Fix htmlfontify.el command injection vulnerability

Resolves: #2175178
This commit is contained in:
Jacek Migacz 2023-03-17 12:19:22 +01:00
parent 69cda0c205
commit 5aade31796
2 changed files with 28 additions and 0 deletions

View File

@ -0,0 +1,26 @@
From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability. (Bug#60295)
---
lisp/htmlfontify.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index df4c6ab079c..389b92939cc 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1912,7 +1912,7 @@ hfy-make-directory
(defun hfy-text-p (srcdir file)
"Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this."
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
(rsp (shell-command-to-string cmd)))
(string-match "text" rsp)))
--
2.36.1

View File

@ -27,6 +27,7 @@ Patch2: emacs-system-crypto-policies.patch
Patch3: emacs-ctags-local-command-execute-vulnerability.patch
Patch4: emacs-mh-rmail-nonempty-dir.patch
Patch5: emacs-etags-local-command-injection-vulnerability.patch
Patch6: emacs-htmlfontify-command-injection-vulnerability.patch
BuildRequires: atk-devel
BuildRequires: cairo-devel
@ -184,6 +185,7 @@ packages that add functionality to Emacs.
%patch3 -p1 -b .ctags-local-command-execute-vulnerability
%patch4 -p1 -b .mh-rmail-nonempty-dir.patch
%patch5 -p1 -b .etags-local-command-injection-vulnerability
%patch6 -p1 -b .htmlfontify-command-injection-vulnerability
autoconf
# We prefer our emacs.desktop file