packages/emacs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:20087d728be0766611b2bfdd3cb5af22f194fdbc
Branches Tags
packages:main
..
compare: packages:95117865654d74e8a473e5e2f7f13148e0195a00
Branches Tags
packages:main

No commits in common. "20087d728be0766611b2bfdd3cb5af22f194fdbc" and "95117865654d74e8a473e5e2f7f13148e0195a00" have entirely different histories.
20087d728b ... 9511786565

19 changed files with 667 additions and 403 deletions
Show Stats Expand all files Collapse all files

32
backport-0001-CVE-2023-28617.patch Normal file
View File

@ -0,0 +1,32 @@
From 8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 18 Feb 2023 18:03:28 +0800
Subject: * lisp/ob-latex.el (org-babel-execute:latex): Fix command injection
vulnerability
Link: https://orgmode.org/list/tencent_5C4D5D0DEFDDBBFC66F855703927E60C7706@qq.com
TINYCHANGE
Reference:https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485
Conflict:NA
---
lisp/org/ob-latex.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
index 428907a..a0154bf 100644
--- a/lisp/org/ob-latex.el
+++ b/lisp/org/ob-latex.el
@@ -180,7 +180,7 @@ This function is called by `org-babel-execute-src-block'."
tmp-pdf
(list org-babel-latex-pdf-svg-process)
extension err-msg log-buf)))
- (shell-command (format "mv %s %s" img-out out-file)))))
+ (rename-file img-out out-file t))))
((string-suffix-p ".tikz" out-file)
(when (file-exists-p out-file) (delete-file out-file))
(with-temp-file out-file
--
cgit v1.1

25
backport-0002-CVE-2022-48337.patch Normal file
View File

@ -0,0 +1,25 @@
From c6ece14812f32a7f9f0d69497c886d178730a75f Mon Sep 17 00:00:00 2001
From: Super User <root@localhost.localdomain>
Date: Mon, 25 Sep 2023 14:14:02 +0800
Subject: [PATCH] backport 0002 CVE-2022-48337
---
lib-src/etags.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib-src/etags.c b/lib-src/etags.c
index a6bd7f6..ea80ba6 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -1714,6 +1714,8 @@ process_file_name (char *file, language *lang)
int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
char *cmd = xmalloc (buf_len);
snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ free (new_real_name);
+ free (new_tmp_name);
#endif
inf = (system (cmd) == -1
? NULL
--
2.41.0

46
backport-0002-CVE-2023-28617.patch Normal file
View File

@ -0,0 +1,46 @@
From a8006ea580ed74f27f974d60b598143b04ad1741 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 11 Mar 2023 18:53:37 +0800
Subject: * lisp/ob-latex.el: Fix command injection vulnerability
(org-babel-execute:latex):
Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
TINYCHANGE
Reference:https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
Conflict:NA
---
lisp/org/ob-latex.el | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
index a2c24b3..ce39628 100644
--- a/lisp/org/ob-latex.el
+++ b/lisp/org/ob-latex.el
@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."
(if (string-suffix-p ".svg" out-file)
(progn
(shell-command "pwd")
- (shell-command (format "mv %s %s"
- (concat (file-name-sans-extension tex-file) "-1.svg")
- out-file)))
+ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
+ out-file t))
(error "SVG file produced but HTML file requested")))
((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
(if (string-suffix-p ".html" out-file)
- (shell-command "mv %s %s"
- (concat (file-name-sans-extension tex-file)
- ".html")
- out-file)
- (error "HTML file produced but SVG file requested")))))
+ (rename-file (concat (file-name-sans-extension tex-file) ".html")
+ out-file t)
+ (error "HTML file produced but SVG file requested")))))
((or (string= "pdf" extension) imagemagick)
(with-temp-file tex-file
(require 'ox-latex)
--
cgit v1.1

