.emacs.metadata

@@ -0,0 +1 @@
+8d18e2bfb6e28cf060ce7587290954e9c582aa25 SOURCES/emacs-27.2.tar.xz

.gitignore

@@ -1,4 +1 @@
-SOURCES/emacs-26.1.tar.xz
-SOURCES/package-keyring.gpg
-/emacs-26.1.tar.xz
-/package-keyring.gpg
+SOURCES/emacs-27.2.tar.xz

SOURCES/emacs-27.2.tar.xz.sig

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAABAgAGBQJgXHmkAAoJEJHBJi8B6405d2EIAIPafSj+sV3Hemu9CSPL+F38
+KutOo7nUF1AO0tgdijPGZ4BTBsWnsum0dLQ/JLtor7/NQuqrZTMJQbrorLluwCR7
+p1aVtwQ+enWn3G0Aq/4uWo0xaMCvJlEPOQuYE8Dtt12PFZzmfAE1r4KZa4cL073h
+suugT/tz7awq7QS6GbjI88mkJXVMuEwVYPPS2tzBUTkA2152dikFSyqBhUnIo3Ni
+eDN6NvSYBpL1I9HgNYuiBJp9xv8CzGtwm/7Nidntzl9SPVQlZkZIHNj8tRbE67Ge
+R0EXBgnDsSKlRUM51R7PejnSG6134VcLCaItMF6dIiVBu6BwQXw1t+zdqnzG6v8=
+=L6J6
+-----END PGP SIGNATURE-----

SOURCES/emacs-64KB-page-size-for-pdump.patch

@@ -0,0 +1,31 @@
+From 216c65b135c2b0be7e048cdc6683873b03b99b9a Mon Sep 17 00:00:00 2001
+From: Lars Ingebrigtsen <larsi@gnus.org>
+Date: Sun, 28 Mar 2021 19:13:00 +0200
+Subject: [PATCH] Use a 64KB page size for pdump
+
+* src/pdumper.c (dump_get_page_size): Use a 64KB page size on all
+architectures, as this many vary between systems (bug#47125).
+---
+ src/pdumper.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/pdumper.c b/src/pdumper.c
+index 337742fda4..fdd9b3bacb 100644
+--- a/src/pdumper.c
++++ b/src/pdumper.c
+@@ -162,11 +162,7 @@ ptrdiff_t_to_dump_off (ptrdiff_t value)
+ static int
+ dump_get_page_size (void)
+ {
+-#if defined (WINDOWSNT) || defined (CYGWIN)
+-  return 64 * 1024;  /* Worst-case allocation granularity.  */
+-#else
+-  return getpagesize ();
+-#endif
++  return 64 * 1024;
+ }
+ 
+ #define dump_offsetof(type, member)                             \
+-- 
+2.36.1
+

SOURCES/emacs-glibc-2.34.patch

@@ -0,0 +1,40 @@
+From f97e07ea807cc6d38774a3888a15091b20645ac6 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Tue, 9 Mar 2021 11:22:59 -0800
+Subject: [PATCH] Port alternate signal stack to upcoming glibc 2.34
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* src/sysdep.c (sigsegv_stack): Increase size to 64 KiB and align
+it to max_align_t.  This copies from Gnulib’s c-stack.c, and works
+around a portability bug in draft glibc 2.34, which no longer
+defines SIGSTKSZ when _GNU_SOURCE is defined.
+---
+ src/sysdep.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/sysdep.c b/src/sysdep.c
+index 941b4e2fa2..24d8832b2f 100644
+--- a/src/sysdep.c
++++ b/src/sysdep.c
+@@ -1785,7 +1785,15 @@ handle_arith_signal (int sig)
+ 
+ /* Alternate stack used by SIGSEGV handler below.  */
+ 
+-static unsigned char sigsegv_stack[SIGSTKSZ];
++/* Storage for the alternate signal stack.
++   64 KiB is not too large for Emacs, and is large enough
++   for all known platforms.  Smaller sizes may run into trouble.
++   For example, libsigsegv 2.6 through 2.8 have a bug where some
++   architectures use more than the Linux default of an 8 KiB alternate
++   stack when deciding if a fault was caused by stack overflow.  */
++static max_align_t sigsegv_stack[(64 * 1024
++				  + sizeof (max_align_t) - 1)
++				 / sizeof (max_align_t)];
+ 
+ 
+ /* Return true if SIGINFO indicates a stack overflow.  */
+-- 
+2.29.2
+

