Fix ruby-mode.el local command injection vulnerability

Resolves: #2175142
This commit is contained in:
Jacek Migacz 2023-03-17 14:52:31 +01:00
parent 5d4251db80
commit dacb373157
2 changed files with 30 additions and 0 deletions

View File

@ -0,0 +1,28 @@
From 9a3b08061feea14d6f37685ca1ab8801758bfd1c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Fri, 23 Dec 2022 12:52:48 +0800
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
(bug#60268)
* lisp/progmodes/ruby-mode.el
(ruby-find-library-file): Fix local command injection vulnerability.
---
lisp/progmodes/ruby-mode.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
index 1f3e9b6ae7b..a4aa61905e4 100644
--- a/lisp/progmodes/ruby-mode.el
+++ b/lisp/progmodes/ruby-mode.el
@@ -1820,7 +1820,7 @@ ruby-find-library-file
(setq feature-name (read-string "Feature name: " init))))
(let ((out
(substring
- (shell-command-to-string (concat "gem which " feature-name))
+ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
0 -1)))
(if (string-match-p "\\`ERROR" out)
(user-error "%s" out)
--
2.36.1

View File

@ -31,6 +31,7 @@ Patch4: emacs-ctags-local-command-execute-vulnerability.patch
Patch5: emacs-64KB-page-size-for-pdump.patch
Patch6: emacs-etags-local-command-injection-vulnerability.patch
Patch7: emacs-htmlfontify-command-injection-vulnerability.patch
Patch8: emacs-ruby-mode-local-command-injection-vulnerability.patch
BuildRequires: gcc
BuildRequires: atk-devel
BuildRequires: cairo-devel
@ -197,6 +198,7 @@ Development header files for Emacs.
%patch5 -p1 -b .64KB-page-size-for-pdump
%patch6 -p1 -b .etags-local-command-injection-vulnerability
%patch7 -p1 -b .htmlfontify-command-injection-vulnerability
%patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability
autoconf
# We prefer our emacs.desktop file