272
backport-CVE-2022-45939.patch Normal file
View File

@ -0,0 +1,272 @@
From d48bb4874bc6cd3e69c7a15fc3c91cc141025c51 Mon Sep 17 00:00:00 2001
From: lu4nx <lx@shellcodes.org>
Date: Fri, 25 Nov 2022 14:38:29 +0800
Subject: Fixed ctags local command execute vulnerability
* lib-src/etags.c:
(clean_matched_file_tag): New function
(do_move_file): New function
(readline_internal):
Add `leave_cr` parameter, if true, include the \r character
* test/manual/etags/CTAGS.good_crlf: New file
* test/manual/etags/CTAGS.good_update: New file
* test/manual/etags/crlf: New file
* test/manual/etags/Makefile: Add `ctags -u` test cases
Conflict:Removed test case related code, so the patch is over 9000 lines, it's too big
Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51
---
lib-src/etags.c | 149 +-
1 files changed, 113 insertions(+), 36 deletions(-)
diff --git a/lib-src/etags.c b/lib-src/etags.c
index 3107c7b..b6f51df 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -375,7 +375,7 @@ static void just_read_file (FILE *);
static language *get_language_from_langname (const char *);
static void readline (linebuffer *, FILE *);
-static ptrdiff_t readline_internal (linebuffer *, FILE *, char const *);
+static ptrdiff_t readline_internal (linebuffer *, FILE *, char const *, const bool);
static bool nocase_tail (const char *);
static void get_tag (char *, char **);
static void get_lispy_tag (char *);
@@ -399,7 +399,9 @@ static void free_fdesc (fdesc *);
static void pfnote (char *, bool, char *, ptrdiff_t, intmax_t, intmax_t);
static void invalidate_nodes (fdesc *, node **);
static void put_entries (node *);
+static void clean_matched_file_tag (char const * const, char const * const);
+static void do_move_file (const char *, const char *);
static char *concat (const char *, const char *, const char *);
static char *skip_spaces (char *);
static char *skip_non_spaces (char *);
@@ -1332,7 +1334,7 @@ main (int argc, char **argv)
if (parsing_stdin)
fatal ("cannot parse standard input "
"AND read file names from it");
- while (readline_internal (&filename_lb, stdin, "-") > 0)
+ while (readline_internal (&filename_lb, stdin, "-", false) > 0)
process_file_name (filename_lb.buffer, lang);
}
else
@@ -1380,9 +1382,6 @@ main (int argc, char **argv)
/* From here on, we are in (CTAGS && !cxref_style) */
if (update)
{
- char *cmd =
- xmalloc (strlen (tagfile) + whatlen_max +
- sizeof "mv..OTAGS;grep -Fv '\t\t' OTAGS >;rm OTAGS");
for (i = 0; i < current_arg; ++i)
{
switch (argbuffer[i].arg_type)
@@ -1393,17 +1392,8 @@ main (int argc, char **argv)
default:
continue; /* the for loop */
}
- char *z = stpcpy (cmd, "mv ");
- z = stpcpy (z, tagfile);
- z = stpcpy (z, " OTAGS;grep -Fv '\t");
- z = stpcpy (z, argbuffer[i].what);
- z = stpcpy (z, "\t' OTAGS >");
- z = stpcpy (z, tagfile);
- strcpy (z, ";rm OTAGS");
- if (system (cmd) != EXIT_SUCCESS)
- fatal ("failed to execute shell command");
+ clean_matched_file_tag (tagfile, argbuffer[i].what);
}
- free (cmd);
append_to_tagfile = true;
}
@@ -1448,6 +1438,51 @@ main (int argc, char **argv)
return EXIT_SUCCESS;
}
+/*
+ * Equivalent to: mv tags OTAGS;grep -Fv ' filename ' OTAGS >tags;rm OTAGS
+ */
+static void
+clean_matched_file_tag (const char* tagfile, const char* match_file_name)
+{
+ FILE *otags_f = fopen ("OTAGS", "wb");
+ FILE *tag_f = fopen (tagfile, "rb");
+
+ if (otags_f == NULL)
+ pfatal ("OTAGS");
+
+ if (tag_f == NULL)
+ pfatal (tagfile);
+
+ int buf_len = strlen (match_file_name) + sizeof ("\t\t ") + 1;
+ char *buf = xmalloc (buf_len);
+ snprintf (buf, buf_len, "\t%s\t", match_file_name);
+
+ linebuffer line;
+ linebuffer_init (&line);
+ while (readline_internal (&line, tag_f, tagfile, true) > 0)
+ {
+ if (ferror (tag_f))
+ pfatal (tagfile);
+
+ if (strstr (line.buffer, buf) == NULL)
+ {
+ fprintf (otags_f, "%s\n", line.buffer);
+ if (ferror (tag_f))
