Fix man.el shell injection vulnerability

Resolves: RHEL-79025
2025-02-19 21:15:25 +01:00 · 2025-02-19 21:15:25 +01:00 · 8e595a514f
commit 8e595a514f
parent 361d7975e8
2 changed files with 63 additions and 1 deletions
--- a/emacs-man-el-shell-injection-vulnerability.patch
+++ b/emacs-man-el-shell-injection-vulnerability.patch
@ -0,0 +1,57 @@
 From 820f0793f0b46448928905552726c1f1b999062f Mon Sep 17 00:00:00 2001
 From: Xi Lu <lx@shellcodes.org>
 Date: Tue, 10 Oct 2023 22:20:05 +0800
 Subject: Fix man.el shell injection vulnerability
 * lisp/man.el (Man-translate-references): Fix shell injection
 vulnerability.  (Bug#66390)
 * test/lisp/man-tests.el (man-tests-Man-translate-references): New
 test.
 ---
 lisp/man.el            |  6 +++++-
 test/lisp/man-tests.el | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 diff --git a/lisp/man.el b/lisp/man.el
 index 55cb938..d963964 100644
 --- a/lisp/man.el
 +++ b/lisp/man.el
@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)."
       (setq name (match-string 2 ref)
 	    section (match-string 1 ref))))
     (if (string= name "")
 -	ref				; Return the reference as is
 +        ;; see Bug#66390
 +	(mapconcat 'identity
 +                   (mapcar #'shell-quote-argument
 +                           (split-string ref "\\s-+"))
 +                   " ")                 ; Return the reference as is
       (if Man-downcase-section-letters-flag
 	  (setq section (downcase section)))
       (while slist
 diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el
 index 140482e..11f5f80 100644
 --- a/test/lisp/man-tests.el
 +++ b/test/lisp/man-tests.el
@@ -161,6 +161,18 @@ DESCRIPTION
           (let ((button (button-at (match-beginning 0))))
             (should (and button (eq 'Man-xref-header-file (button-type button))))))))))
 +(ert-deftest man-tests-Man-translate-references ()
 +  (should (equal (Man-translate-references "basename")
 +                 "basename"))
 +  (should (equal (Man-translate-references "basename(3)")
 +                 "3 basename"))
 +  (should (equal (Man-translate-references "basename(3v)")
 +                 "3v basename"))
 +  (should (equal (Man-translate-references ";id")
 +                 "\\;id"))
 +  (should (equal (Man-translate-references "-k basename")
 +                 "-k basename")))
 +
 (provide 'man-tests)
 ;;; man-tests.el ends here
 -- 
 cgit v1.1
--- a/emacs.spec
+++ b/emacs.spec
@ -5,7 +5,7 @@ Summary:       GNU Emacs text editor
 Name:          emacs
 Epoch:         1
 Version:       27.2
-Release:       10%{?dist}
+Release:       11%{?dist}
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs/
 Source0:       https://ftp.gnu.org/gnu/emacs/emacs-%{version}.tar.xz
@ -37,6 +37,7 @@ Patch10:       emacs-consider-org-file-contents-unsafe.patch
 Patch11:       emacs-mark-contents-untrusted.patch
 Patch12:       emacs-latex-preview.patch
 Patch13:       emacs-org-link-expand-abbrev-unsafe-elisp.patch
 Patch14:       emacs-man-el-shell-injection-vulnerability.patch
 BuildRequires: gcc
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@ -208,6 +209,7 @@ Development header files for Emacs.
 %patch11 -p1 -b .mark-contents-untrusted
 %patch12 -p1 -b .latex-preview
 %patch13 -p1 -b .org-link-expand-abbrev-unsafe-elisp
 %patch14 -p1 -b .man-el-shell-injection-vulnerability
 autoconf
 # We prefer our emacs.desktop file
@ -498,6 +500,9 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
 %{_includedir}/emacs-module.h
 %changelog
 * Wed Feb 19 2025 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-11
 - Fix man.el shell injection vulnerability (RHEL-79025)
 * Fri Mar 15 2024 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-10
 - Disable xwidgets (RHEL-14551)
 - org-file-contents: Consider all remote files unsafe (CVE-2024-30205)