Make Gnus treats inline MIME contents as untrusted

Resolves: RHEL-36242
This commit is contained in:
Jacek Migacz 2024-08-22 13:42:02 +02:00
parent b7f3072615
commit c63afbc67e
2 changed files with 28 additions and 0 deletions

View File

@ -0,0 +1,25 @@
From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
From: Ihor Radchenko <yantar92@posteo.net>
Date: Tue, 20 Feb 2024 12:44:30 +0300
Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
untrusted.
---
lisp/gnus/mm-view.el | 1 +
1 file changed, 1 insertion(+)
diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index 2e1261c..5f234e5 100644
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
(setq coding-system (mm-find-buffer-file-coding-system)))
(setq text (buffer-string))))
(with-temp-buffer
+ (setq untrusted-content t)
(buffer-disable-undo)
(mm-enable-multibyte)
(insert (cond ((eq charset 'gnus-decoded)
--
cgit v1.1

View File

@ -34,6 +34,7 @@ Patch7: emacs-htmlfontify-command-injection-vulnerability.patch
Patch8: emacs-ruby-mode-local-command-injection-vulnerability.patch Patch8: emacs-ruby-mode-local-command-injection-vulnerability.patch
Patch9: emacs-ob-latex-command-injection-vulnerability.patch Patch9: emacs-ob-latex-command-injection-vulnerability.patch
Patch10: emacs-consider-org-file-contents-unsafe.patch Patch10: emacs-consider-org-file-contents-unsafe.patch
Patch11: emacs-mark-contents-untrusted.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: atk-devel BuildRequires: atk-devel
BuildRequires: cairo-devel BuildRequires: cairo-devel
@ -202,6 +203,7 @@ Development header files for Emacs.
%patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability %patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability
%patch9 -p1 -b .ob-latex-command-injection-vulnerability %patch9 -p1 -b .ob-latex-command-injection-vulnerability
%patch10 -p1 -b .consider-org-file-contents-unsafe %patch10 -p1 -b .consider-org-file-contents-unsafe
%patch11 -p1 -b .mark-contents-untrusted
autoconf autoconf
# We prefer our emacs.desktop file # We prefer our emacs.desktop file
@ -495,6 +497,7 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
* Fri Mar 15 2024 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-10 * Fri Mar 15 2024 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-10
- Disable xwidgets (RHEL-14551) - Disable xwidgets (RHEL-14551)
- org-file-contents: Consider all remote files unsafe (CVE-2024-30205) - org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
* Sun Apr 2 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9 * Sun Apr 2 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9
- Fix etags local command injection vulnerability (#2175190) - Fix etags local command injection vulnerability (#2175190)