org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
Resolves: RHEL-44691
This commit is contained in:
Jacek Migacz
parent
d5803a7a83
commit
361d7975e8
68
emacs-org-link-expand-abbrev-unsafe-elisp.patch
Normal file
68
emacs-org-link-expand-abbrev-unsafe-elisp.patch
Normal file
@ -0,0 +1,68 @@
|
|||||||
|
From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ihor Radchenko <yantar92@posteo.net>
|
||||||
|
Date: Tue, 18 Jun 2024 13:06:44 +0200
|
||||||
|
Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
|
||||||
|
|
||||||
|
* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
|
||||||
|
abbrevs that specify unsafe function. Instead, display a warning, and
|
||||||
|
do not expand the abbrev. Clear all the text properties from the
|
||||||
|
returned link, to avoid any potential vulnerabilities caused by
|
||||||
|
properties that may contain arbitrary Elisp.
|
||||||
|
---
|
||||||
|
lisp/org/ol.el | 40 +++++++++++++++++++++++++++++-----------
|
||||||
|
1 file changed, 29 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lisp/org/ol.el b/lisp/org/ol.el
|
||||||
|
index 7a7f4f5..8a556c7 100644
|
||||||
|
--- a/lisp/org/ol.el
|
||||||
|
+++ b/lisp/org/ol.el
|
||||||
|
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
|
||||||
|
(if (not as)
|
||||||
|
link
|
||||||
|
(setq rpl (cdr as))
|
||||||
|
- (cond
|
||||||
|
- ((symbolp rpl) (funcall rpl tag))
|
||||||
|
- ((string-match "%(\\([^)]+\\))" rpl)
|
||||||
|
- (replace-match
|
||||||
|
- (save-match-data
|
||||||
|
- (funcall (intern-soft (match-string 1 rpl)) tag))
|
||||||
|
- t t rpl))
|
||||||
|
- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
|
||||||
|
- ((string-match "%h" rpl)
|
||||||
|
- (replace-match (url-hexify-string (or tag "")) t t rpl))
|
||||||
|
- (t (concat rpl tag)))))))
|
||||||
|
+ ;; Drop any potentially dangerous text properties like
|
||||||
|
+ ;; `modification-hooks' that may be used as an attack vector.
|
||||||
|
+ (substring-no-properties
|
||||||
|
+ (cond
|
||||||
|
+ ((symbolp rpl) (funcall rpl tag))
|
||||||
|
+ ((string-match "%(\\([^)]+\\))" rpl)
|
||||||
|
+ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
|
||||||
|
+ ;; Using `unsafep-function' is not quite enough because
|
||||||
|
+ ;; Emacs considers functions like `genenv' safe, while
|
||||||
|
+ ;; they can potentially be used to expose private system
|
||||||
|
+ ;; data to attacker if abbreviated link is clicked.
|
||||||
|
+ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
|
||||||
|
+ (eq t (get rpl-fun-symbol 'pure)))
|
||||||
|
+ (replace-match
|
||||||
|
+ (save-match-data
|
||||||
|
+ (funcall (intern-soft (match-string 1 rpl)) tag))
|
||||||
|
+ t t rpl)
|
||||||
|
+ (org-display-warning
|
||||||
|
+ (format "Disabling unsafe link abbrev: %s
|
||||||
|
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
|
||||||
|
+ rpl (match-string 1 rpl)))
|
||||||
|
+ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
|
||||||
|
+ org-link-abbrev-alist (delete as org-link-abbrev-alist))
|
||||||
|
+ link
|
||||||
|
+ )))
|
||||||
|
+ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
|
||||||
|
+ ((string-match "%h" rpl)
|
||||||
|
+ (replace-match (url-hexify-string (or tag "")) t t rpl))
|
||||||
|
+ (t (concat rpl tag))))))))
|
||||||
|
|
||||||
|
(defun org-link-open (link &optional arg)
|
||||||
|
"Open a link object LINK.
|
||||||
|
--
|
||||||
|
cgit v1.1
|
||||||
|
|
||||||
@ -36,6 +36,7 @@ Patch9: emacs-ob-latex-command-injection-vulnerability.patch
|
|||||||
Patch10: emacs-consider-org-file-contents-unsafe.patch
|
Patch10: emacs-consider-org-file-contents-unsafe.patch
|
||||||
Patch11: emacs-mark-contents-untrusted.patch
|
Patch11: emacs-mark-contents-untrusted.patch
|
||||||
Patch12: emacs-latex-preview.patch
|
Patch12: emacs-latex-preview.patch
|
||||||
|
Patch13: emacs-org-link-expand-abbrev-unsafe-elisp.patch
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: atk-devel
|
BuildRequires: atk-devel
|
||||||
BuildRequires: cairo-devel
|
BuildRequires: cairo-devel
|
||||||
@ -206,6 +207,7 @@ Development header files for Emacs.
|
|||||||
%patch10 -p1 -b .consider-org-file-contents-unsafe
|
%patch10 -p1 -b .consider-org-file-contents-unsafe
|
||||||
%patch11 -p1 -b .mark-contents-untrusted
|
%patch11 -p1 -b .mark-contents-untrusted
|
||||||
%patch12 -p1 -b .latex-preview
|
%patch12 -p1 -b .latex-preview
|
||||||
|
%patch13 -p1 -b .org-link-expand-abbrev-unsafe-elisp
|
||||||
autoconf
|
autoconf
|
||||||
|
|
||||||
# We prefer our emacs.desktop file
|
# We prefer our emacs.desktop file
|
||||||
@ -501,6 +503,7 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
|
|||||||
- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
|
- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
|
||||||
- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
|
- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
|
||||||
- Add protection for LaTeX preview (CVE-2024-30204)
|
- Add protection for LaTeX preview (CVE-2024-30204)
|
||||||
|
- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
|
||||||
|
|
||||||
* Sun Apr 2 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9
|
* Sun Apr 2 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9
|
||||||
- Fix etags local command injection vulnerability (#2175190)
|
- Fix etags local command injection vulnerability (#2175190)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user