+ pfatal (tagfile);
+ }
+ }
+ free (buf);
+ free (line.buffer);
+
+ if (fclose (otags_f) == EOF)
+ pfatal ("OTAGS");
+
+ if (fclose (tag_f) == EOF)
+ pfatal (tagfile);
+
+ do_move_file ("OTAGS", tagfile);
+ return;
+}
/*
* Return a compressor given the file name. If EXTPTR is non-zero,
@@ -1831,7 +1866,7 @@ find_entries (FILE *inf)
/* Else look for sharp-bang as the first two characters. */
if (parser == NULL
- && readline_internal (&lb, inf, infilename) > 0
+ && readline_internal (&lb, inf, infilename, false) > 0
&& lb.len >= 2
&& lb.buffer[0] == '#'
&& lb.buffer[1] == '!')
@@ -6878,7 +6913,7 @@ analyze_regex (char *regex_arg)
if (regexfp == NULL)
pfatal (regexfile);
linebuffer_init (&regexbuf);
- while (readline_internal (&regexbuf, regexfp, regexfile) > 0)
+ while (readline_internal (&regexbuf, regexfp, regexfile, false) > 0)
analyze_regex (regexbuf.buffer);
free (regexbuf.buffer);
if (fclose (regexfp) != 0)
@@ -7226,11 +7261,13 @@ get_lispy_tag (register char *bp)
/*
* Read a line of text from `stream' into `lbp', excluding the
- * newline or CR-NL, if any. Return the number of characters read from
- * `stream', which is the length of the line including the newline.
+ * newline or CR-NL (if `leave_cr` is false), if any. Return the
+ * number of characters read from `stream', which is the length
+ * of the line including the newline.
*
- * On DOS or Windows we do not count the CR character, if any before the
- * NL, in the returned length; this mirrors the behavior of Emacs on those
+ * On DOS or Windows, if `leave_cr` is false, we do not count the
+ * CR character, if any before the NL, in the returned length;
+ * this mirrors the behavior of Emacs on those
* platforms (for text files, it translates CR-NL to NL as it reads in the
* file).
*
@@ -7238,7 +7275,7 @@ get_lispy_tag (register char *bp)
* appended to `filebuf'.
*/
static ptrdiff_t
-readline_internal (linebuffer *lbp, FILE *stream, char const *filename)
+readline_internal (linebuffer *lbp, FILE *stream, char const *filename, const bool leave_cr)
{
char *buffer = lbp->buffer;
char *p = lbp->buffer;
@@ -7268,19 +7305,19 @@ readline_internal (linebuffer *lbp, FILE *stream, char const *filename)
break;
}
if (c == '\n')
- {
- if (p > buffer && p[-1] == '\r')
- {
- p -= 1;
- chars_deleted = 2;
- }
- else
- {
- chars_deleted = 1;
- }
- *p = '\0';
- break;
- }
+ {
+ if (!leave_cr && p > buffer && p[-1] == '\r')
+ {
+ p -= 1;
+ chars_deleted = 2;
+ }
+ else
+ {
+ chars_deleted = 1;
+ }
+ *p = '\0';
+ break;
+ }
*p++ = c;
}
lbp->len = p - buffer;
@@ -7311,7 +7348,7 @@ static void
readline (linebuffer *lbp, FILE *stream)
{
linecharno = charno; /* update global char number of line start */
- ptrdiff_t result = readline_internal (lbp, stream, infilename);
+ ptrdiff_t result = readline_internal (lbp, stream, infilename, false);
lineno += 1; /* increment global line number */
charno += result; /* increment global char number */
@@ -7669,6 +7706,46 @@ etags_mktmp (void)
return templt;
}
+static void
+do_move_file(const char *src_file, const char *dst_file)
+{
+ if (rename (src_file, dst_file) == 0)
+ return;
+
+ FILE *src_f = fopen (src_file, "rb");
+ FILE *dst_f = fopen (dst_file, "wb");
+
+ if (src_f == NULL)
+ pfatal (src_file);
+
+ if (dst_f == NULL)
+ pfatal (dst_file);
+
+ int c;
+ while ((c = fgetc (src_f)) != EOF)
+ {
+ if (ferror (src_f))
+ pfatal (src_file);
+
+ if (ferror (dst_f))
+ pfatal (dst_file);
+
+ if (fputc (c, dst_f) == EOF)
+ pfatal ("cannot write");
+ }
+
+ if (fclose (src_f) == EOF)
+ pfatal (src_file);
+
+ if (fclose (dst_f) == EOF)
+ pfatal (dst_file);
+
+ if (unlink (src_file) == -1)
+ pfatal ("unlink error");
+
+ return;
+}
+
/* Return a newly allocated string containing the file name of FILE
relative to the absolute directory DIR (which should end with a slash). */
static char *
--
cgit v1.1