SOURCES/emacs-latex-preview.patch

@@ -0,0 +1,57 @@
+From 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 12:47:24 +0300
+Subject: org-latex-preview: Add protection when `untrusted-content' is non-nil
+
+* lisp/org/org.el (org--latex-preview-when-risky): New variable
+controlling how to handle LaTeX previews in Org files from untrusted
+origin.
+(org-latex-preview): Consult `org--latex-preview-when-risky' before
+generating previews.
+
+This patch adds a layer of protection when LaTeX preview is requested
+for an email attachment, where `untrusted-content' is set to non-nil.
+---
+ lisp/org/org.el | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index c75afbf..0f5d17d 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -1140,6 +1140,24 @@ the following lines anywhere in the buffer:
+   :package-version '(Org . "8.0")
+   :type 'boolean)
+ 
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages.  It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+   "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15695,6 +15713,7 @@ fragments in the buffer."
+   (interactive "P")
+   (cond
+    ((not (display-graphic-p)) nil)
++   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+    ;; Clear whole buffer.
+    ((equal arg '(64))
+     (org-clear-latex-preview (point-min) (point-max))
+-- 
+cgit v1.1
+

SOURCES/emacs-man-el-shell-injection-vulnerability.patch

@@ -29,6 +29,29 @@ index 55cb938..d963964 100644
        (if Man-downcase-section-letters-flag
  	  (setq section (downcase section)))
        (while slist
+diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el
+index 140482e..11f5f80 100644
+--- a/test/lisp/man-tests.el
++++ b/test/lisp/man-tests.el
+@@ -161,6 +161,18 @@ DESCRIPTION
+           (let ((button (button-at (match-beginning 0))))
+             (should (and button (eq 'Man-xref-header-file (button-type button))))))))))
+ 
++(ert-deftest man-tests-Man-translate-references ()
++  (should (equal (Man-translate-references "basename")
++                 "basename"))
++  (should (equal (Man-translate-references "basename(3)")
++                 "3 basename"))
++  (should (equal (Man-translate-references "basename(3v)")
++                 "3v basename"))
++  (should (equal (Man-translate-references ";id")
++                 "\\;id"))
++  (should (equal (Man-translate-references "-k basename")
++                 "-k basename")))
++
+ (provide 'man-tests)
+ 
+ ;;; man-tests.el ends here
 -- 
 cgit v1.1
 

SOURCES/emacs-org-link-expand-abbrev-unsafe-elisp.patch

@@ -3,44 +3,34 @@ From: Ihor Radchenko <yantar92@posteo.net>
 Date: Tue, 18 Jun 2024 13:06:44 +0200
 Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
 
-* lisp/org/org.el (org-link-expand-abbrev): Refuse expanding %(...) link
+* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
 abbrevs that specify unsafe function.  Instead, display a warning, and
 do not expand the abbrev.  Clear all the text properties from the
 returned link, to avoid any potential vulnerabilities caused by
 properties that may contain arbitrary Elisp.
 ---
- lisp/org/org.el | 40 +++++++++++++++++++++++++++++-----------
+ lisp/org/ol.el | 40 +++++++++++++++++++++++++++++-----------
  1 file changed, 29 insertions(+), 11 deletions(-)
 
-diff --git a/lisp/org/org.el b/lisp/org/org.el
+diff --git a/lisp/org/ol.el b/lisp/org/ol.el
 index 7a7f4f5..8a556c7 100644
---- a/lisp/org/org.el
-+++ b/lisp/org/org.el
-@@ -1152,26 +1152,44 @@ Abbreviations are defined in `org-link-abbrev-alist'."
- 
- (defun org-link-expand-abbrev (link)
-   "Apply replacements as defined in `org-link-abbrev-alist'."
--  (if (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)
-+  (if (not (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)) link
-       (let* ((key (match-string 1 link))
- 	     (as (or (assoc key org-link-abbrev-alist-local)
- 		     (assoc key org-link-abbrev-alist)))
- 	     (tag (and (match-end 2) (match-string 3 link)))
- 	     rpl)
- 	(if (not as)
- 	    link
- 	  (setq rpl (cdr as))
--	  (cond
--	   ((symbolp rpl) (funcall rpl tag))
--	   ((string-match "%(\\([^)]+\\))" rpl)
--	    (replace-match
--	     (save-match-data
--	       (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl))
--	   ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
--	   ((string-match "%h" rpl)
--	    (replace-match (url-hexify-string (or tag "")) t t rpl))
--	   (t (concat rpl tag)))))
--    link))
+--- a/lisp/org/ol.el
++++ b/lisp/org/ol.el
+@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
+       (if (not as)
+ 	  link
+ 	(setq rpl (cdr as))
+-	(cond
+-	 ((symbolp rpl) (funcall rpl tag))
+-	 ((string-match "%(\\([^)]+\\))" rpl)
+-	  (replace-match
+-	   (save-match-data
+-	     (funcall (intern-soft (match-string 1 rpl)) tag))
+-	   t t rpl))
+-	 ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+-	 ((string-match "%h" rpl)
+-	  (replace-match (url-hexify-string (or tag "")) t t rpl))
+-	 (t (concat rpl tag)))))))
 +        ;; Drop any potentially dangerous text properties like
 +        ;; `modification-hooks' that may be used as an attack vector.
 +        (substring-no-properties
@@ -71,8 +61,8 @@ index 7a7f4f5..8a556c7 100644
 +	   (replace-match (url-hexify-string (or tag "")) t t rpl))
 +	  (t (concat rpl tag))))))))
  
