import UBI emacs-26.1-11.el8

2023-11-14 18:59:53 +00:00 · 2023-11-14 18:59:53 +00:00 · 5b15598541
parent a4323ecdc7
commit 5b15598541
3 changed files with 143 additions and 9 deletions
--- a/SOURCES/emacs-etags-local-command-injection-vulnerability.patch
+++ b/SOURCES/emacs-etags-local-command-injection-vulnerability.patch
@ -0,0 +1,105 @@
+From 01a4035c869b91c153af9a9132c87adb7669ea1c Mon Sep 17 00:00:00 2001
+From: lu4nx <lx@shellcodes.org>
+Date: Tue, 6 Dec 2022 15:42:40 +0800
+Subject: [PATCH] Fix etags local command injection vulnerability
+
+* lib-src/etags.c: (escape_shell_arg_string): New function.
+(process_file_name): Use it to quote file names passed to the
+shell.  (Bug#59817)
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index d1d20858cdd..ba0092cc637 100644
+--- a/lib-src/etags.c
+++ b/lib-src/etags.c
+@@ -399,6 +399,7 @@ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
+ static void do_move_file (const char *, const char *);
+static char *escape_shell_arg_string (char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+ static char *skip_non_spaces (char *);
+@@ -1670,13 +1671,16 @@ process_file_name (char *file, language *lang)
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
+          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
+          char *cmd = xmalloc (buf_len);
+          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
+          char *new_real_name = escape_shell_arg_string (real_name);
+          char *new_tmp_name = escape_shell_arg_string (tmp_name);
+          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
+          char *cmd = xmalloc (buf_len);
+          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+ 	    {
+@@ -7124,6 +7128,55 @@ etags_mktmp (void)
+   return templt;
+ }
+ 
+/*
+ * Adds single quotes around a string, if found single quotes, escaped it.
+ * Return a newly-allocated string.
+ *
+ * For example:
+ * escape_shell_arg_string("test.txt") => 'test.txt'
+ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
+ */
+static char *
+escape_shell_arg_string (char *str)
+{
+  char *p = str;
+  int need_space = 2;           /* ' at begin and end */
+
+  while (*p != '\0')
+    {
+      if (*p == '\'')
+        need_space += 4;        /* ' to '\'', length is 4 */
+      else
+        need_space++;
+
+      p++;
+    }
+
+  char *new_str = xnew (need_space + 1, char);
+  new_str[0] = '\'';
+  new_str[need_space-1] = '\'';
+
+  int i = 1;                    /* skip first byte */
+  p = str;
+  while (*p != '\0')
+    {
+      new_str[i] = *p;
+      if (*p == '\'')
+        {
+          new_str[i+1] = '\\';
+          new_str[i+2] = '\'';
+          new_str[i+3] = '\'';
+          i += 3;
+        }
+
+      i++;
+      p++;
+    }
+
+  new_str[need_space] = '\0';
+  return new_str;
+}
+
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
+-- 
+2.36.1
+
--- a/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch
+++ b/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch
@ -0,0 +1,26 @@
+From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 24 Dec 2022 16:28:54 +0800
+Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
+
+* lisp/htmlfontify.el (hfy-text-p): Fix command injection
+vulnerability.  (Bug#60295)
+---
+ lisp/htmlfontify.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
+index df4c6ab079c..389b92939cc 100644
+--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
+@@ -1912,7 +1912,7 @@ hfy-make-directory
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
+-- 
+2.36.1
--- a/SPECS/emacs.spec
+++ b/SPECS/emacs.spec
@ -5,7 +5,7 @@ Summary:       GNU Emacs text editor
 Name:          emacs
 Epoch:         1
 Version:       26.1
-Release:       10%{?dist}.2
+Release:       11%{?dist}
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs/
 Group:         Applications/Editors
@ -26,7 +26,9 @@ Patch1:        emacs-spellchecker.patch
 Patch2:        emacs-system-crypto-policies.patch
 Patch3:        emacs-ctags-local-command-execute-vulnerability.patch
 Patch4:        emacs-mh-rmail-nonempty-dir.patch
-Patch5:        emacs-ob-latex-command-injection-vulnerability.patch
+Patch5:        emacs-etags-local-command-injection-vulnerability.patch
+Patch6:        emacs-htmlfontify-command-injection-vulnerability.patch
+Patch7:        emacs-ob-latex-command-injection-vulnerability.patch

 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@ -183,7 +185,9 @@ packages that add functionality to Emacs.
 %patch2 -p1 -b .system-crypto-policies
 %patch3 -p1 -b .ctags-local-command-execute-vulnerability
 %patch4 -p1 -b .mh-rmail-nonempty-dir.patch
-%patch5 -p1 -b .ob-latex-command-injection-vulnerability
+%patch5 -p1 -b .etags-local-command-injection-vulnerability
+%patch6 -p1 -b .htmlfontify-command-injection-vulnerability
+%patch7 -p1 -b .ob-latex-command-injection-vulnerability
 autoconf

 # We prefer our emacs.desktop file
@ -470,14 +474,13 @@ fi
 %dir %{_datadir}/emacs/site-lisp/site-start.d

 %changelog
-* Thu Apr 13 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-10.2
- Bump release
-
-* Thu Apr 13 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-10.1
- Bump release
+* Wed Apr 12 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-11
+- Bump version

 * Fri Apr 7 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-10
- Fix ob-latex.el command injection vulnerability (#2180586)
+- Fix etags local command injection vulnerability (#2175189)
+- Fix htmlfontify.el command injection vulnerability (#2175178)
+- Fix ob-latex.el command injection vulnerability (#2180587)

 * Tue Jan 10 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-9
 - Fix MH-E mail composition with GNU Mailutils (#1991156)