Compare commits
No commits in common. 'c9' and 'i9-test' have entirely different histories.
@ -1 +1,2 @@
|
||||
8d18e2bfb6e28cf060ce7587290954e9c582aa25 SOURCES/emacs-27.2.tar.xz
|
||||
4898b4750740a0b711bb140a2fad512d80a991b0 SOURCES/gpgkey-E6C9029C363AD41D787A8EBB91C1262F01EB8D39.gpg
|
||||
|
||||
@ -1 +1,2 @@
|
||||
SOURCES/emacs-27.2.tar.xz
|
||||
SOURCES/gpgkey-E6C9029C363AD41D787A8EBB91C1262F01EB8D39.gpg
|
||||
|
||||
@ -1,105 +0,0 @@
|
||||
From 01a4035c869b91c153af9a9132c87adb7669ea1c Mon Sep 17 00:00:00 2001
|
||||
From: lu4nx <lx@shellcodes.org>
|
||||
Date: Tue, 6 Dec 2022 15:42:40 +0800
|
||||
Subject: [PATCH] Fix etags local command injection vulnerability
|
||||
|
||||
* lib-src/etags.c: (escape_shell_arg_string): New function.
|
||||
(process_file_name): Use it to quote file names passed to the
|
||||
shell. (Bug#59817)
|
||||
---
|
||||
lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
|
||||
1 file changed, 58 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib-src/etags.c b/lib-src/etags.c
|
||||
index d1d20858cdd..ba0092cc637 100644
|
||||
--- a/lib-src/etags.c
|
||||
+++ b/lib-src/etags.c
|
||||
@@ -399,6 +399,7 @@ static void put_entries (node *);
|
||||
static void clean_matched_file_tag (char const * const, char const * const);
|
||||
|
||||
static void do_move_file (const char *, const char *);
|
||||
+static char *escape_shell_arg_string (char *);
|
||||
static char *concat (const char *, const char *, const char *);
|
||||
static char *skip_spaces (char *);
|
||||
static char *skip_non_spaces (char *);
|
||||
@@ -1670,13 +1671,16 @@ process_file_name (char *file, language *lang)
|
||||
else
|
||||
{
|
||||
#if MSDOS || defined (DOS_NT)
|
||||
- char *cmd1 = concat (compr->command, " \"", real_name);
|
||||
- char *cmd = concat (cmd1, "\" > ", tmp_name);
|
||||
+ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
|
||||
+ char *cmd = xmalloc (buf_len);
|
||||
+ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
|
||||
#else
|
||||
- char *cmd1 = concat (compr->command, " '", real_name);
|
||||
- char *cmd = concat (cmd1, "' > ", tmp_name);
|
||||
+ char *new_real_name = escape_shell_arg_string (real_name);
|
||||
+ char *new_tmp_name = escape_shell_arg_string (tmp_name);
|
||||
+ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
|
||||
+ char *cmd = xmalloc (buf_len);
|
||||
+ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
|
||||
#endif
|
||||
- free (cmd1);
|
||||
int tmp_errno;
|
||||
if (system (cmd) == -1)
|
||||
{
|
||||
@@ -7124,6 +7128,55 @@ etags_mktmp (void)
|
||||
return templt;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Adds single quotes around a string, if found single quotes, escaped it.
|
||||
+ * Return a newly-allocated string.
