From f2d8a46ab3e7785ecd103c103141f2d597c831b3 Mon Sep 17 00:00:00 2001
From: Jacek Migacz
Date: Fri, 23 Aug 2024 10:59:42 +0200
Subject: [PATCH] org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
Resolves: RHEL-44689
---
 ...-org-link-expand-abbrev-unsafe-elisp.patch | 78 +++++++++++++++++++
 emacs.spec | 3 +
 2 files changed, 81 insertions(+)
 create mode 100644 emacs-org-link-expand-abbrev-unsafe-elisp.patch
diff --git a/emacs-org-link-expand-abbrev-unsafe-elisp.patch b/emacs-org-link-expand-abbrev-unsafe-elisp.patch
new file mode 100644
index 0000000..18a0050
--- /dev/null
+++ b/emacs-org-link-expand-abbrev-unsafe-elisp.patch
@@ -0,0 +1,78 @@
+From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 18 Jun 2024 13:06:44 +0200
+Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+* lisp/org/org.el (org-link-expand-abbrev): Refuse expanding %(...) link
+abbrevs that specify unsafe function. Instead, display a warning, and
+do not expand the abbrev. Clear all the text properties from the
+returned link, to avoid any potential vulnerabilities caused by
+properties that may contain arbitrary Elisp.
+---
+ lisp/org/org.el | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 7a7f4f5..8a556c7 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -1152,26 +1152,44 @@ Abbreviations are defined in `org-link-abbrev-alist'."
+ 
+ (defun org-link-expand-abbrev (link)
+ "Apply replacements as defined in `org-link-abbrev-alist'."
+- (if (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)
++ (if (not (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)) link
+ (let* ((key (match-string 1 link))
+ (as (or (assoc key org-link-abbrev-alist-local)
+ (assoc key org-link-abbrev-alist)))
+ (tag (and (match-end 2) (match-string 3 link)))
+ rpl)
+ (if (not as)
+ link
+ (setq rpl (cdr as))
+- (cond
+- ((symbolp rpl) (funcall rpl tag))
+- ((string-match "%(\\([^)]+\\))" rpl)
+- (replace-match
+- (save-match-data
+- (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl))
+- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+- ((string-match "%h" rpl)
+- (replace-match (url-hexify-string (or tag "")) t t rpl))
+- (t (concat rpl tag)))))
+- link))
++ ;; Drop any potentially dangerous text properties like
++ ;; `modification-hooks' that may be used as an attack vector.
++ (substring-no-properties
++ (cond
++ ((symbolp rpl) (funcall rpl tag))
++ ((string-match "%(\\([^)]+\\))" rpl)
++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++ ;; Using `unsafep-function' is not quite enough because
++ ;; Emacs considers functions like `genenv' safe, while
++ ;; they can potentially be used to expose private system
++ ;; data to attacker if abbreviated link is clicked.
++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++ (eq t (get rpl-fun-symbol 'pure)))
++ (replace-match
++ (save-match-data
++ (funcall (intern-soft (match-string 1 rpl)) tag))
++ t t rpl)
++ (org-display-warning
++ (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++ rpl (match-string 1 rpl)))
++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++ org-link-abbrev-alist (delete as org-link-abbrev-alist))
++ link
++ )))
++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++ ((string-match "%h" rpl)
++ (replace-match (url-hexify-string (or tag "")) t t rpl))
++ (t (concat rpl tag))))))))
+ 
+ ;;; Storing and inserting links
+ 
+--
+cgit v1.1
+
diff --git a/emacs.spec b/emacs.spec
index 61f95cf..177c600 100644
--- a/emacs.spec
+++ b/emacs.spec
@@ -30,6 +30,7 @@ Patch5: emacs-etags-local-command-injection-vulnerability.patch
 Patch6: emacs-htmlfontify-command-injection-vulnerability.patch
 Patch7: emacs-ob-latex-command-injection-vulnerability.patch
 Patch8: emacs-consider-org-file-contents-unsafe.patch
+Patch9: emacs-org-link-expand-abbrev-unsafe-elisp.patch
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@@ -190,6 +191,7 @@ packages that add functionality to Emacs.
 %patch6 -p1 -b .htmlfontify-command-injection-vulnerability
 %patch7 -p1 -b .ob-latex-command-injection-vulnerability
 %patch8 -p1 -b .consider-org-file-contents-unsafe
+%patch9 -p1 -b .org-link-expand-abbrev-unsafe-elisp
 autoconf
 # We prefer our emacs.desktop file
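Review bot: The `org-link-abbrev-safe`/`pure` guard is applied only inside the `%(...)` branch; the `((symbolp rpl) (funcall rpl tag))` clause just above it still calls whatever symbol is stored in the alist without any check. That is presumably acceptable if symbol-valued entries can only come from the user's own `org-link-abbrev-alist` and a file's `org-link-abbrev-alist-local` only ever holds strings, but nothing in the hunk establishes that, so the assumption deserves a comment on that clause, e.g. `;; NOTE: symbol entries are assumed to come only from user config, never from file keywords -- confirm before relying on this.`. Separately, in the allowed path the function is re-resolved with a second `(intern-soft (match-string 1 rpl))` even though `rpl-fun-symbol` already holds exactly the symbol that was just checked; `(funcall rpl-fun-symbol tag)` would be clearer and keeps the call tied to the checked symbol rather than to a fresh lookup.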
@@ -478,6 +480,7 @@ fi
 %changelog
 * Fri Aug 23 2024 Jacek Migacz - 1:26.1-12
 - org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
+- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
 * Wed Apr 12 2023 Jacek Migacz - 1:26.1-11
 - Bump version