.emacs.metadata

@@ -0,0 +1,2 @@
+53c01d987b2613701f42d9f941c2d5225a5874c4 SOURCES/emacs-26.1.tar.xz
+c962aff1571d9fb346775ec4329877dbb63307d6 SOURCES/package-keyring.gpg

.gitignore

@@ -1,4 +1,2 @@
 SOURCES/emacs-26.1.tar.xz
 SOURCES/package-keyring.gpg
-/emacs-26.1.tar.xz
-/package-keyring.gpg

SPECS/emacs.spec

@@ -5,7 +5,7 @@ Summary:       GNU Emacs text editor
 Name:          emacs
 Epoch:         1
 Version:       26.1
-Release:       13%{?dist}
+Release:       11%{?dist}
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs/
 Group:         Applications/Editors
@@ -29,10 +29,6 @@ Patch4:        emacs-mh-rmail-nonempty-dir.patch
 Patch5:        emacs-etags-local-command-injection-vulnerability.patch
 Patch6:        emacs-htmlfontify-command-injection-vulnerability.patch
 Patch7:        emacs-ob-latex-command-injection-vulnerability.patch
-Patch8:        emacs-consider-org-file-contents-unsafe.patch
-Patch9:        emacs-org-link-expand-abbrev-unsafe-elisp.patch
-Patch10:       emacs-mark-contents-untrusted.patch
-Patch11:       emacs-man-el-shell-injection-vulnerability.patch
 
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@@ -72,6 +68,7 @@ BuildRequires: desktop-file-utils
 BuildRequires: libacl-devel
 
 BuildRequires: gtk3-devel
+BuildRequires: webkit2gtk3-devel
 
 # For lucid
 BuildRequires: Xaw3d-devel
@@ -191,10 +188,6 @@ packages that add functionality to Emacs.
 %patch5 -p1 -b .etags-local-command-injection-vulnerability
 %patch6 -p1 -b .htmlfontify-command-injection-vulnerability
 %patch7 -p1 -b .ob-latex-command-injection-vulnerability
-%patch8 -p1 -b .consider-org-file-contents-unsafe
-%patch9 -p1 -b .org-link-expand-abbrev-unsafe-elisp
-%patch10 -p1 -b .mark-contents-untrusted
-%patch11 -p1 -b .emacs-man-el-shell-injection-vulnerability
 autoconf
 
 # We prefer our emacs.desktop file
@@ -250,7 +243,7 @@ ln -s ../configure .
 
 %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \
            --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \
-           --with-modules
+           --with-xwidgets --with-modules
 make bootstrap
 %{setarch} make %{?_smp_mflags}
 cd ..
@@ -481,15 +474,6 @@ fi
 %dir %{_datadir}/emacs/site-lisp/site-start.d
 
 %changelog
-* Wed Feb 19 2025 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-13
-- Fix man.el shell injection vulnerability (RHEL-79016)
-
-* Fri Aug 23 2024 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-12
-- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
-- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
-- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
-- Disable xwidgets (RHEL-14549)
-
 * Wed Apr 12 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-11
 - Bump version
 

emacs-consider-org-file-contents-unsafe.patch

@@ -1,36 +0,0 @@
-From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
-From: Ihor Radchenko <yantar92@posteo.net>
-Date: Tue, 20 Feb 2024 14:59:20 +0300
-Subject: org-file-contents: Consider all remote files unsafe
-
-* lisp/org/org.el (org-file-contents): When loading files, consider all
-remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
----
- lisp/org/org.el | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/lisp/org/org.el b/lisp/org/org.el
-index 0f5d17d..76559c9 100644
---- a/lisp/org/org.el
-+++ b/lisp/org/org.el
-@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
- If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
- is available.  This option applies only if FILE is a URL."
-   (let* ((is-url (org-file-url-p file))
-+         (is-remote (condition-case nil
-+                        (file-remote-p file)
-+                      ;; In case of error, be safe.
-+                      (t t)))
-          (cache (and is-url
-                      (not nocache)
-                      (gethash file org--file-cache))))
-     (cond
-      (cache)
--     (is-url
-+     ((or is-url is-remote)
-       (with-current-buffer (url-retrieve-synchronously file)
- 	(goto-char (point-min))
- 	;; Move point to after the url-retrieve header.
--- 
-cgit v1.1
-

emacs-man-el-shell-injection-vulnerability.patch

@@ -1,34 +0,0 @@
-From 820f0793f0b46448928905552726c1f1b999062f Mon Sep 17 00:00:00 2001
-From: Xi Lu <lx@shellcodes.org>
-Date: Tue, 10 Oct 2023 22:20:05 +0800
-Subject: Fix man.el shell injection vulnerability
-
-* lisp/man.el (Man-translate-references): Fix shell injection
-vulnerability.  (Bug#66390)
-* test/lisp/man-tests.el (man-tests-Man-translate-references): New
-test.
----
- lisp/man.el            |  6 +++++-
- test/lisp/man-tests.el | 12 ++++++++++++
- 2 files changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/lisp/man.el b/lisp/man.el
-index 55cb938..d963964 100644
---- a/lisp/man.el
-+++ b/lisp/man.el
-@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)."
-       (setq name (match-string 2 ref)
- 	    section (match-string 1 ref))))
-     (if (string= name "")
--	ref				; Return the reference as is
-+        ;; see Bug#66390
-+	(mapconcat 'identity
-+                   (mapcar #'shell-quote-argument
-+                           (split-string ref "\\s-+"))
-+                   " ")                 ; Return the reference as is
-       (if Man-downcase-section-letters-flag
- 	  (setq section (downcase section)))
-       (while slist
--- 
-cgit v1.1
-

