rpms/emacs
7
0
Fork 0
Code Issues Pull Requests Releases Activity

org-file-contents: Consider all remote files unsafe

Browse Source 
Resolves: RHEL-36246
This commit is contained in:
Jacek Migacz 2024-08-23 10:46:34 +02:00
parent 7ca8fd8820
commit 61e2934cff
2 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
emacs-consider-org-file-contents-unsafe.patch Normal file
View File

@ -0,0 +1,36 @@
From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
From: Ihor Radchenko <yantar92@posteo.net>
Date: Tue, 20 Feb 2024 14:59:20 +0300
Subject: org-file-contents: Consider all remote files unsafe
* lisp/org/org.el (org-file-contents): When loading files, consider all
remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
---
lisp/org/org.el | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lisp/org/org.el b/lisp/org/org.el
index 0f5d17d..76559c9 100644
--- a/lisp/org/org.el
+++ b/lisp/org/org.el
@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
is available. This option applies only if FILE is a URL."
(let* ((is-url (org-file-url-p file))
+ (is-remote (condition-case nil
+ (file-remote-p file)
+ ;; In case of error, be safe.
+ (t t)))
(cache (and is-url
(not nocache)
(gethash file org--file-cache))))
(cond
(cache)
- (is-url
+ ((or is-url is-remote)
(with-current-buffer (url-retrieve-synchronously file)
(goto-char (point-min))
;; Move point to after the url-retrieve header.
--
cgit v1.1

5
emacs.spec
View File

@ -29,6 +29,7 @@ Patch4: emacs-mh-rmail-nonempty-dir.patch
Patch5: emacs-etags-local-command-injection-vulnerability.patch Patch5: emacs-etags-local-command-injection-vulnerability.patch
Patch6: emacs-htmlfontify-command-injection-vulnerability.patch Patch6: emacs-htmlfontify-command-injection-vulnerability.patch
Patch7: emacs-ob-latex-command-injection-vulnerability.patch Patch7: emacs-ob-latex-command-injection-vulnerability.patch
Patch8: emacs-consider-org-file-contents-unsafe.patch
BuildRequires: atk-devel BuildRequires: atk-devel
BuildRequires: cairo-devel BuildRequires: cairo-devel
@ -188,6 +189,7 @@ packages that add functionality to Emacs.
%patch5 -p1 -b .etags-local-command-injection-vulnerability %patch5 -p1 -b .etags-local-command-injection-vulnerability
%patch6 -p1 -b .htmlfontify-command-injection-vulnerability %patch6 -p1 -b .htmlfontify-command-injection-vulnerability
%patch7 -p1 -b .ob-latex-command-injection-vulnerability %patch7 -p1 -b .ob-latex-command-injection-vulnerability
%patch8 -p1 -b .consider-org-file-contents-unsafe
autoconf autoconf
# We prefer our emacs.desktop file # We prefer our emacs.desktop file
@ -474,6 +476,9 @@ fi
%dir %{_datadir}/emacs/site-lisp/site-start.d %dir %{_datadir}/emacs/site-lisp/site-start.d
%changelog %changelog
* Fri Aug 23 2024 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-12
- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
* Wed Apr 12 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-11 * Wed Apr 12 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-11
- Bump version - Bump version