107
backport-CVE-2022-48337.patch Normal file
View File

@ -0,0 +1,107 @@
From 01a4035c869b91c153af9a9132c87adb7669ea1c Mon Sep 17 00:00:00 2001
From: lu4nx <lx@shellcodes.org>
Date: Tue, 6 Dec 2022 15:42:40 +0800
Subject: Fix etags local command injection vulnerability
* lib-src/etags.c: (escape_shell_arg_string): New function.
(process_file_name): Use it to quote file names passed to the
shell. (Bug#59817)
Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c
Conflict:NA
---
lib-src/etags.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 58 insertions(+), 5 deletions(-)
diff --git a/lib-src/etags.c b/lib-src/etags.c
index d1d2085..ba0092c 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -401,6 +401,7 @@ static void invalidate_nodes (fdesc *, node **);
static void put_entries (node *);
static void clean_matched_file_tag (char const * const, char const * const);
+static char *escape_shell_arg_string (char *);
static void do_move_file (const char *, const char *);
static char *concat (const char *, const char *, const char *);
static char *skip_spaces (char *);
@@ -1713,13 +1714,16 @@ process_file_name (char *file, language *lang)
else
{
#if MSDOS || defined (DOS_NT)
- char *cmd1 = concat (compr->command, " \"", real_name);
- char *cmd = concat (cmd1, "\" > ", tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
#else
- char *cmd1 = concat (compr->command, " '", real_name);
- char *cmd = concat (cmd1, "' > ", tmp_name);
+ char *new_real_name = escape_shell_arg_string (real_name);
+ char *new_tmp_name = escape_shell_arg_string (tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
#endif
- free (cmd1);
inf = (system (cmd) == -1
? NULL
: fopen (tmp_name, "r" FOPEN_BINARY));
@@ -7707,6 +7711,55 @@ etags_mktmp (void)
return templt;
}
+/*
+ * Adds single quotes around a string, if found single quotes, escaped it.
+ * Return a newly-allocated string.
+ *
+ * For example:
+ * escape_shell_arg_string("test.txt") => 'test.txt'
+ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
+ */
+static char *
+escape_shell_arg_string (char *str)
+{
+ char *p = str;
+ int need_space = 2; /* ' at begin and end */
+
+ while (*p != '\0')
+ {
+ if (*p == '\'')
+ need_space += 4; /* ' to '\'', length is 4 */
+ else
+ need_space++;
+
+ p++;
+ }
+
+ char *new_str = xnew (need_space + 1, char);
+ new_str[0] = '\'';
+ new_str[need_space-1] = '\'';
+
+ int i = 1; /* skip first byte */
+ p = str;
+ while (*p != '\0')
+ {
+ new_str[i] = *p;
+ if (*p == '\'')
+ {
+ new_str[i+1] = '\\';
+ new_str[i+2] = '\'';
+ new_str[i+3] = '\'';
+ i += 3;
+ }
+
+ i++;
+ p++;
+ }
+
+ new_str[need_space] = '\0';
+ return new_str;
+}
+
static void
do_move_file(const char *src_file, const char *dst_file)
{
--
cgit v1.1

29
backport-CVE-2022-48338.patch Normal file
View File

@ -0,0 +1,29 @@
From 9a3b08061feea14d6f37685ca1ab8801758bfd1c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Fri, 23 Dec 2022 12:52:48 +0800
Subject: Fix ruby-mode.el local command injection vulnerability (bug#60268)
* lisp/progmodes/ruby-mode.el
(ruby-find-library-file): Fix local command injection vulnerability.
Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
Conflict:NA
---
lisp/progmodes/ruby-mode.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
index 1f3e9b6..a4aa619 100644
--- a/lisp/progmodes/ruby-mode.el
+++ b/lisp/progmodes/ruby-mode.el
@@ -1899,7 +1899,7 @@ or `gem' statement around point."
(setq feature-name (read-string "Feature name: " init))))
(let ((out
(substring
- (shell-command-to-string (concat "gem which " feature-name))
+ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
0 -1)))
(if (string-match-p "\\`ERROR" out)
(user-error "%s" out)
--
cgit v1.1

29
backport-CVE-2022-48339.patch Normal file
View File

@ -0,0 +1,29 @@
From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: Fix htmlfontify.el command injection vulnerability.
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability. (Bug#60295)
Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c
Conflict:NA
---
lisp/htmlfontify.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index df4c6ab..389b929 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
(defun hfy-text-p (srcdir file)
"Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
(rsp (shell-command-to-string cmd)))
(string-match "text" rsp)))
--
cgit v1.1

64
backport-CVE-2023-27985.patch Normal file
View File

@ -0,0 +1,64 @@
From d32091199ae5de590a83f1542a01d75fba000467 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm@gentoo.org>
Date: Mon, 19 Dec 2022 16:51:20 +0100
Subject: Fix quoted argument in emacsclient-mail.desktop Exec key
Apparently the emacsclient-mail.desktop file doesn't conform to the
Desktop Entry Specification at
https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables
which says about the Exec key:
| Field codes must not be used inside a quoted argument, the result of
| field code expansion inside a quoted argument is undefined.
However, the %u field code is used inside a quoted argument of the
Exec key in both the [Desktop Entry] and [Desktop Action new-window]
sections.
* etc/emacsclient-mail.desktop (Exec): The Desktop Entry
Specification does not allow field codes like %u inside a quoted
argument. Work around it by passing %u as first parameter ($1)
to the shell wrapper.
* etc/emacsclient.desktop (Exec): Use `sh` rather than `placeholder`
as the command name of the shell wrapper. (Bug#60204)
---
etc/emacsclient-mail.desktop | 4 ++--
etc/emacsclient.desktop | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
index b575a41..91df122 100644
--- a/etc/emacsclient-mail.desktop
+++ b/etc/emacsclient-mail.desktop
@@ -1,7 +1,7 @@
[Desktop Entry]
Categories=Network;Email;
Comment=GNU Emacs is an extensible, customizable text editor - and more
-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)"
+Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
Icon=emacs
Name=Emacs (Mail, Client)
MimeType=x-scheme-handler/mailto;
@@ -13,7 +13,7 @@ Actions=new-window;new-instance;
[Desktop Action new-window]
Name=New Window
-Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")"
+Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
[Desktop Action new-instance]
Name=New Instance
diff --git a/etc/emacsclient.desktop b/etc/emacsclient.desktop
index 1ecdecf..a9f840c7 100644
--- a/etc/emacsclient.desktop
+++ b/etc/emacsclient.desktop
@@ -3,7 +3,7 @@ Name=Emacs (Client)
GenericName=Text Editor
Comment=Edit text
MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++;
-Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" placeholder %F
+Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" sh %F
Icon=emacs
Type=Application
Terminal=false
--
cgit v1.1

