From c63afbc67e84c38611b7bc88bd0f1f5866b1e5f7 Mon Sep 17 00:00:00 2001
From: Jacek Migacz
Date: Thu, 22 Aug 2024 13:42:02 +0200
Subject: [PATCH] Make Gnus treats inline MIME contents as untrusted

Resolves: RHEL-36242
---
 emacs-mark-contents-untrusted.patch | 25 +++++++++++++++++++++++++
 emacs.spec | 3 +++
 2 files changed, 28 insertions(+)
 create mode 100644 emacs-mark-contents-untrusted.patch

diff --git a/emacs-mark-contents-untrusted.patch b/emacs-mark-contents-untrusted.patch
new file mode 100644
index 0000000..31e8437
--- /dev/null
+++ b/emacs-mark-contents-untrusted.patch
@@ -0,0 +1,25 @@
+From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 20 Feb 2024 12:44:30 +0300
+Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
+ untrusted.
+
+---
+ lisp/gnus/mm-view.el | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
+index 2e1261c..5f234e5 100644
+--- a/lisp/gnus/mm-view.el
++++ b/lisp/gnus/mm-view.el
+@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
+ (setq coding-system (mm-find-buffer-file-coding-system)))
+ (setq text (buffer-string))))
+ (with-temp-buffer
++ (setq untrusted-content t)
+ (buffer-disable-undo)
+ (mm-enable-multibyte)
+ (insert (cond ((eq charset 'gnus-decoded)
+--
+cgit v1.1
+
diff --git a/emacs.spec b/emacs.spec
index 6a9a22a..7d845e4 100644
--- a/emacs.spec
+++ b/emacs.spec
@@ -34,6 +34,7 @@ Patch7: emacs-htmlfontify-command-injection-vulnerability.patch
 Patch8: emacs-ruby-mode-local-command-injection-vulnerability.patch
 Patch9: emacs-ob-latex-command-injection-vulnerability.patch
 Patch10: emacs-consider-org-file-contents-unsafe.patch
+Patch11: emacs-mark-contents-untrusted.patch
 BuildRequires: gcc
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
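Review bot: The backported hunk only writes `untrusted-content` at `++ (setq untrusted-content t)`; nothing in this commit declares that variable or reads it, so on a 27.2 base the assignment does not by itself change any behaviour for CVE-2024-30203 unless one of the earlier backports (Patch1–Patch10, not shown here) already carries the upstream `defvar-local untrusted-content` and the Org/elisp-mode checks that consult it — that should be confirmed before this is treated as a complete fix. Without a `defvar-local` declaration, a plain `setq` inside `with-temp-buffer` creates an ordinary global value rather than a buffer-local one, so a consumer added later would see every buffer as untrusted; inside this patch `(setq-local untrusted-content t)` is the safer form, and the declaration and at least one consumer belong in the same backport so the marker is actually honoured. The enclosing `mm-display-inline-fontify` body begins and ends outside the inner hunk.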
@@ -202,6 +203,7 @@ Development header files for Emacs.
 %patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability
 %patch9 -p1 -b .ob-latex-command-injection-vulnerability
 %patch10 -p1 -b .consider-org-file-contents-unsafe
+%patch11 -p1 -b .mark-contents-untrusted
 autoconf
 # We prefer our emacs.desktop file
@@ -495,6 +497,7 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
 * Fri Mar 15 2024 Jacek Migacz - 1:27.2-10
 - Disable xwidgets (RHEL-14551)
 - org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
+- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
 * Sun Apr 2 2023 Jacek Migacz - 1:27.2-9
 - Fix etags local command injection vulnerability (#2175190)
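Review bot: The new `%changelog` line is appended to the existing `* Fri Mar 15 2024 Jacek Migacz - 1:27.2-10` entry and the diffstat for emacs.spec shows three insertions and no deletions, so the `Release:` tag is not bumped; if 1:27.2-10 has already been built or shipped, this security fix goes out under an unchanged NVR and cannot be told apart from the previous build. In that case it needs its own dated entry with a bumped release, e.g. `* Thu Aug 22 2024 Jacek Migacz - 1:27.2-11`, with the CVE line moved under it. The `%patch11 -p1 -b .mark-contents-untrusted` application line is consistent with the preceding entries; the `Release:` tag itself lies outside the hunk.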