex-file)
- ".html")
- out-file)
- (error "HTML file produced but SVG file requested")))))
+ (rename-file (concat (file-name-sans-extension tex-file) ".html")
+ out-file t)
+ (error "HTML file produced but SVG file requested")))))
((or (string= "pdf" extension) imagemagick)
(with-temp-file tex-file
(require 'ox-latex)
--
cgit v1.1

@ -5,7 +5,7 @@ Summary: GNU Emacs text editor
Name: emacs
Epoch: 1
Version: 26.1
Release: 9%{?dist}
Release: 10%{?dist}.2
License: GPLv3+ and CC0-1.0
URL: http://www.gnu.org/software/emacs/
Group: Applications/Editors
@ -26,6 +26,7 @@ Patch1: emacs-spellchecker.patch
Patch2: emacs-system-crypto-policies.patch
Patch3: emacs-ctags-local-command-execute-vulnerability.patch
Patch4: emacs-mh-rmail-nonempty-dir.patch
Patch5: emacs-ob-latex-command-injection-vulnerability.patch
BuildRequires: atk-devel
BuildRequires: cairo-devel
@ -182,6 +183,7 @@ packages that add functionality to Emacs.
%patch2 -p1 -b .system-crypto-policies
%patch3 -p1 -b .ctags-local-command-execute-vulnerability
%patch4 -p1 -b .mh-rmail-nonempty-dir.patch
%patch5 -p1 -b .ob-latex-command-injection-vulnerability
autoconf
# We prefer our emacs.desktop file
@ -468,6 +470,15 @@ fi
%dir %{_datadir}/emacs/site-lisp/site-start.d
%changelog
* Thu Apr 13 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-10.2
- Bump release
* Thu Apr 13 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-10.1
- Bump release
* Fri Apr 7 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-10
- Fix ob-latex.el command injection vulnerability (#2180586)
* Tue Jan 10 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-9
- Fix MH-E mail composition with GNU Mailutils (#1991156)

Loading…
Cancel
Save