|
||||
+ *
|
||||
+ * For example:
|
||||
+ * escape_shell_arg_string("test.txt") => 'test.txt'
|
||||
+ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
|
||||
+ */
|
||||
+static char *
|
||||
+escape_shell_arg_string (char *str)
|
||||
+{
|
||||
+ char *p = str;
|
||||
+ int need_space = 2; /* ' at begin and end */
|
||||
+
|
||||
+ while (*p != '\0')
|
||||
+ {
|
||||
+ if (*p == '\'')
|
||||
+ need_space += 4; /* ' to '\'', length is 4 */
|
||||
+ else
|
||||
+ need_space++;
|
||||
+
|
||||
+ p++;
|
||||
+ }
|
||||
+
|
||||
+ char *new_str = xnew (need_space + 1, char);
|
||||
+ new_str[0] = '\'';
|
||||
+ new_str[need_space-1] = '\'';
|
||||
+
|
||||
+ int i = 1; /* skip first byte */
|
||||
+ p = str;
|
||||
+ while (*p != '\0')
|
||||
+ {
|
||||
+ new_str[i] = *p;
|
||||
+ if (*p == '\'')
|
||||
+ {
|
||||
+ new_str[i+1] = '\\';
|
||||
+ new_str[i+2] = '\'';
|
||||
+ new_str[i+3] = '\'';
|
||||
+ i += 3;
|
||||
+ }
|
||||
+
|
||||
+ i++;
|
||||
+ p++;
|
||||
+ }
|
||||
+
|
||||
+ new_str[need_space] = '\0';
|
||||
+ return new_str;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
do_move_file(const char *src_file, const char *dst_file)
|
||||
{
|
||||
--
|
||||
2.36.1
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
|
||||
From: Xi Lu <lx@shellcodes.org>
|
||||
Date: Sat, 24 Dec 2022 16:28:54 +0800
|
||||
Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
|
||||
|
||||
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
|
||||
vulnerability. (Bug#60295)
|
||||
---
|
||||
lisp/htmlfontify.el | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
|
||||
index df4c6ab079c..389b92939cc 100644
|
||||
--- a/lisp/htmlfontify.el
|
||||
+++ b/lisp/htmlfontify.el
|
||||
@@ -1912,7 +1912,7 @@ hfy-make-directory
|
||||
|
||||
(defun hfy-text-p (srcdir file)
|
||||
"Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this."
|
||||
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
|
||||
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
|
||||
(rsp (shell-command-to-string cmd)))
|
||||
(string-match "text" rsp)))
|
||||
|
||||
--
|
||||
2.36.1
|
||||
@ -1,43 +0,0 @@
|
||||
From a8006ea580ed74f27f974d60b598143b04ad1741 Mon Sep 17 00:00:00 2001
|
||||
From: Xi Lu <lx@shellcodes.org>
|
||||
Date: Sat, 11 Mar 2023 18:53:37 +0800
|
||||
Subject: * lisp/org/ob-latex.el: Fix command injection vulnerability
|
||||
|
||||
(org-babel-execute:latex):
|
||||
Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
|
||||
|
||||
TINYCHANGE
|
||||
---
|
||||
lisp/org/ob-latex.el | 13 +++++--------
|
||||
1 file changed, 5 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
|
||||
index a2c24b3..ce39628 100644
|
||||
--- a/lisp/org/ob-latex.el
|
||||
+++ b/lisp/org/ob-latex.el
|
||||
@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."
|
||||
(if (string-suffix-p ".svg" out-file)
|
||||
(progn
|
||||
(shell-command "pwd")
|
||||
- (shell-command (format "mv %s %s"
|
||||
- (concat (file-name-sans-extension tex-file) "-1.svg")
|
||||
- out-file)))
|
||||
+ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
|
||||
+ out-file t))
|
||||
(error "SVG file produced but HTML file requested")))
|
||||
((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
|
||||
(if (string-suffix-p ".html" out-file)
|
||||
- (shell-command "mv %s %s"
|
||||
- (concat (file-name-sans-extension tex-file)
|
||||
- ".html")
|
||||
- out-file)
|
||||
- (error "HTML file produced but SVG file requested")))))
|
||||
+ (rename-file (concat (file-name-sans-extension tex-file) ".html")
|
||||
+ out-file t)
|
||||
+ (error "HTML file produced but SVG file requested")))))
|
||||
((or (string= "pdf" extension) imagemagick)
|
||||
(with-temp-file tex-file
|
||||
(require 'ox-latex)
|
||||
--
|
||||
cgit v1.1
|
||||
|
||||
@ -1,68 +0,0 @@
|
||||
From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
|
||||
From: Ihor Radchenko <yantar92@posteo.net>
|
||||
Date: Tue, 18 Jun 2024 13:06:44 +0200
|
||||
Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
|
||||
|
||||
* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
|
||||
abbrevs that specify unsafe function. Instead, display a warning, and
|
||||
do not expand the abbrev. Clear all the text properties from the
|
||||
returned link, to avoid any potential vulnerabilities caused by
|
||||
properties that may contain arbitrary Elisp.
