rpms
/
emacs
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rpms:027293d5d7e9d8cab2dd6da6b1c72fb96beb32be
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i8
rpms:i8c
rpms:c8
rpms:i9
rpms:i9c
rpms:c9
rpms:i9-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i9-test
..
compare: rpms:da5f46d3e9d0faf756f1b9ed254632dac2616508
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i8
rpms:i8c
rpms:c8
rpms:i9
rpms:i9c
rpms:c9
rpms:i9-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i9-test

No commits in common. '027293d5d7e9d8cab2dd6da6b1c72fb96beb32be' and 'da5f46d3e9d0faf756f1b9ed254632dac2616508' have entirely different histories.
027293d5d7 ... da5f46d3e9

5 changed files with 11 additions and 115 deletions
Show Stats

1
.emacs.metadata
Unescape View File

@ -1 +1,2 @@
8d18e2bfb6e28cf060ce7587290954e9c582aa25 SOURCES/emacs-27.2.tar.xz 8d18e2bfb6e28cf060ce7587290954e9c582aa25 SOURCES/emacs-27.2.tar.xz
4898b4750740a0b711bb140a2fad512d80a991b0 SOURCES/gpgkey-E6C9029C363AD41D787A8EBB91C1262F01EB8D39.gpg

1
.gitignore vendored
Unescape View File

@ -1 +1,2 @@
SOURCES/emacs-27.2.tar.xz SOURCES/emacs-27.2.tar.xz
SOURCES/gpgkey-E6C9029C363AD41D787A8EBB91C1262F01EB8D39.gpg

68
SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch
Unescape View File

@ -1,68 +0,0 @@
From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
From: Ihor Radchenko <yantar92@posteo.net>
Date: Tue, 18 Jun 2024 13:06:44 +0200
Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
abbrevs that specify unsafe function. Instead, display a warning, and
do not expand the abbrev. Clear all the text properties from the
returned link, to avoid any potential vulnerabilities caused by
properties that may contain arbitrary Elisp.
---
lisp/org/ol.el | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/lisp/org/ol.el b/lisp/org/ol.el
index 7a7f4f5..8a556c7 100644
--- a/lisp/org/ol.el
+++ b/lisp/org/ol.el
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
(if (not as)
link
(setq rpl (cdr as))
- (cond
- ((symbolp rpl) (funcall rpl tag))
- ((string-match "%(\\([^)]+\\))" rpl)
- (replace-match
- (save-match-data
- (funcall (intern-soft (match-string 1 rpl)) tag))
- t t rpl))
- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
- ((string-match "%h" rpl)
- (replace-match (url-hexify-string (or tag "")) t t rpl))
- (t (concat rpl tag)))))))
+ ;; Drop any potentially dangerous text properties like
+ ;; `modification-hooks' that may be used as an attack vector.
+ (substring-no-properties
+ (cond
+ ((symbolp rpl) (funcall rpl tag))
+ ((string-match "%(\\([^)]+\\))" rpl)
+ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
+ ;; Using `unsafep-function' is not quite enough because
+ ;; Emacs considers functions like `genenv' safe, while
+ ;; they can potentially be used to expose private system
+ ;; data to attacker if abbreviated link is clicked.
+ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
+ (eq t (get rpl-fun-symbol 'pure)))
+ (replace-match
+ (save-match-data
+ (funcall (intern-soft (match-string 1 rpl)) tag))
+ t t rpl)
+ (org-display-warning
+ (format "Disabling unsafe link abbrev: %s
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
+ rpl (match-string 1 rpl)))
+ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
+ org-link-abbrev-alist (delete as org-link-abbrev-alist))
+ link
+ )))
+ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+ ((string-match "%h" rpl)
+ (replace-match (url-hexify-string (or tag "")) t t rpl))
+ (t (concat rpl tag))))))))
(defun org-link-open (link &optional arg)
"Open a link object LINK.
--
cgit v1.1