50
backport-CVE-2023-27986.patch Normal file
View File

@ -0,0 +1,50 @@
From 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm@gentoo.org>
Date: Tue, 7 Mar 2023 18:25:37 +0100
Subject: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
A crafted mailto URI could contain unescaped double-quote
characters, allowing injection of Elisp code. Therefore, any
'\' and '"' characters are replaced by '\\' and '\"', using Bash
pattern substitution (which is not available in the POSIX shell).
We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the
bash -c command, but in the desktop entry '"', '$', and '\' must
be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes
are expanded twice, see the Desktop Entry Specification).
Reported by Gabriel Corona <gabriel.corona@free.fr>.
* etc/emacsclient-mail.desktop (Exec): Escape backslash and
double-quote characters.
---
etc/emacsclient-mail.desktop | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
index 91df122..49c6f99 100644
--- a/etc/emacsclient-mail.desktop
+++ b/etc/emacsclient-mail.desktop
@@ -1,7 +1,10 @@
[Desktop Entry]
Categories=Network;Email;
Comment=GNU Emacs is an extensible, customizable text editor - and more
-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+# We want to pass the following commands to the shell wrapper:
+# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")"
+# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'.
+Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
Icon=emacs
Name=Emacs (Mail, Client)
MimeType=x-scheme-handler/mailto;
@@ -13,7 +16,7 @@ Actions=new-window;new-instance;
[Desktop Action new-window]
Name=New Window
-Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
[Desktop Action new-instance]
Name=New Instance
--
cgit v1.1

45
backport-CVE-2024-30202.patch
View File

@ -1,45 +0,0 @@
From befa9fcaae29a6c9a283ba371c3c5234c7f644eb Mon Sep 17 00:00:00 2001
From: Ihor Radchenko <yantar92@posteo.net>
Date: Tue, 20 Feb 2024 12:19:46 +0300
Subject: org-macro--set-templates: Prevent code evaluation
* lisp/org/org-macro.el (org-macro--set-templates): Get rid of any
risk to evaluate code when `org-macro--set-templates' is called as a
part of major mode initialization. This way, no code evaluation is
ever triggered when user merely opens the file or when
`mm-display-org-inline' invokes Org major mode to fontify mime part
preview in email messages.
---
lisp/org/org-macro.el | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lisp/org/org-macro.el b/lisp/org/org-macro.el
index 776d162..0be51ee 100644
--- a/lisp/org/org-macro.el
+++ b/lisp/org/org-macro.el
@@ -109,6 +109,13 @@ previous one, unless VALUE is nil. Return the updated list."
(let ((new-templates nil))
(pcase-dolist (`(,name . ,value) templates)
(let ((old-definition (assoc name new-templates)))
+ ;; This code can be evaluated unconditionally, as a part of
+ ;; loading Org mode. We *must not* evaluate any code present
+ ;; inside the Org buffer while loading. Org buffers may come
+ ;; from various sources, like received email messages from
+ ;; potentially malicious senders. Org mode might be used to
+ ;; preview such messages and no code evaluation from inside the
+ ;; received Org text should ever happen without user consent.
(when (and (stringp value) (string-match-p "\\`(eval\\>" value))
;; Pre-process the evaluation form for faster macro expansion.
(let* ((args (org-macro--makeargs value))
@@ -121,7 +128,7 @@ previous one, unless VALUE is nil. Return the updated list."
(cadr (read value))
(error
(user-error "Invalid definition for macro %S" name)))))
- (setq value (eval (macroexpand-all `(lambda ,args ,body)) t))))
+ (setq value `(lambda ,args ,body))))
(cond ((and value old-definition) (setcdr old-definition value))
(old-definition)
(t (push (cons name (or value "")) new-templates)))))
--
cgit v1.1