- ;;; Storing and inserting links
- 
+ (defun org-link-open (link &optional arg)
+   "Open a link object LINK.
 -- 
 cgit v1.1
 

SOURCES/emacs-ruby-mode-local-command-injection-vulnerability.patch

@@ -0,0 +1,28 @@
+From 9a3b08061feea14d6f37685ca1ab8801758bfd1c Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Fri, 23 Dec 2022 12:52:48 +0800
+Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
+ (bug#60268)
+
+* lisp/progmodes/ruby-mode.el
+(ruby-find-library-file): Fix local command injection vulnerability.
+---
+ lisp/progmodes/ruby-mode.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
+index 1f3e9b6ae7b..a4aa61905e4 100644
+--- a/lisp/progmodes/ruby-mode.el
++++ b/lisp/progmodes/ruby-mode.el
+@@ -1820,7 +1820,7 @@ ruby-find-library-file
+       (setq feature-name (read-string "Feature name: " init))))
+   (let ((out
+          (substring
+-          (shell-command-to-string (concat "gem which " feature-name))
++          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+           0 -1)))
+     (if (string-match-p "\\`ERROR" out)
+         (user-error "%s" out)
+-- 
+2.36.1
+

SOURCES/gpgkey-E6C9029C363AD41D787A8EBB91C1262F01EB8D39.gpg

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBF+pf4UBCAC6vjkWLSAsQpe8YIGKLQzNOJx/IjGtCdFF8uzmO5jmME+SD8RO
+uJN+t5KXVw58uzu75EFD0vHTY9e+udJ2gkpuy0NnzkFcbumdLLo2ERKCoSctZZRh
+zKXI5z5cHxCqW0B2ygHRrRLtoNlGID7bAgcgSViT1ptGqTXO7zGVu4Airok7dNzc
+PtHgns8GlR5YAFX0TvE6oGd0l2VPghNeVJKJOjrbfhoDxl3ucFpqbqMH8z9HTLDO
+Fpz8UaYYUdJMi3xX6vwTZxI2sM2RRVLUpZyllAkSMI4lln1OOgazM/62DJUs/rKI
+HKBnF6h3/qsJUjUYXaAHbrXY26mWllAd536lABEBAAG0I0VsaSBaYXJldHNraWkg
+KGVsaXopIDxlbGl6QGdudS5vcmc+iQE4BBMBAgAiBQJfqX+FAhsDBgsJCAcDAgYV
+CAIJCgsEFgIDAQIeAQIXgAAKCRCRwSYvAeuNOYUQB/4/iIKKOG45ijNaRoTvmJJZ
+Mvj1S07WQxEm7c5SHEeEQbLOAxB9vESOV7sLueuN3oqEndtzyYt4x1WTSBmHFF7h
+5fcCMjBs41siOIp5Sj/xD0Bvaa0IKGCRSZ7PAo8Mq3wgajXpTpn9vxE2PmtzA8Kd
+EE0K1+f9pVAfOpUIcCl44rIxLUW352XG0y7iz6c/O6LB1deOKMiKFctKO7pBti1d
+JEm1ImewLH3H8uTbwspLOs3EB8xhsESxmTidnze68HX2jt+2EeMgCdkiNU+LWbex
+QZPfIS7+ZmE06ll0v6+Jy7ZdTkCCRypKWTnW7pIFsq/p4kybV8O/kHSV6B4vvQBf
+uQENBF+pf4UBCACvFrdx/m22lgObypSmSS4TNlNvQnMUorrMmp0U32hv5adt6CKX
+eMjk05F+GcIfVMrpxqMBn4sEUIXWhhogQJa9ZbWEP/HbS8XjMMbz0Q0Siaty9+DS
+spK/9u2GWKsz3uQzLCexIJtzmXvjAVmvoMCAU/F2t038ggygjYLRgyLRNLgbbart
+u2dMkvrfxRjheip60S4S3utOcwUf/qdoa1grNannCFluHr/ftXCeeuGB4H8iO0BX
+WNby6NZPizxJttx9gdcH8/OmDOJkXyRMTT/3sSem76CSOjfXcz7saJlg680NQhG5
+TmuYERjJD4+U02K5RuqTsEnOuWeFy4p+/mslABEBAAGJAR8EGAECAAkFAl+pf4UC
+GwwACgkQkcEmLwHrjTno7Af/a1XoLHxAUkS43nmF8iazn3ZnuwWKWLEAsNrxk56y
+UxhUPRzNs0/fsABDQR1o0DyTqbScKOcOMSG2YMCctLiDd7FdfMWwkUsV9GUpPBiR
+tD60Ewmn9sbNJKrEoZ5L6sqOUEslJRVABu5taOzVIRfeUPPaMRjvCcr0d+epKjW8
+1J9Aqj8SskuNkHwvHchTYFYVT22aemjjZ1MGOUm7QiybWQgYL6aSPV2gR+NQQ7pE
+hOBoEi6GLEiBkoYOIXvmxsqQLBrUPbsJq8lItYEaw4HGt8BaPxtK2yZ9mSqC2xhW
+Yr1j1YAIHffzubC0jxc5znXERsRANoJOwNUXmiddD7UM9A==
+=g4R7
+-----END PGP PUBLIC KEY BLOCK-----

