org-file-contents: Consider all remote files unsafe

Resolves: RHEL-36245
2024-08-22 13:24:25 +02:00 · 2024-08-22 13:24:25 +02:00 · b7f3072615
commit b7f3072615
parent c4333b322f
2 changed files with 39 additions and 0 deletions
--- a/emacs-consider-org-file-contents-unsafe.patch
+++ b/emacs-consider-org-file-contents-unsafe.patch
@ -0,0 +1,36 @@
 From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
 From: Ihor Radchenko <yantar92@posteo.net>
 Date: Tue, 20 Feb 2024 14:59:20 +0300
 Subject: org-file-contents: Consider all remote files unsafe
 * lisp/org/org.el (org-file-contents): When loading files, consider all
 remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
 ---
 lisp/org/org.el | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/lisp/org/org.el b/lisp/org/org.el
 index 0f5d17d..76559c9 100644
 --- a/lisp/org/org.el
 +++ b/lisp/org/org.el
@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
 If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
 is available.  This option applies only if FILE is a URL."
   (let* ((is-url (org-file-url-p file))
 +         (is-remote (condition-case nil
 +                        (file-remote-p file)
 +                      ;; In case of error, be safe.
 +                      (t t)))
          (cache (and is-url
                      (not nocache)
                      (gethash file org--file-cache))))
     (cond
      (cache)
 -     (is-url
 +     ((or is-url is-remote)
       (with-current-buffer (url-retrieve-synchronously file)
 	(goto-char (point-min))
 	;; Move point to after the url-retrieve header.
 -- 
 cgit v1.1
--- a/emacs.spec
+++ b/emacs.spec
@ -33,6 +33,7 @@ Patch6:        emacs-etags-local-command-injection-vulnerability.patch
 Patch7:        emacs-htmlfontify-command-injection-vulnerability.patch
 Patch8:        emacs-ruby-mode-local-command-injection-vulnerability.patch
 Patch9:        emacs-ob-latex-command-injection-vulnerability.patch
 Patch10:       emacs-consider-org-file-contents-unsafe.patch
 BuildRequires: gcc
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@ -200,6 +201,7 @@ Development header files for Emacs.
 %patch7 -p1 -b .htmlfontify-command-injection-vulnerability
 %patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability
 %patch9 -p1 -b .ob-latex-command-injection-vulnerability
 %patch10 -p1 -b .consider-org-file-contents-unsafe
 autoconf
 # We prefer our emacs.desktop file
@ -492,6 +494,7 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
 %changelog
 * Fri Mar 15 2024 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-10
 - Disable xwidgets (RHEL-14551)
 - org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
 * Sun Apr 2 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9
 - Fix etags local command injection vulnerability (#2175190)