|
||||
---
|
||||
lisp/org/ol.el | 40 +++++++++++++++++++++++++++++-----------
|
||||
1 file changed, 29 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/lisp/org/ol.el b/lisp/org/ol.el
|
||||
index 7a7f4f5..8a556c7 100644
|
||||
--- a/lisp/org/ol.el
|
||||
+++ b/lisp/org/ol.el
|
||||
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
|
||||
(if (not as)
|
||||
link
|
||||
(setq rpl (cdr as))
|
||||
- (cond
|
||||
- ((symbolp rpl) (funcall rpl tag))
|
||||
- ((string-match "%(\\([^)]+\\))" rpl)
|
||||
- (replace-match
|
||||
- (save-match-data
|
||||
- (funcall (intern-soft (match-string 1 rpl)) tag))
|
||||
- t t rpl))
|
||||
- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
|
||||
- ((string-match "%h" rpl)
|
||||
- (replace-match (url-hexify-string (or tag "")) t t rpl))
|
||||
- (t (concat rpl tag)))))))
|
||||
+ ;; Drop any potentially dangerous text properties like
|
||||
+ ;; `modification-hooks' that may be used as an attack vector.
|
||||
+ (substring-no-properties
|
||||
+ (cond
|
||||
+ ((symbolp rpl) (funcall rpl tag))
|
||||
+ ((string-match "%(\\([^)]+\\))" rpl)
|
||||
+ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
|
||||
+ ;; Using `unsafep-function' is not quite enough because
|
||||
+ ;; Emacs considers functions like `genenv' safe, while
|
||||
+ ;; they can potentially be used to expose private system
|
||||
+ ;; data to attacker if abbreviated link is clicked.
|
||||
+ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
|
||||
+ (eq t (get rpl-fun-symbol 'pure)))
|
||||
+ (replace-match
|
||||
+ (save-match-data
|
||||
+ (funcall (intern-soft (match-string 1 rpl)) tag))
|
||||
+ t t rpl)
|
||||
+ (org-display-warning
|
||||
+ (format "Disabling unsafe link abbrev: %s
|
||||
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
|
||||
+ rpl (match-string 1 rpl)))
|
||||
+ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
|
||||
+ org-link-abbrev-alist (delete as org-link-abbrev-alist))
|
||||
+ link
|
||||
+ )))
|
||||
+ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
|
||||
+ ((string-match "%h" rpl)
|
||||
+ (replace-match (url-hexify-string (or tag "")) t t rpl))
|
||||
+ (t (concat rpl tag))))))))
|
||||
|
||||
(defun org-link-open (link &optional arg)
|
||||
"Open a link object LINK.
|
||||
--
|
||||
cgit v1.1
|
||||
|
||||
@ -1,28 +0,0 @@
|
||||
From 9a3b08061feea14d6f37685ca1ab8801758bfd1c Mon Sep 17 00:00:00 2001
|
||||
From: Xi Lu <lx@shellcodes.org>
|
||||
Date: Fri, 23 Dec 2022 12:52:48 +0800
|
||||
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
|
||||
(bug#60268)
|
||||
|
||||
* lisp/progmodes/ruby-mode.el
|
||||
(ruby-find-library-file): Fix local command injection vulnerability.