29
SOURCES/gpgkey-E6C9029C363AD41D787A8EBB91C1262F01EB8D39.gpg
Unescape View File

@ -1,29 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBF+pf4UBCAC6vjkWLSAsQpe8YIGKLQzNOJx/IjGtCdFF8uzmO5jmME+SD8RO
uJN+t5KXVw58uzu75EFD0vHTY9e+udJ2gkpuy0NnzkFcbumdLLo2ERKCoSctZZRh
zKXI5z5cHxCqW0B2ygHRrRLtoNlGID7bAgcgSViT1ptGqTXO7zGVu4Airok7dNzc
PtHgns8GlR5YAFX0TvE6oGd0l2VPghNeVJKJOjrbfhoDxl3ucFpqbqMH8z9HTLDO
Fpz8UaYYUdJMi3xX6vwTZxI2sM2RRVLUpZyllAkSMI4lln1OOgazM/62DJUs/rKI
HKBnF6h3/qsJUjUYXaAHbrXY26mWllAd536lABEBAAG0I0VsaSBaYXJldHNraWkg
KGVsaXopIDxlbGl6QGdudS5vcmc+iQE4BBMBAgAiBQJfqX+FAhsDBgsJCAcDAgYV
CAIJCgsEFgIDAQIeAQIXgAAKCRCRwSYvAeuNOYUQB/4/iIKKOG45ijNaRoTvmJJZ
Mvj1S07WQxEm7c5SHEeEQbLOAxB9vESOV7sLueuN3oqEndtzyYt4x1WTSBmHFF7h
5fcCMjBs41siOIp5Sj/xD0Bvaa0IKGCRSZ7PAo8Mq3wgajXpTpn9vxE2PmtzA8Kd
EE0K1+f9pVAfOpUIcCl44rIxLUW352XG0y7iz6c/O6LB1deOKMiKFctKO7pBti1d
JEm1ImewLH3H8uTbwspLOs3EB8xhsESxmTidnze68HX2jt+2EeMgCdkiNU+LWbex
QZPfIS7+ZmE06ll0v6+Jy7ZdTkCCRypKWTnW7pIFsq/p4kybV8O/kHSV6B4vvQBf
uQENBF+pf4UBCACvFrdx/m22lgObypSmSS4TNlNvQnMUorrMmp0U32hv5adt6CKX
eMjk05F+GcIfVMrpxqMBn4sEUIXWhhogQJa9ZbWEP/HbS8XjMMbz0Q0Siaty9+DS
spK/9u2GWKsz3uQzLCexIJtzmXvjAVmvoMCAU/F2t038ggygjYLRgyLRNLgbbart
u2dMkvrfxRjheip60S4S3utOcwUf/qdoa1grNannCFluHr/ftXCeeuGB4H8iO0BX
WNby6NZPizxJttx9gdcH8/OmDOJkXyRMTT/3sSem76CSOjfXcz7saJlg680NQhG5
TmuYERjJD4+U02K5RuqTsEnOuWeFy4p+/mslABEBAAGJAR8EGAECAAkFAl+pf4UC
GwwACgkQkcEmLwHrjTno7Af/a1XoLHxAUkS43nmF8iazn3ZnuwWKWLEAsNrxk56y
UxhUPRzNs0/fsABDQR1o0DyTqbScKOcOMSG2YMCctLiDd7FdfMWwkUsV9GUpPBiR
tD60Ewmn9sbNJKrEoZ5L6sqOUEslJRVABu5taOzVIRfeUPPaMRjvCcr0d+epKjW8
1J9Aqj8SskuNkHwvHchTYFYVT22aemjjZ1MGOUm7QiybWQgYL6aSPV2gR+NQQ7pE
hOBoEi6GLEiBkoYOIXvmxsqQLBrUPbsJq8lItYEaw4HGt8BaPxtK2yZ9mSqC2xhW
Yr1j1YAIHffzubC0jxc5znXERsRANoJOwNUXmiddD7UM9A==
=g4R7
-----END PGP PUBLIC KEY BLOCK-----

