packages/emacs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!66 fix CVE-2022-48337 CVE-2022-48338 CVE-2022-48339

Browse Source 
From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
This commit is contained in:
openeuler-ci-bot 2023-02-27 01:24:56 +00:00 committed by Gitee
commit 555d8bf97c
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 172 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
backport-CVE-2022-48337.patch Normal file
View File

@ -0,0 +1,107 @@
From 01a4035c869b91c153af9a9132c87adb7669ea1c Mon Sep 17 00:00:00 2001
From: lu4nx <lx@shellcodes.org>
Date: Tue, 6 Dec 2022 15:42:40 +0800
Subject: Fix etags local command injection vulnerability
* lib-src/etags.c: (escape_shell_arg_string): New function.
(process_file_name): Use it to quote file names passed to the
shell. (Bug#59817)
Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c
Conflict:NA
---
lib-src/etags.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 58 insertions(+), 5 deletions(-)
diff --git a/lib-src/etags.c b/lib-src/etags.c
index d1d2085..ba0092c 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -401,6 +401,7 @@ static void invalidate_nodes (fdesc *, node **);
static void put_entries (node *);
static void clean_matched_file_tag (char const * const, char const * const);
+static char *escape_shell_arg_string (char *);
static void do_move_file (const char *, const char *);
static char *concat (const char *, const char *, const char *);
static char *skip_spaces (char *);
@@ -1713,13 +1714,16 @@ process_file_name (char *file, language *lang)
else
{
#if MSDOS || defined (DOS_NT)
- char *cmd1 = concat (compr->command, " \"", real_name);
- char *cmd = concat (cmd1, "\" > ", tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
#else
- char *cmd1 = concat (compr->command, " '", real_name);
- char *cmd = concat (cmd1, "' > ", tmp_name);
+ char *new_real_name = escape_shell_arg_string (real_name);
+ char *new_tmp_name = escape_shell_arg_string (tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
#endif
- free (cmd1);
inf = (system (cmd) == -1
? NULL
: fopen (tmp_name, "r" FOPEN_BINARY));
@@ -7707,6 +7711,55 @@ etags_mktmp (void)
return templt;
}
+/*
+ * Adds single quotes around a string, if found single quotes, escaped it.
+ * Return a newly-allocated string.
+ *
+ * For example:
+ * escape_shell_arg_string("test.txt") => 'test.txt'
+ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
+ */
+static char *
+escape_shell_arg_string (char *str)
+{
+ char *p = str;
+ int need_space = 2; /* ' at begin and end */
+
+ while (*p != '\0')
+ {
+ if (*p == '\'')
+ need_space += 4; /* ' to '\'', length is 4 */
+ else
+ need_space++;
+
+ p++;
+ }
+
+ char *new_str = xnew (need_space + 1, char);
+ new_str[0] = '\'';
+ new_str[need_space-1] = '\'';
+
+ int i = 1; /* skip first byte */
+ p = str;
+ while (*p != '\0')
+ {
+ new_str[i] = *p;
+ if (*p == '\'')
+ {
+ new_str[i+1] = '\\';
+ new_str[i+2] = '\'';
+ new_str[i+3] = '\'';
+ i += 3;
+ }
+
+ i++;
+ p++;
+ }
+
+ new_str[need_space] = '\0';
+ return new_str;
+}
+
static void
do_move_file(const char *src_file, const char *dst_file)
{
--
cgit v1.1

29
backport-CVE-2022-48338.patch Normal file
View File

@ -0,0 +1,29 @@
From 9a3b08061feea14d6f37685ca1ab8801758bfd1c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Fri, 23 Dec 2022 12:52:48 +0800
Subject: Fix ruby-mode.el local command injection vulnerability (bug#60268)
* lisp/progmodes/ruby-mode.el
(ruby-find-library-file): Fix local command injection vulnerability.
Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
Conflict:NA
---
lisp/progmodes/ruby-mode.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
index 1f3e9b6..a4aa619 100644
--- a/lisp/progmodes/ruby-mode.el
+++ b/lisp/progmodes/ruby-mode.el
@@ -1899,7 +1899,7 @@ or `gem' statement around point."
(setq feature-name (read-string "Feature name: " init))))
(let ((out
(substring
- (shell-command-to-string (concat "gem which " feature-name))
+ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
0 -1)))
(if (string-match-p "\\`ERROR" out)
(user-error "%s" out)
--
cgit v1.1

29
backport-CVE-2022-48339.patch Normal file
View File

@ -0,0 +1,29 @@
From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: Fix htmlfontify.el command injection vulnerability.
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability. (Bug#60295)
Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c
Conflict:NA
---
lisp/htmlfontify.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index df4c6ab..389b929 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
(defun hfy-text-p (srcdir file)
"Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
(rsp (shell-command-to-string cmd)))
(string-match "text" rsp)))
--
cgit v1.1

8
emacs.spec
View File

@ -8,7 +8,7 @@
Name: emacs Name: emacs
Epoch: 1 Epoch: 1
Version: 28.2 Version: 28.2
Release: 1 Release: 2
Summary: An extensible GNU text editor Summary: An extensible GNU text editor
License: GPLv3+ and CC0-1.0 License: GPLv3+ and CC0-1.0
URL: http://www.gnu.org/software/emacs URL: http://www.gnu.org/software/emacs
@ -28,6 +28,9 @@ Patch6001: emacs-spellchecker.patch
Patch6002: emacs-system-crypto-policies.patch Patch6002: emacs-system-crypto-policies.patch
Patch6003: backport-CVE-2022-45939.patch Patch6003: backport-CVE-2022-45939.patch
Patch6004: backport-CVE-2022-48337.patch
Patch6005: backport-CVE-2022-48338.patch
Patch6006: backport-CVE-2022-48339.patch
Patch9000: emacs-deal-taboo-words.patch Patch9000: emacs-deal-taboo-words.patch
BuildRequires: gcc atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel BuildRequires: gcc atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel
@ -411,6 +414,9 @@ fi
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Wed Feb 22 2023 zhangpan <zhangpan103@h-partners.com> - 1:28.2-2
- fix CVE-2022-48337 CVE-2022-48338 CVE-2022-48339
* Thu Feb 02 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 1:28.2-1 * Thu Feb 02 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 1:28.2-1
- update to 28.2 - update to 28.2