import UBI emacs-27.2-10.el9_4

2024-09-09 20:53:29 +00:00 · 2024-09-09 20:53:29 +00:00 · 443cbf996b
commit 443cbf996b
parent 3f0799447b
2 changed files with 78 additions and 4 deletions
--- a/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch
+++ b/SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch
@ -0,0 +1,68 @@
 From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
 From: Ihor Radchenko <yantar92@posteo.net>
 Date: Tue, 18 Jun 2024 13:06:44 +0200
 Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
 * lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
 abbrevs that specify unsafe function.  Instead, display a warning, and
 do not expand the abbrev.  Clear all the text properties from the
 returned link, to avoid any potential vulnerabilities caused by
 properties that may contain arbitrary Elisp.
 ---
 lisp/org/ol.el | 40 +++++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 11 deletions(-)
 diff --git a/lisp/org/ol.el b/lisp/org/ol.el
 index 7a7f4f5..8a556c7 100644
 --- a/lisp/org/ol.el
 +++ b/lisp/org/ol.el
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
       (if (not as)
 	  link
 	(setq rpl (cdr as))
 -	(cond
 -	 ((symbolp rpl) (funcall rpl tag))
 -	 ((string-match "%(\\([^)]+\\))" rpl)
 -	  (replace-match
 -	   (save-match-data
 -	     (funcall (intern-soft (match-string 1 rpl)) tag))
 -	   t t rpl))
 -	 ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
 -	 ((string-match "%h" rpl)
 -	  (replace-match (url-hexify-string (or tag "")) t t rpl))
 -	 (t (concat rpl tag)))))))
 +        ;; Drop any potentially dangerous text properties like
 +        ;; `modification-hooks' that may be used as an attack vector.
 +        (substring-no-properties
 +	 (cond
 +	  ((symbolp rpl) (funcall rpl tag))
 +	  ((string-match "%(\\([^)]+\\))" rpl)
 +           (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
 +             ;; Using `unsafep-function' is not quite enough because
 +             ;; Emacs considers functions like `genenv' safe, while
 +             ;; they can potentially be used to expose private system
 +             ;; data to attacker if abbreviated link is clicked.
 +             (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
 +                     (eq t (get rpl-fun-symbol 'pure)))
 +                 (replace-match
 +	          (save-match-data
 +	            (funcall (intern-soft (match-string 1 rpl)) tag))
 +	          t t rpl)
 +               (org-display-warning
 +                (format "Disabling unsafe link abbrev: %s
 +You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
 +                        rpl (match-string 1 rpl)))
 +               (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
 +                     org-link-abbrev-alist (delete as org-link-abbrev-alist))
 +               link
 +	       )))
 +	  ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
 +	  ((string-match "%h" rpl)
 +	   (replace-match (url-hexify-string (or tag "")) t t rpl))
 +	  (t (concat rpl tag))))))))
 (defun org-link-open (link &optional arg)
   "Open a link object LINK.
 -- 
 cgit v1.1
--- a/SPECS/emacs.spec
+++ b/SPECS/emacs.spec
@ -5,7 +5,7 @@ Summary:       GNU Emacs text editor
 Name:          emacs
 Epoch:         1
 Version:       27.2
-Release:       9%{?dist}
+Release:       10%{?dist}
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs/
 Source0:       https://ftp.gnu.org/gnu/emacs/emacs-%{version}.tar.xz
@ -33,6 +33,8 @@ Patch6:        emacs-etags-local-command-injection-vulnerability.patch
 Patch7:        emacs-htmlfontify-command-injection-vulnerability.patch
 Patch8:        emacs-ruby-mode-local-command-injection-vulnerability.patch
 Patch9:        emacs-ob-latex-command-injection-vulnerability.patch
 Patch10:       emacs-org-link-expand-abbrev-unsafe-elisp.patch
 BuildRequires: gcc
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@ -75,7 +77,6 @@ BuildRequires: jansson-devel
 BuildRequires: systemd-devel
 BuildRequires: gtk3-devel
 BuildRequires: webkit2gtk3-devel
 BuildRequires: gnupg2
@ -201,6 +202,7 @@ Development header files for Emacs.
 %patch7 -p1 -b .htmlfontify-command-injection-vulnerability
 %patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability
 %patch9 -p1 -b .ob-latex-command-injection-vulnerability
 %patch10 -p1 -b .org-link-expand-abbrev-unsafe-elisp
 autoconf
 # We prefer our emacs.desktop file
@ -253,7 +255,7 @@ ln -s ../configure .
 %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \
           --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \
-           --with-xwidgets --with-modules --with-harfbuzz --with-cairo --with-json
+           --with-modules --with-harfbuzz --with-cairo --with-json
 make bootstrap
 %{setarch} %make_build
 cd ..
@ -491,7 +493,11 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
 %{_includedir}/emacs-module.h
 %changelog
-* Sun Apr 2 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9
+* Fri Aug 23 2024 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-10
 - org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
 - Disable xwidgets (RHEL-33447)
 * Sun Apr 02 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9
 - Fix etags local command injection vulnerability (#2175190)
 - Fix htmlfontify.el command injection vulnerability (#2175179)
 - Fix ruby-mode.el local command injection vulnerability (#2175142)