27
SPECS/emacs.spec
Unescape View File

@ -5,7 +5,7 @@ Summary: GNU Emacs text editor
Name: emacs Name: emacs
Epoch: 1 Epoch: 1
Version: 27.2 Version: 27.2
Release: 10%{?dist}.inferit Release: 8%{?dist}.1.inferit
License: GPLv3+ and CC0-1.0 License: GPLv3+ and CC0-1.0
URL: http://www.gnu.org/software/emacs/ URL: http://www.gnu.org/software/emacs/
Source0: https://ftp.gnu.org/gnu/emacs/emacs-%{version}.tar.xz Source0: https://ftp.gnu.org/gnu/emacs/emacs-%{version}.tar.xz
@ -33,8 +33,6 @@ Patch6: emacs-etags-local-command-injection-vulnerability.patch
Patch7: emacs-htmlfontify-command-injection-vulnerability.patch Patch7: emacs-htmlfontify-command-injection-vulnerability.patch
Patch8: emacs-ruby-mode-local-command-injection-vulnerability.patch Patch8: emacs-ruby-mode-local-command-injection-vulnerability.patch
Patch9: emacs-ob-latex-command-injection-vulnerability.patch Patch9: emacs-ob-latex-command-injection-vulnerability.patch
Patch10: emacs-org-link-expand-abbrev-unsafe-elisp.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: atk-devel BuildRequires: atk-devel
BuildRequires: cairo-devel BuildRequires: cairo-devel
@ -77,6 +75,7 @@ BuildRequires: jansson-devel
BuildRequires: systemd-devel BuildRequires: systemd-devel
BuildRequires: gtk3-devel BuildRequires: gtk3-devel
BuildRequires: webkit2gtk3-devel
BuildRequires: gnupg2 BuildRequires: gnupg2
@ -202,7 +201,6 @@ Development header files for Emacs.
%patch7 -p1 -b .htmlfontify-command-injection-vulnerability %patch7 -p1 -b .htmlfontify-command-injection-vulnerability
%patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability %patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability
%patch9 -p1 -b .ob-latex-command-injection-vulnerability %patch9 -p1 -b .ob-latex-command-injection-vulnerability
%patch10 -p1 -b .org-link-expand-abbrev-unsafe-elisp
autoconf autoconf
# We prefer our emacs.desktop file # We prefer our emacs.desktop file
@ -255,7 +253,7 @@ ln -s ../configure .
%configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \ %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \
--with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \ --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \
--with-modules --with-harfbuzz --with-cairo --with-json --with-xwidgets --with-modules --with-harfbuzz --with-cairo --with-json
make bootstrap make bootstrap
%{setarch} %make_build %{setarch} %make_build
cd .. cd ..
@ -493,24 +491,17 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
%{_includedir}/emacs-module.h %{_includedir}/emacs-module.h
%changelog %changelog
* Tue Sep 10 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 1:27.2-10.inferit
- Update to 27.2-10
* Fri Aug 23 2024 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-10
- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
- Disable xwidgets (RHEL-33447)
* Thu Aug 10 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 1:27.2-8.1.inferit * Thu Aug 10 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 1:27.2-8.1.inferit
- Added Russian description for ArcMenu and gnome-software - Added Russian description for ArcMenu and gnome-software
- Rebuilt for MSVSphere 9.2 - Rebuilt for MSVSphere 9.2
* Sun Apr 02 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9 * Tue Apr 4 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-8.1
- Fix etags local command injection vulnerability (#2175190) - Fix etags local command injection vulnerability (#2184369)
- Fix htmlfontify.el command injection vulnerability (#2175179) - Fix htmlfontify.el command injection vulnerability (#2184368)
- Fix ruby-mode.el local command injection vulnerability (#2175142) - Fix ruby-mode.el local command injection vulnerability (#2184367)
- Fix ob-latex.el command injection vulnerability (#2180590) - Fix ob-latex.el command injection vulnerability (#2184377)
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1:27.2-8 * Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 27.2-6
- Rebuilt for MSVSphere 9.1. - Rebuilt for MSVSphere 9.1.
* Tue Jan 10 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-8 * Tue Jan 10 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-8

Write Preview
Loading…
Cancel
Save