33
backport-CVE-2024-30203-pre.patch
View File

@ -1,33 +0,0 @@
From ccc188fcf98ad9166ee551fac9d94b2603c3a51b Mon Sep 17 00:00:00 2001
From: Ihor Radchenko <yantar92@posteo.net>
Date: Tue, 20 Feb 2024 12:43:51 +0300
Subject: * lisp/files.el (untrusted-content): New variable.
The new variable is to be used when buffer contents comes from untrusted
source.
---
lisp/files.el | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/lisp/files.el b/lisp/files.el
index c0d26b2..5536af0 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -695,6 +695,14 @@ Also see the `permanently-enabled-local-variables' variable."
Some modes may wish to set this to nil to prevent directory-local
settings being applied, but still respect file-local ones.")
+(defvar-local untrusted-content nil
+ "Non-nil means that current buffer originated from an untrusted source.
+Email clients and some other modes may set this non-nil to mark the
+buffer contents as untrusted.
+
+This variable might be subject to change without notice.")
+(put 'untrusted-content 'permanent-local t)
+
;; This is an odd variable IMO.
;; You might wonder why it is needed, when we could just do:
;; (setq-local enable-local-variables nil)
--
cgit v1.1

25
backport-CVE-2024-30203.patch
View File

@ -1,25 +0,0 @@
From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
From: Ihor Radchenko <yantar92@posteo.net>
Date: Tue, 20 Feb 2024 12:44:30 +0300
Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
untrusted.
---
lisp/gnus/mm-view.el | 1 +
1 file changed, 1 insertion(+)
diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index 2e1261c..5f234e5 100644
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
(setq coding-system (mm-find-buffer-file-coding-system)))
(setq text (buffer-string))))
(with-temp-buffer
+ (setq untrusted-content t)
(insert (cond ((eq charset 'gnus-decoded)
(with-current-buffer (mm-handle-buffer handle)
(buffer-string)))
--
cgit v1.1

57
backport-CVE-2024-30204.patch
View File

@ -1,57 +0,0 @@
From 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c Mon Sep 17 00:00:00 2001
From: Ihor Radchenko <yantar92@posteo.net>
Date: Tue, 20 Feb 2024 12:47:24 +0300
Subject: org-latex-preview: Add protection when `untrusted-content' is non-nil
* lisp/org/org.el (org--latex-preview-when-risky): New variable
controlling how to handle LaTeX previews in Org files from untrusted
origin.
(org-latex-preview): Consult `org--latex-preview-when-risky' before
generating previews.
This patch adds a layer of protection when LaTeX preview is requested
for an email attachment, where `untrusted-content' is set to non-nil.
---
lisp/org/org.el | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/lisp/org/org.el b/lisp/org/org.el
index c75afbf..0f5d17d 100644
--- a/lisp/org/org.el
+++ b/lisp/org/org.el
@@ -1140,6 +1140,24 @@ the following lines anywhere in the buffer:
:package-version '(Org . "8.0")
:type 'boolean)
+(defvar untrusted-content) ; defined in files.el
+(defvar org--latex-preview-when-risky nil
+ "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
+
+Some specially designed LaTeX code may generate huge pdf or log files
+that may exhaust disk space.
+
+This variable controls how to handle LaTeX preview when rendering LaTeX
+fragments that originate from incoming email messages. It has no effect
+when Org mode is unable to determine the origin of the Org buffer.
+
+An Org buffer is considered to be from unsafe source when the
+variable `untrusted-content' has a non-nil value in the buffer.
+
+If this variable is non-nil, LaTeX previews are rendered unconditionally.
+
+This variable may be renamed or changed in the future.")
+
(defcustom org-insert-mode-line-in-empty-file nil
"Non-nil means insert the first line setting Org mode in empty files.
When the function `org-mode' is called interactively in an empty file, this
@@ -15695,6 +15713,7 @@ fragments in the buffer."
(interactive "P")
(cond
((not (display-graphic-p)) nil)
+ ((and untrusted-content (not org--latex-preview-when-risky)) nil)
;; Clear whole buffer.
((equal arg '(64))
(org-clear-latex-preview (point-min) (point-max))
--
cgit v1.1

36
backport-CVE-2024-30205.patch
View File

@ -1,36 +0,0 @@
From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
From: Ihor Radchenko <yantar92@posteo.net>
Date: Tue, 20 Feb 2024 14:59:20 +0300
Subject: org-file-contents: Consider all remote files unsafe
* lisp/org/org.el (org-file-contents): When loading files, consider all
remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
---
lisp/org/org.el | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lisp/org/org.el b/lisp/org/org.el
index 0f5d17d..76559c9 100644
--- a/lisp/org/org.el
+++ b/lisp/org/org.el
@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
is available. This option applies only if FILE is a URL."
(let* ((is-url (org-url-p file))
+ (is-remote (condition-case nil
+ (file-remote-p file)
+ ;; In case of error, be safe.
+ (t t)))
(cache (and is-url
(not nocache)
(gethash file org--file-cache))))
(cond
(cache)
- (is-url
+ ((or is-url is-remote)
(if (org--should-fetch-remote-resource-p file)
(condition-case error
(with-current-buffer (url-retrieve-synchronously file)
--
cgit v1.1