|
||||
---
|
||||
lisp/progmodes/ruby-mode.el | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
|
||||
index 1f3e9b6ae7b..a4aa61905e4 100644
|
||||
--- a/lisp/progmodes/ruby-mode.el
|
||||
+++ b/lisp/progmodes/ruby-mode.el
|
||||
@@ -1820,7 +1820,7 @@ ruby-find-library-file
|
||||
(setq feature-name (read-string "Feature name: " init))))
|
||||
(let ((out
|
||||
(substring
|
||||
- (shell-command-to-string (concat "gem which " feature-name))
|
||||
+ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
|
||||
0 -1)))
|
||||
(if (string-match-p "\\`ERROR" out)
|
||||
(user-error "%s" out)
|
||||
--
|
||||
2.36.1
|
||||
|
||||
@ -1,29 +0,0 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQENBF+pf4UBCAC6vjkWLSAsQpe8YIGKLQzNOJx/IjGtCdFF8uzmO5jmME+SD8RO
|
||||
uJN+t5KXVw58uzu75EFD0vHTY9e+udJ2gkpuy0NnzkFcbumdLLo2ERKCoSctZZRh
|
||||
zKXI5z5cHxCqW0B2ygHRrRLtoNlGID7bAgcgSViT1ptGqTXO7zGVu4Airok7dNzc
|
||||
PtHgns8GlR5YAFX0TvE6oGd0l2VPghNeVJKJOjrbfhoDxl3ucFpqbqMH8z9HTLDO
|
||||
Fpz8UaYYUdJMi3xX6vwTZxI2sM2RRVLUpZyllAkSMI4lln1OOgazM/62DJUs/rKI
|
||||
HKBnF6h3/qsJUjUYXaAHbrXY26mWllAd536lABEBAAG0I0VsaSBaYXJldHNraWkg
|
||||
KGVsaXopIDxlbGl6QGdudS5vcmc+iQE4BBMBAgAiBQJfqX+FAhsDBgsJCAcDAgYV
|
||||
CAIJCgsEFgIDAQIeAQIXgAAKCRCRwSYvAeuNOYUQB/4/iIKKOG45ijNaRoTvmJJZ
|
||||
Mvj1S07WQxEm7c5SHEeEQbLOAxB9vESOV7sLueuN3oqEndtzyYt4x1WTSBmHFF7h
|
||||
5fcCMjBs41siOIp5Sj/xD0Bvaa0IKGCRSZ7PAo8Mq3wgajXpTpn9vxE2PmtzA8Kd
|
||||
EE0K1+f9pVAfOpUIcCl44rIxLUW352XG0y7iz6c/O6LB1deOKMiKFctKO7pBti1d
|
||||
JEm1ImewLH3H8uTbwspLOs3EB8xhsESxmTidnze68HX2jt+2EeMgCdkiNU+LWbex
|
||||
QZPfIS7+ZmE06ll0v6+Jy7ZdTkCCRypKWTnW7pIFsq/p4kybV8O/kHSV6B4vvQBf
|
||||
uQENBF+pf4UBCACvFrdx/m22lgObypSmSS4TNlNvQnMUorrMmp0U32hv5adt6CKX
|
||||
eMjk05F+GcIfVMrpxqMBn4sEUIXWhhogQJa9ZbWEP/HbS8XjMMbz0Q0Siaty9+DS
|
||||
spK/9u2GWKsz3uQzLCexIJtzmXvjAVmvoMCAU/F2t038ggygjYLRgyLRNLgbbart
|
||||
u2dMkvrfxRjheip60S4S3utOcwUf/qdoa1grNannCFluHr/ftXCeeuGB4H8iO0BX
|
||||
WNby6NZPizxJttx9gdcH8/OmDOJkXyRMTT/3sSem76CSOjfXcz7saJlg680NQhG5
|
||||
TmuYERjJD4+U02K5RuqTsEnOuWeFy4p+/mslABEBAAGJAR8EGAECAAkFAl+pf4UC
|
||||
GwwACgkQkcEmLwHrjTno7Af/a1XoLHxAUkS43nmF8iazn3ZnuwWKWLEAsNrxk56y
|
||||
UxhUPRzNs0/fsABDQR1o0DyTqbScKOcOMSG2YMCctLiDd7FdfMWwkUsV9GUpPBiR
|
||||
tD60Ewmn9sbNJKrEoZ5L6sqOUEslJRVABu5taOzVIRfeUPPaMRjvCcr0d+epKjW8
|
||||
1J9Aqj8SskuNkHwvHchTYFYVT22aemjjZ1MGOUm7QiybWQgYL6aSPV2gR+NQQ7pE
|
||||
hOBoEi6GLEiBkoYOIXvmxsqQLBrUPbsJq8lItYEaw4HGt8BaPxtK2yZ9mSqC2xhW
|
||||
Yr1j1YAIHffzubC0jxc5znXERsRANoJOwNUXmiddD7UM9A==
|
||||
=g4R7
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
Loading…
Reference in new issue