org-file-contents: Consider all remote files unsafe

Resolves: RHEL-36246
2024-08-23 10:46:34 +02:00 · 2024-08-23 10:46:34 +02:00 · 61e2934cff
commit 61e2934cff
parent 7ca8fd8820
2 changed files with 41 additions and 0 deletions
--- a/emacs-consider-org-file-contents-unsafe.patch
+++ b/emacs-consider-org-file-contents-unsafe.patch
@ -0,0 +1,36 @@
+From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+---
+ lisp/org/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 0f5d17d..76559c9 100644
+--- a/lisp/org/org.el
+++ b/lisp/org/org.el
+@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
+         (is-remote (condition-case nil
+                        (file-remote-p file)
+                      ;; In case of error, be safe.
+                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
+     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.
+-- 
+cgit v1.1
+
--- a/emacs.spec
+++ b/emacs.spec
@ -29,6 +29,7 @@ Patch4:        emacs-mh-rmail-nonempty-dir.patch
 Patch5:        emacs-etags-local-command-injection-vulnerability.patch
 Patch6:        emacs-htmlfontify-command-injection-vulnerability.patch
 Patch7:        emacs-ob-latex-command-injection-vulnerability.patch
+Patch8:        emacs-consider-org-file-contents-unsafe.patch

 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@ -188,6 +189,7 @@ packages that add functionality to Emacs.
 %patch5 -p1 -b .etags-local-command-injection-vulnerability
 %patch6 -p1 -b .htmlfontify-command-injection-vulnerability
 %patch7 -p1 -b .ob-latex-command-injection-vulnerability
+%patch8 -p1 -b .consider-org-file-contents-unsafe
 autoconf

 # We prefer our emacs.desktop file
@ -474,6 +476,9 @@ fi
 %dir %{_datadir}/emacs/site-lisp/site-start.d

 %changelog
+* Fri Aug 23 2024 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-12
+- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
+
 * Wed Apr 12 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-11
 - Bump version