68
backport-CVE-2024-39331.patch
View File

@ -1,68 +0,0 @@
From c645e1d8205f0f0663ec4a2d27575b238c646c7c Mon Sep 17 00:00:00 2001
From: Ihor Radchenko <yantar92@posteo.net>
Date: Fri, 21 Jun 2024 15:45:25 +0200
Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...)
link abbrevs that specify unsafe function. Instead, display a
warning, and do not expand the abbrev. Clear all the text properties
from the returned link, to avoid any potential vulnerabilities caused
by properties that may contain arbitrary Elisp.
---
lisp/org/ol.el | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/lisp/org/ol.el b/lisp/org/ol.el
index 4c84e62..c34d92b 100644
--- a/lisp/org/ol.el
+++ b/lisp/org/ol.el
@@ -1063,17 +1063,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
(if (not as)
link
(setq rpl (cdr as))
- (cond
- ((symbolp rpl) (funcall rpl tag))
- ((string-match "%(\\([^)]+\\))" rpl)
- (replace-match
- (save-match-data
- (funcall (intern-soft (match-string 1 rpl)) tag))
- t t rpl))
- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
- ((string-match "%h" rpl)
- (replace-match (url-hexify-string (or tag "")) t t rpl))
- (t (concat rpl tag)))))))
+ ;; Drop any potentially dangerous text properties like
+ ;; `modification-hooks' that may be used as an attack vector.
+ (substring-no-properties
+ (cond
+ ((symbolp rpl) (funcall rpl tag))
+ ((string-match "%(\\([^)]+\\))" rpl)
+ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
+ ;; Using `unsafep-function' is not quite enough because
+ ;; Emacs considers functions like `genenv' safe, while
+ ;; they can potentially be used to expose private system
+ ;; data to attacker if abbreviated link is clicked.
+ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
+ (eq t (get rpl-fun-symbol 'pure)))
+ (replace-match
+ (save-match-data
+ (funcall (intern-soft (match-string 1 rpl)) tag))
+ t t rpl)
+ (org-display-warning
+ (format "Disabling unsafe link abbrev: %s
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
+ rpl (match-string 1 rpl)))
+ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
+ org-link-abbrev-alist (delete as org-link-abbrev-alist))
+ link
+ )))
+ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+ ((string-match "%h" rpl)
+ (replace-match (url-hexify-string (or tag "")) t t rpl))
+ (t (concat rpl tag))))))))
(defun org-link-open (link &optional arg)
"Open a link object LINK.
--
cgit v1.1

61
backport-CVE-2025-1244.patch
View File

@ -1,61 +0,0 @@
From 820f0793f0b46448928905552726c1f1b999062f Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Tue, 10 Oct 2023 22:20:05 +0800
Subject: Fix man.el shell injection vulnerability
* lisp/man.el (Man-translate-references): Fix shell injection
vulnerability. (Bug#66390)
* test/lisp/man-tests.el (man-tests-Man-translate-references): New
test.
Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=820f0793f0b46448928905552726c1f1b999062f
Conflict:NA
---
lisp/man.el | 6 +++++-
test/lisp/man-tests.el | 12 ++++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lisp/man.el b/lisp/man.el
index 55cb938..d963964 100644
--- a/lisp/man.el
+++ b/lisp/man.el
@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)."
(setq name (match-string 2 ref)
section (match-string 1 ref))))
(if (string= name "")
- ref ; Return the reference as is
+ ;; see Bug#66390
+ (mapconcat 'identity
+ (mapcar #'shell-quote-argument
+ (split-string ref "\\s-+"))
+ " ") ; Return the reference as is
(if Man-downcase-section-letters-flag
(setq section (downcase section)))
(while slist
diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el
index 140482e..11f5f80 100644
--- a/test/lisp/man-tests.el
+++ b/test/lisp/man-tests.el
@@ -161,6 +161,18 @@ DESCRIPTION
(let ((button (button-at (match-beginning 0))))
(should (and button (eq 'Man-xref-header-file (button-type button))))))))))
+(ert-deftest man-tests-Man-translate-references ()
+ (should (equal (Man-translate-references "basename")
+ "basename"))
+ (should (equal (Man-translate-references "basename(3)")
+ "3 basename"))
+ (should (equal (Man-translate-references "basename(3v)")
+ "3v basename"))
+ (should (equal (Man-translate-references ";id")
+ "\\;id"))
+ (should (equal (Man-translate-references "-k basename")
+ "-k basename")))
+
(provide 'man-tests)
;;; man-tests.el ends here
--
cgit v1.1

BIN
emacs-29.1.tar.xz → emacs-28.2.tar.xz
View File

Binary file not shown.