SPECS/emacs.spec

@@ -4,37 +4,41 @@
 Summary:       GNU Emacs text editor
 Name:          emacs
 Epoch:         1
-Version:       26.1
-Release:       15%{?dist}
+Version:       27.2
+Release:       13%{?dist}
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs/
-Group:         Applications/Editors
 Source0:       https://ftp.gnu.org/gnu/emacs/emacs-%{version}.tar.xz
-Source1:       emacs.desktop
-Source3:       dotemacs.el
-Source4:       site-start.el
-Source5:       default.el
+Source1:       https://ftp.gnu.org/gnu/emacs/emacs-%{version}.tar.xz.sig
+# generate the keyring via:
+# wget https://ftp.gnu.org/gnu/gnu-keyring.gpg
+# gpg2 --keyring ./gnu-keyring.gpg --armor --export E6C9029C363AD41D787A8EBB91C1262F01EB8D39 > gpgkey-E6C9029C363AD41D787A8EBB91C1262F01EB8D39.gpg
+Source2:       gpgkey-E6C9029C363AD41D787A8EBB91C1262F01EB8D39.gpg
+Source3:       emacs.desktop
+Source4:       dotemacs.el
+Source5:       site-start.el
+Source6:       default.el
 # Emacs Terminal Mode, #551949, #617355
-Source6:       emacs-terminal.desktop
-Source7:       emacs-terminal.sh
-Source8:       emacs.service
-Source9:       %{name}.appdata.xml
-# rhbz#1810729
-Source10:      package-keyring.gpg
+Source7:       emacs-terminal.desktop
+Source8:       emacs-terminal.sh
+Source9:       emacs.service
+Source10:      %{name}.appdata.xml
 # rhbz#713600
 Patch1:        emacs-spellchecker.patch
 Patch2:        emacs-system-crypto-policies.patch
-Patch3:        emacs-ctags-local-command-execute-vulnerability.patch
-Patch4:        emacs-mh-rmail-nonempty-dir.patch
-Patch5:        emacs-etags-local-command-injection-vulnerability.patch
-Patch6:        emacs-htmlfontify-command-injection-vulnerability.patch
-Patch7:        emacs-ob-latex-command-injection-vulnerability.patch
-Patch8:        emacs-consider-org-file-contents-unsafe.patch
-Patch9:        emacs-org-link-expand-abbrev-unsafe-elisp.patch
-Patch10:       emacs-mark-contents-untrusted.patch
-Patch11:       emacs-man-el-shell-injection-vulnerability.patch
-Patch12:       emacs-CVE-2024-53920.patch
-
+Patch3:        emacs-glibc-2.34.patch
+Patch4:        emacs-ctags-local-command-execute-vulnerability.patch
+Patch5:        emacs-64KB-page-size-for-pdump.patch
+Patch6:        emacs-etags-local-command-injection-vulnerability.patch
+Patch7:        emacs-htmlfontify-command-injection-vulnerability.patch
+Patch8:        emacs-ruby-mode-local-command-injection-vulnerability.patch
+Patch9:        emacs-ob-latex-command-injection-vulnerability.patch
+Patch10:       emacs-consider-org-file-contents-unsafe.patch
+Patch11:       emacs-mark-contents-untrusted.patch
+Patch12:       emacs-latex-preview.patch
+Patch13:       emacs-org-link-expand-abbrev-unsafe-elisp.patch
+Patch14:       emacs-man-el-shell-injection-vulnerability.patch
+BuildRequires: gcc
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
 BuildRequires: freetype-devel
@@ -60,26 +64,33 @@ BuildRequires: librsvg2-devel
 BuildRequires: m17n-lib-devel
 BuildRequires: libotf-devel
 BuildRequires: libselinux-devel
-BuildRequires: GConf2-devel
 BuildRequires: alsa-lib-devel
 BuildRequires: gpm-devel
 BuildRequires: liblockfile-devel
 BuildRequires: libxml2-devel
+BuildRequires: autoconf
 BuildRequires: bzip2
 BuildRequires: cairo
 BuildRequires: texinfo
 BuildRequires: gzip
 BuildRequires: desktop-file-utils
 BuildRequires: libacl-devel
+BuildRequires: harfbuzz-devel
+BuildRequires: jansson-devel
+BuildRequires: systemd-devel
 
