packages/emacs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!125 fix CVE-2025-1244

Browse Source 
From: @zppzhangpan 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock
This commit is contained in:
openeuler-ci-bot 2025-02-17 07:20:07 +00:00 committed by Gitee
commit 16e036447b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
backport-CVE-2025-1244.patch Normal file
View File

@ -0,0 +1,61 @@
From 820f0793f0b46448928905552726c1f1b999062f Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Tue, 10 Oct 2023 22:20:05 +0800
Subject: Fix man.el shell injection vulnerability
* lisp/man.el (Man-translate-references): Fix shell injection
vulnerability. (Bug#66390)
* test/lisp/man-tests.el (man-tests-Man-translate-references): New
test.
Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=820f0793f0b46448928905552726c1f1b999062f
Conflict:NA
---
lisp/man.el | 6 +++++-
test/lisp/man-tests.el | 12 ++++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lisp/man.el b/lisp/man.el
index 55cb938..d963964 100644
--- a/lisp/man.el
+++ b/lisp/man.el
@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)."
(setq name (match-string 2 ref)
section (match-string 1 ref))))
(if (string= name "")
- ref ; Return the reference as is
+ ;; see Bug#66390
+ (mapconcat 'identity
+ (mapcar #'shell-quote-argument
+ (split-string ref "\\s-+"))
+ " ") ; Return the reference as is
(if Man-downcase-section-letters-flag
(setq section (downcase section)))
(while slist
diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el
index 140482e..11f5f80 100644
--- a/test/lisp/man-tests.el
+++ b/test/lisp/man-tests.el
@@ -161,6 +161,18 @@ DESCRIPTION
(let ((button (button-at (match-beginning 0))))
(should (and button (eq 'Man-xref-header-file (button-type button))))))))))
+(ert-deftest man-tests-Man-translate-references ()
+ (should (equal (Man-translate-references "basename")
+ "basename"))
+ (should (equal (Man-translate-references "basename(3)")
+ "3 basename"))
+ (should (equal (Man-translate-references "basename(3v)")
+ "3v basename"))
+ (should (equal (Man-translate-references ";id")
+ "\\;id"))
+ (should (equal (Man-translate-references "-k basename")
+ "-k basename")))
+
(provide 'man-tests)
;;; man-tests.el ends here
--
cgit v1.1

6
emacs.spec
View File

@ -8,7 +8,7 @@
Name: emacs Name: emacs
Epoch: 1 Epoch: 1
Version: 29.1 Version: 29.1
Release: 3 Release: 4
Summary: An extensible GNU text editor Summary: An extensible GNU text editor
License: GPLv3+ and CC0-1.0 License: GPLv3+ and CC0-1.0
URL: http://www.gnu.org/software/emacs URL: http://www.gnu.org/software/emacs
@ -32,6 +32,7 @@ Patch6005: backport-CVE-2024-30203.patch
Patch6006: backport-CVE-2024-30204.patch Patch6006: backport-CVE-2024-30204.patch
Patch6007: backport-CVE-2024-30205.patch Patch6007: backport-CVE-2024-30205.patch
Patch6008: backport-CVE-2024-39331.patch Patch6008: backport-CVE-2024-39331.patch
Patch6009: backport-CVE-2025-1244.patch
Patch9000: emacs-deal-taboo-words.patch Patch9000: emacs-deal-taboo-words.patch
@ -416,6 +417,9 @@ fi
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Thu Feb 13 2025 zhangpan <zhangpan103@h-partners.com> - 1:29.1-4
- fix CVE-2025-1244
* Tue Jul 02 2024 zhangpan <zhangpan103@h-partners.com> - 1:29.1-3 * Tue Jul 02 2024 zhangpan <zhangpan103@h-partners.com> - 1:29.1-3
- fix CVE-2024-39331 - fix CVE-2024-39331