.emacs.metadata

@@ -1,2 +0,0 @@
-53c01d987b2613701f42d9f941c2d5225a5874c4 SOURCES/emacs-26.1.tar.xz
-c962aff1571d9fb346775ec4329877dbb63307d6 SOURCES/package-keyring.gpg

.gitignore

@@ -1,2 +1,4 @@
 SOURCES/emacs-26.1.tar.xz
 SOURCES/package-keyring.gpg
+/emacs-26.1.tar.xz
+/package-keyring.gpg

emacs-consider-org-file-contents-unsafe.patch

@@ -0,0 +1,36 @@
+From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+---
+ lisp/org/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 0f5d17d..76559c9 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
++         (is-remote (condition-case nil
++                        (file-remote-p file)
++                      ;; In case of error, be safe.
++                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
++     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.
+-- 
+cgit v1.1
+

emacs-mark-contents-untrusted.patch

@@ -0,0 +1,25 @@
+From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 12:44:30 +0300
+Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
+ untrusted.
+
+---
+ lisp/gnus/mm-view.el | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
+index 2e1261c..5f234e5 100644
+--- a/lisp/gnus/mm-view.el
++++ b/lisp/gnus/mm-view.el
+@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
+ 	  (setq coding-system (mm-find-buffer-file-coding-system)))
+ 	(setq text (buffer-string))))
+     (with-temp-buffer
++      (setq untrusted-content t)
+       (buffer-disable-undo)
+       (mm-enable-multibyte)
+       (insert (cond ((eq charset 'gnus-decoded)
+-- 
+cgit v1.1
+

emacs-org-link-expand-abbrev-unsafe-elisp.patch

@@ -0,0 +1,78 @@
+From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 18 Jun 2024 13:06:44 +0200
+Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+* lisp/org/org.el (org-link-expand-abbrev): Refuse expanding %(...) link
+abbrevs that specify unsafe function.  Instead, display a warning, and
+do not expand the abbrev.  Clear all the text properties from the
+returned link, to avoid any potential vulnerabilities caused by
+properties that may contain arbitrary Elisp.
+---
+ lisp/org/org.el | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 7a7f4f5..8a556c7 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -1152,26 +1152,44 @@ Abbreviations are defined in `org-link-abbrev-alist'."
+ 
+ (defun org-link-expand-abbrev (link)
+   "Apply replacements as defined in `org-link-abbrev-alist'."
+-  (if (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)
++  (if (not (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)) link
+       (let* ((key (match-string 1 link))
+ 	     (as (or (assoc key org-link-abbrev-alist-local)
+ 		     (assoc key org-link-abbrev-alist)))
+ 	     (tag (and (match-end 2) (match-string 3 link)))
+ 	     rpl)
+ 	(if (not as)
+ 	    link
+ 	  (setq rpl (cdr as))
+-	  (cond
+-	   ((symbolp rpl) (funcall rpl tag))
+-	   ((string-match "%(\\([^)]+\\))" rpl)
+-	    (replace-match
+-	     (save-match-data
+-	       (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl))
+-	   ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+-	   ((string-match "%h" rpl)
+-	    (replace-match (url-hexify-string (or tag "")) t t rpl))
+-	   (t (concat rpl tag)))))
+-    link))
++        ;; Drop any potentially dangerous text properties like
++        ;; `modification-hooks' that may be used as an attack vector.
++        (substring-no-properties
++	 (cond
++	  ((symbolp rpl) (funcall rpl tag))
++	  ((string-match "%(\\([^)]+\\))" rpl)
++           (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++             ;; Using `unsafep-function' is not quite enough because
++             ;; Emacs considers functions like `genenv' safe, while
++             ;; they can potentially be used to expose private system
++             ;; data to attacker if abbreviated link is clicked.
++             (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++                     (eq t (get rpl-fun-symbol 'pure)))
++                 (replace-match
++	          (save-match-data
++	            (funcall (intern-soft (match-string 1 rpl)) tag))
++	          t t rpl)
++               (org-display-warning
++                (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++                        rpl (match-string 1 rpl)))
++               (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++                     org-link-abbrev-alist (delete as org-link-abbrev-alist))
++               link
++	       )))
++	  ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++	  ((string-match "%h" rpl)
++	   (replace-match (url-hexify-string (or tag "")) t t rpl))
++	  (t (concat rpl tag))))))))
+ 
+ ;;; Storing and inserting links
+ 
+-- 
+cgit v1.1
+

emacs.spec

@@ -5,7 +5,7 @@ Summary:       GNU Emacs text editor
 Name:          emacs
 Epoch:         1
 Version:       26.1
-Release:       11%{?dist}
+Release:       12%{?dist}
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs/
 Group:         Applications/Editors
@@ -29,6 +29,9 @@ Patch4:        emacs-mh-rmail-nonempty-dir.patch
 Patch5:        emacs-etags-local-command-injection-vulnerability.patch
 Patch6:        emacs-htmlfontify-command-injection-vulnerability.patch
 Patch7:        emacs-ob-latex-command-injection-vulnerability.patch
+Patch8:        emacs-consider-org-file-contents-unsafe.patch
+Patch9:        emacs-org-link-expand-abbrev-unsafe-elisp.patch
+Patch10:       emacs-mark-contents-untrusted.patch
 
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@@ -68,7 +71,6 @@ BuildRequires: desktop-file-utils
 BuildRequires: libacl-devel
 
 BuildRequires: gtk3-devel
-BuildRequires: webkit2gtk3-devel
 
 # For lucid
 BuildRequires: Xaw3d-devel
@@ -188,6 +190,9 @@ packages that add functionality to Emacs.
 %patch5 -p1 -b .etags-local-command-injection-vulnerability
 %patch6 -p1 -b .htmlfontify-command-injection-vulnerability
 %patch7 -p1 -b .ob-latex-command-injection-vulnerability
+%patch8 -p1 -b .consider-org-file-contents-unsafe
+%patch9 -p1 -b .org-link-expand-abbrev-unsafe-elisp
+%patch10 -p1 -b .mark-contents-untrusted
 autoconf
 
 # We prefer our emacs.desktop file
@@ -243,7 +248,7 @@ ln -s ../configure .
 
 %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \
            --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \
-           --with-xwidgets --with-modules
+           --with-modules
 make bootstrap
 %{setarch} make %{?_smp_mflags}
 cd ..
@@ -474,6 +479,12 @@ fi
 %dir %{_datadir}/emacs/site-lisp/site-start.d
 
 %changelog
+* Fri Aug 23 2024 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-12
+- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
+- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
+- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
+- Disable xwidgets (RHEL-14549)
+
 * Wed Apr 12 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-11
 - Bump version
 

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -0,0 +1,2 @@
+SHA512 (emacs-26.1.tar.xz) = 537c2cfdd281151b360002419dde6280c313e07a937ed96405c67f754b3401ec5541091a3c0aa6690929bc33dd79e8e0d8844e7a6b014b7798c63cb15de210c2
+SHA512 (package-keyring.gpg) = ca0dfa2edda9a6de5837dd6d754d574b13e007561e8dcc99c178d24f6a5dbb6880edc95db9d6afbea8bdf0b409671657fe22a778003ea0ccf351dce5e4fd429f