52
emacs-add-sw64-support.patch
View File

@ -1,52 +0,0 @@
From 8fe8fef3274d006bd01900b8aee838c229e81cbd Mon Sep 17 00:00:00 2001
From: mahailiang <mahailiang@uniontech.com>
Date: Thu, 7 Nov 2024 09:46:14 +0800
Subject: [PATCH] add sw64 support
---
configure.ac | 2 +-
src/unexelf.c | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index ad1068a..dce63ff 100644
--- a/configure.ac
+++ b/configure.ac
@@ -740,7 +740,7 @@ case "${canonical}" in
*-apple-darwin* )
case "${canonical}" in
*-apple-darwin[0-9].*) unported=yes ;;
- i[3456]86-* | x86_64-* | arm-* | aarch64-* ) ;;
+ i[3456]86-* | x86_64-* | arm-* | sw_64-* | aarch64-* ) ;;
* ) unported=yes ;;
esac
opsys=darwin
diff --git a/src/unexelf.c b/src/unexelf.c
index 607ac0c..da5cbd6 100644
--- a/src/unexelf.c
+++ b/src/unexelf.c
@@ -120,7 +120,7 @@ typedef struct {
/*
* NetBSD does not have normal-looking user-land ELF support.
*/
-# if defined __alpha__ || defined __sparc_v9__ || defined _LP64
+# if defined __alpha__ || defined __sparc_v9__ || defined _LP64 || defined __sw_64__
# define ELFSIZE 64
# else
# define ELFSIZE 32
@@ -150,6 +150,12 @@ typedef struct {
# define pHDRR HDRR *
# endif /* __alpha__ */
+# ifdef __sw_64__
+# include <sys/exec_ecoff.h>
+# define HDRR struct ecoff_symhdr
+# define pHDRR HDRR *
+# endif /* __sw_64__ */
+
#ifdef __mips__ /* was in pkgsrc patches for 20.7 */
# define SHT_MIPS_DEBUG DT_MIPS_FLAGS
# define HDRR struct Elf_Shdr
--
2.39.3

39
emacs.spec
View File

@ -7,7 +7,7 @@
Name: emacs
Epoch: 1
Version: 29.1
Version: 28.2
Release: 5
Summary: An extensible GNU text editor
License: GPLv3+ and CC0-1.0
@ -26,16 +26,18 @@ Source7: emacs-terminal.desktop
Patch6001: emacs-spellchecker.patch
#https://src.fedoraproject.org/rpms/emacs/blob/rawhide/f/emacs-system-crypto-policies.patch
Patch6002: emacs-system-crypto-policies.patch
Patch6003: backport-CVE-2024-30202.patch
Patch6004: backport-CVE-2024-30203-pre.patch
Patch6005: backport-CVE-2024-30203.patch
Patch6006: backport-CVE-2024-30204.patch
Patch6007: backport-CVE-2024-30205.patch
Patch6008: backport-CVE-2024-39331.patch
Patch6009: backport-CVE-2025-1244.patch
Patch6003: backport-CVE-2022-45939.patch
Patch6004: backport-CVE-2022-48337.patch
Patch6005: backport-CVE-2022-48338.patch
Patch6006: backport-CVE-2022-48339.patch
Patch6007: backport-CVE-2023-27985.patch
Patch6008: backport-CVE-2023-27986.patch
Patch6009: backport-0001-CVE-2023-28617.patch
Patch6010: backport-0002-CVE-2023-28617.patch
Patch6011: backport-0002-CVE-2022-48337.patch
Patch9000: emacs-deal-taboo-words.patch
Patch9001: emacs-add-sw64-support.patch
BuildRequires: gcc atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel
BuildRequires: glibc-devel zlib-devel gnutls-devel libselinux-devel GConf2-devel alsa-lib-devel
@ -167,7 +169,7 @@ ln -s ../../%{name}/%{version}/etc/COPYING doc
ln -s ../../%{name}/%{version}/etc/NEWS doc
%build
%ifarch loongarch64 sw_64
%ifarch loongarch64
%_update_config_guess
%_update_config_sub
%endif
@ -241,7 +243,7 @@ cd ..
rm %{buildroot}%{_bindir}/emacs
touch %{buildroot}%{_bindir}/emacs
rm %{buildroot}%{emacs_libexecdir}/emacs-*.pdmp
rm %{buildroot}%{emacs_libexecdir}/emacs.pdmp
gunzip %{buildroot}%{_datadir}/emacs/%{version}/lisp/jka*.el.gz
@ -418,21 +420,6 @@ fi
%{_mandir}/*/*
%changelog
* Wed Mar 12 2025 mahailiang <mahailiang@uniontech.com> - 1:29.1-5
- add sw_64 support
* Thu Feb 13 2025 zhangpan <zhangpan103@h-partners.com> - 1:29.1-4
- fix CVE-2025-1244
* Tue Jul 02 2024 zhangpan <zhangpan103@h-partners.com> - 1:29.1-3
- fix CVE-2024-39331
* Mon Apr 01 2024 lingsheng <lingsheng1@h-partners.com> - 1:29.1-2
- fix CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205
* Tue Jan 23 2024 zhangpan <zhangpan103@h-partners.com> - 1:29.1-1
- update to 29.1
* Mon Sep 25 2023 leeffo <liweiganga@uniontech.com> - 1:28.2-5
- fix CVE-2022-48337