From b7f3072615db8c1b04b519801c1b1196f8c5d2a9 Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Thu, 22 Aug 2024 13:24:25 +0200 Subject: [PATCH] org-file-contents: Consider all remote files unsafe Resolves: RHEL-36245 --- emacs-consider-org-file-contents-unsafe.patch | 36 +++++++++++++++++++ emacs.spec | 3 ++ 2 files changed, 39 insertions(+) create mode 100644 emacs-consider-org-file-contents-unsafe.patch diff --git a/emacs-consider-org-file-contents-unsafe.patch b/emacs-consider-org-file-contents-unsafe.patch new file mode 100644 index 0000000..146dc64 --- /dev/null +++ b/emacs-consider-org-file-contents-unsafe.patch @@ -0,0 +1,36 @@ +From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 14:59:20 +0300 +Subject: org-file-contents: Consider all remote files unsafe + +* lisp/org/org.el (org-file-contents): When loading files, consider all +remote files (like TRAMP-fetched files) unsafe, in addition to URLs. +--- + lisp/org/org.el | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 0f5d17d..76559c9 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4576,12 +4576,16 @@ from file or URL, and return nil. + If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version + is available. This option applies only if FILE is a URL." + (let* ((is-url (org-file-url-p file)) ++ (is-remote (condition-case nil ++ (file-remote-p file) ++ ;; In case of error, be safe. ++ (t t))) + (cache (and is-url + (not nocache) + (gethash file org--file-cache)))) + (cond + (cache) +- (is-url ++ ((or is-url is-remote) + (with-current-buffer (url-retrieve-synchronously file) + (goto-char (point-min)) + ;; Move point to after the url-retrieve header. +-- +cgit v1.1 + diff --git a/emacs.spec b/emacs.spec index 19be248..6a9a22a 100644 --- a/emacs.spec +++ b/emacs.spec @@ -33,6 +33,7 @@ Patch6: emacs-etags-local-command-injection-vulnerability.patch Patch7: emacs-htmlfontify-command-injection-vulnerability.patch Patch8: emacs-ruby-mode-local-command-injection-vulnerability.patch Patch9: emacs-ob-latex-command-injection-vulnerability.patch +Patch10: emacs-consider-org-file-contents-unsafe.patch BuildRequires: gcc BuildRequires: atk-devel BuildRequires: cairo-devel @@ -200,6 +201,7 @@ Development header files for Emacs. %patch7 -p1 -b .htmlfontify-command-injection-vulnerability %patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability %patch9 -p1 -b .ob-latex-command-injection-vulnerability +%patch10 -p1 -b .consider-org-file-contents-unsafe autoconf # We prefer our emacs.desktop file @@ -492,6 +494,7 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg %changelog * Fri Mar 15 2024 Jacek Migacz - 1:27.2-10 - Disable xwidgets (RHEL-14551) +- org-file-contents: Consider all remote files unsafe (CVE-2024-30205) * Sun Apr 2 2023 Jacek Migacz - 1:27.2-9 - Fix etags local command injection vulnerability (#2175190)