org-file-contents: Consider all remote files unsafe

Resolves: RHEL-36245
2024-08-22 13:24:25 +02:00 · 2024-08-22 13:24:25 +02:00 · b7f3072615
commit b7f3072615
parent c4333b322f
2 changed files with 39 additions and 0 deletions
--- a/emacs-consider-org-file-contents-unsafe.patch
+++ b/emacs-consider-org-file-contents-unsafe.patch
@ -0,0 +1,36 @@
+From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+---
+ lisp/org/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 0f5d17d..76559c9 100644
+--- a/lisp/org/org.el
+++ b/lisp/org/org.el
+@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
+         (is-remote (condition-case nil
+                        (file-remote-p file)
+                      ;; In case of error, be safe.
+                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
+     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.
+-- 
+cgit v1.1
+
--- a/emacs.spec
+++ b/emacs.spec
@ -33,6 +33,7 @@ Patch6:        emacs-etags-local-command-injection-vulnerability.patch
 Patch7:        emacs-htmlfontify-command-injection-vulnerability.patch
 Patch8:        emacs-ruby-mode-local-command-injection-vulnerability.patch
 Patch9:        emacs-ob-latex-command-injection-vulnerability.patch
+Patch10:       emacs-consider-org-file-contents-unsafe.patch
 BuildRequires: gcc
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@ -200,6 +201,7 @@ Development header files for Emacs.
 %patch7 -p1 -b .htmlfontify-command-injection-vulnerability
 %patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability
 %patch9 -p1 -b .ob-latex-command-injection-vulnerability
+%patch10 -p1 -b .consider-org-file-contents-unsafe
 autoconf

 # We prefer our emacs.desktop file
@ -492,6 +494,7 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
 %changelog
 * Fri Mar 15 2024 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-10
 - Disable xwidgets (RHEL-14551)
+- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)

 * Sun Apr 2 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9
 - Fix etags local command injection vulnerability (#2175190)