emacs-mark-contents-untrusted.patch

@@ -1,25 +0,0 @@
-From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
-From: Ihor Radchenko <yantar92@posteo.net>
-Date: Tue, 20 Feb 2024 12:44:30 +0300
-Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
- untrusted.
-
----
- lisp/gnus/mm-view.el | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
-index 2e1261c..5f234e5 100644
---- a/lisp/gnus/mm-view.el
-+++ b/lisp/gnus/mm-view.el
-@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
- 	  (setq coding-system (mm-find-buffer-file-coding-system)))
- 	(setq text (buffer-string))))
-     (with-temp-buffer
-+      (setq untrusted-content t)
-       (buffer-disable-undo)
-       (mm-enable-multibyte)
-       (insert (cond ((eq charset 'gnus-decoded)
--- 
-cgit v1.1
-

emacs-org-link-expand-abbrev-unsafe-elisp.patch

@@ -1,78 +0,0 @@
-From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
-From: Ihor Radchenko <yantar92@posteo.net>
-Date: Tue, 18 Jun 2024 13:06:44 +0200
-Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
-
-* lisp/org/org.el (org-link-expand-abbrev): Refuse expanding %(...) link
-abbrevs that specify unsafe function.  Instead, display a warning, and
-do not expand the abbrev.  Clear all the text properties from the
-returned link, to avoid any potential vulnerabilities caused by
-properties that may contain arbitrary Elisp.
----
- lisp/org/org.el | 40 +++++++++++++++++++++++++++++-----------
- 1 file changed, 29 insertions(+), 11 deletions(-)
-
-diff --git a/lisp/org/org.el b/lisp/org/org.el
-index 7a7f4f5..8a556c7 100644
---- a/lisp/org/org.el
-+++ b/lisp/org/org.el
-@@ -1152,26 +1152,44 @@ Abbreviations are defined in `org-link-abbrev-alist'."
- 
- (defun org-link-expand-abbrev (link)
-   "Apply replacements as defined in `org-link-abbrev-alist'."
--  (if (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)
-+  (if (not (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)) link
-       (let* ((key (match-string 1 link))
- 	     (as (or (assoc key org-link-abbrev-alist-local)
- 		     (assoc key org-link-abbrev-alist)))
- 	     (tag (and (match-end 2) (match-string 3 link)))
- 	     rpl)
- 	(if (not as)
- 	    link
- 	  (setq rpl (cdr as))
--	  (cond
--	   ((symbolp rpl) (funcall rpl tag))
--	   ((string-match "%(\\([^)]+\\))" rpl)
--	    (replace-match
--	     (save-match-data
--	       (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl))
--	   ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
--	   ((string-match "%h" rpl)
--	    (replace-match (url-hexify-string (or tag "")) t t rpl))
--	   (t (concat rpl tag)))))
--    link))
-+        ;; Drop any potentially dangerous text properties like
-+        ;; `modification-hooks' that may be used as an attack vector.
-+        (substring-no-properties
-+	 (cond
-+	  ((symbolp rpl) (funcall rpl tag))
-+	  ((string-match "%(\\([^)]+\\))" rpl)
-+           (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
-+             ;; Using `unsafep-function' is not quite enough because
-+             ;; Emacs considers functions like `genenv' safe, while
-+             ;; they can potentially be used to expose private system
-+             ;; data to attacker if abbreviated link is clicked.
-+             (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
-+                     (eq t (get rpl-fun-symbol 'pure)))
-+                 (replace-match
-+	          (save-match-data
-+	            (funcall (intern-soft (match-string 1 rpl)) tag))
-+	          t t rpl)
-+               (org-display-warning
-+                (format "Disabling unsafe link abbrev: %s
-+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
-+                        rpl (match-string 1 rpl)))
-+               (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
-+                     org-link-abbrev-alist (delete as org-link-abbrev-alist))
-+               link
-+	       )))
-+	  ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
-+	  ((string-match "%h" rpl)
-+	   (replace-match (url-hexify-string (or tag "")) t t rpl))
-+	  (t (concat rpl tag))))))))
- 
- ;;; Storing and inserting links
- 
--- 
-cgit v1.1
-

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -1,2 +0,0 @@
-SHA512 (emacs-26.1.tar.xz) = 537c2cfdd281151b360002419dde6280c313e07a937ed96405c67f754b3401ec5541091a3c0aa6690929bc33dd79e8e0d8844e7a6b014b7798c63cb15de210c2
-SHA512 (package-keyring.gpg) = ca0dfa2edda9a6de5837dd6d754d574b13e007561e8dcc99c178d24f6a5dbb6880edc95db9d6afbea8bdf0b409671657fe22a778003ea0ccf351dce5e4fd429f