diff --git a/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch b/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch
new file mode 100644
index 0000000..fffc2cc
--- /dev/null
+++ b/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch
@@ -0,0 +1,68 @@
+From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 18 Jun 2024 13:06:44 +0200
+Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
+abbrevs that specify unsafe function. Instead, display a warning, and
+do not expand the abbrev. Clear all the text properties from the
+returned link, to avoid any potential vulnerabilities caused by
+properties that may contain arbitrary Elisp.
+---
+ lisp/org/ol.el | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/lisp/org/ol.el b/lisp/org/ol.el
+index 7a7f4f5..8a556c7 100644
+--- a/lisp/org/ol.el
++++ b/lisp/org/ol.el
+@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
+ (if (not as)
+ link
+ (setq rpl (cdr as))
+- (cond
+- ((symbolp rpl) (funcall rpl tag))
+- ((string-match "%(\\([^)]+\\))" rpl)
+- (replace-match
+- (save-match-data
+- (funcall (intern-soft (match-string 1 rpl)) tag))
+- t t rpl))
+- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+- ((string-match "%h" rpl)
+- (replace-match (url-hexify-string (or tag "")) t t rpl))
+- (t (concat rpl tag)))))))
++ ;; Drop any potentially dangerous text properties like
++ ;; `modification-hooks' that may be used as an attack vector.
++ (substring-no-properties
++ (cond
++ ((symbolp rpl) (funcall rpl tag))
++ ((string-match "%(\\([^)]+\\))" rpl)
++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++ ;; Using `unsafep-function' is not quite enough because
++ ;; Emacs considers functions like `genenv' safe, while
++ ;; they can potentially be used to expose private system
++ ;; data to attacker if abbreviated link is clicked.
++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++ (eq t (get rpl-fun-symbol 'pure)))
++ (replace-match
++ (save-match-data
++ (funcall (intern-soft (match-string 1 rpl)) tag))
++ t t rpl)
++ (org-display-warning
++ (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++ rpl (match-string 1 rpl)))
++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++ org-link-abbrev-alist (delete as org-link-abbrev-alist))
++ link
++ )))
++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++ ((string-match "%h" rpl)
++ (replace-match (url-hexify-string (or tag "")) t t rpl))
++ (t (concat rpl tag))))))))
+ 
+ (defun org-link-open (link &optional arg)
+ "Open a link object LINK.
+--
+cgit v1.1
+
diff --git a/SPECS/emacs.spec b/SPECS/emacs.spec
index 1f3a346..4a28c92 100644
--- a/SPECS/emacs.spec
+++ b/SPECS/emacs.spec
@@ -5,7 +5,7 @@ Summary: GNU Emacs text editor
 Name: emacs
 Epoch: 1
 Version: 27.2
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv3+ and CC0-1.0
 URL: http://www.gnu.org/software/emacs/
 Source0: https://ftp.gnu.org/gnu/emacs/emacs-%{version}.tar.xz
@@ -33,6 +33,8 @@ Patch6: emacs-etags-local-command-injection-vulnerability.patch
 Patch7: emacs-htmlfontify-command-injection-vulnerability.patch
 Patch8: emacs-ruby-mode-local-command-injection-vulnerability.patch
 Patch9: emacs-ob-latex-command-injection-vulnerability.patch
+Patch10: emacs-org-link-expand-abbrev-unsafe-elisp.patch
+
 BuildRequires: gcc
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@@ -75,7 +77,6 @@ BuildRequires: jansson-devel
 BuildRequires: systemd-devel
 BuildRequires: gtk3-devel
-BuildRequires: webkit2gtk3-devel
 BuildRequires: gnupg2
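Review bot: On the unsafe path of the new `%(...)` branch, `(setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) org-link-abbrev-alist (delete as org-link-abbrev-alist))` destructively edits the user's global `org-link-abbrev-alist` as a side effect of expanding a single link, so an abbrev that merely lacks the `org-link-abbrev-safe` property vanishes for the rest of the session after one warning, and later expansions of that abbrev return the raw `link` with no diagnostic at all. Dropping the entry is presumably meant to stop repeated warnings, but since `delete` mutates the list in place this also alters a customizable value behind Custom's back; a comment stating that the abbrev is intentionally disabled session-wide, or limiting the removal to the buffer-local `org-link-abbrev-alist-local`, would make the intended contract explicit. A smaller style point: the safe branch recomputes `(funcall (intern-soft (match-string 1 rpl)) tag)` although `rpl-fun-symbol` already holds that symbol, so `(funcall rpl-fun-symbol tag)` is clearer and avoids the second lookup. The enclosing `org-link-expand-abbrev` defun begins before the embedded hunk, so the bindings of `as`, `rpl` and `tag` are not visible here.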
@@ -201,6 +202,7 @@ Development header files for Emacs. %patch7 -p1 -b .htmlfontify-command-injection-vulnerability %patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability %patch9 -p1 -b .ob-latex-command-injection-vulnerability +%patch10 -p1 -b .org-link-expand-abbrev-unsafe-elisp autoconf # We prefer our emacs.desktop file @@ -253,7 +255,7 @@ ln -s ../configure . %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \ --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \ - --with-xwidgets --with-modules --with-harfbuzz --with-cairo --with-json + --with-modules --with-harfbuzz --with-cairo --with-json make bootstrap %{setarch} %make_build cd .. @@ -491,7 +493,11 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg %{_includedir}/emacs-module.h %changelog -* Sun Apr 2 2023 Jacek Migacz - 1:27.2-9 +* Fri Aug 23 2024 Jacek Migacz - 1:27.2-10 +- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331) +- Disable xwidgets (RHEL-33447) + +* Sun Apr 02 2023 Jacek Migacz - 1:27.2-9 - Fix etags local command injection vulnerability (#2175190) - Fix htmlfontify.el command injection vulnerability (#2175179) - Fix ruby-mode.el local command injection vulnerability (#2175142)