 BuildRequires: gtk3-devel
 
+BuildRequires: gnupg2
+
 # For lucid
 BuildRequires: Xaw3d-devel
 
 %ifarch %{ix86}
 BuildRequires: util-linux
 %endif
+BuildRequires: make
+
 
 # Emacs doesn't run without dejavu-sans-mono-fonts, rhbz#732422
 Requires:      desktop-file-utils
@@ -105,7 +116,6 @@ This package provides an emacs binary with support for X windows.
 
 %package lucid
 Summary:       GNU Emacs text editor with LUCID toolkit X support
-Group:         Applications/Editors
 Requires(preun): %{_sbindir}/alternatives
 Requires(posttrans): %{_sbindir}/alternatives
 Requires:      emacs-common = %{epoch}:%{version}-%{release}
@@ -122,7 +132,6 @@ using LUCID toolkit.
 
 %package nox
 Summary:       GNU Emacs text editor without X support
-Group:         Applications/Editors
 Requires(preun): %{_sbindir}/alternatives
 Requires(posttrans): %{_sbindir}/alternatives
 Requires:      emacs-common = %{epoch}:%{version}-%{release}
@@ -142,11 +151,8 @@ Summary:       Emacs common files
 # The entire source code is GPLv3+ except lib-src/etags.c which is
 # also BSD.  Manual (info) is GFDL.
 License:       GPLv3+ and GFDL and BSD
-Group:         Applications/Editors
-Requires(preun): /sbin/install-info
 Requires(preun): %{_sbindir}/alternatives
 Requires(posttrans): %{_sbindir}/alternatives
-Requires(post): /sbin/install-info
 Requires:      %{name}-filesystem = %{epoch}:%{version}-%{release}
 Provides:      %{name}-el = %{epoch}:%{version}-%{release}
 Obsoletes:     emacs-el < 1:24.3-29
@@ -162,7 +168,6 @@ or emacs-nox.
 
 %package terminal
 Summary:       A desktop menu item for GNU Emacs terminal.
-Group:         Applications/Editors
 Requires:      emacs = %{epoch}:%{version}-%{release}
 BuildArch:     noarch
 
@@ -175,35 +180,40 @@ removed when another terminal becomes capable of handling Malayalam.
 
 %package filesystem
 Summary:       Emacs filesystem layout
-Group:         Applications/Editors
 BuildArch:     noarch
 
 %description filesystem
 This package provides some directories which are required by other
 packages that add functionality to Emacs.
 
+%package devel
+Summary: Development header files for Emacs
+
+%description devel
+Development header files for Emacs.
+
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q
 
-%patch1 -p1 -b .spellchecker
-%patch2 -p1 -b .system-crypto-policies
-%patch3 -p1 -b .ctags-local-command-execute-vulnerability
-%patch4 -p1 -b .mh-rmail-nonempty-dir.patch
-%patch5 -p1 -b .etags-local-command-injection-vulnerability
-%patch6 -p1 -b .htmlfontify-command-injection-vulnerability
-%patch7 -p1 -b .ob-latex-command-injection-vulnerability
-%patch8 -p1 -b .consider-org-file-contents-unsafe
-%patch9 -p1 -b .org-link-expand-abbrev-unsafe-elisp
-%patch10 -p1 -b .mark-contents-untrusted
-%patch11 -p1 -b .emacs-man-el-shell-injection-vulnerability
-%patch12 -p1 -b .CVE-2024-53920
+%patch -P 1 -p1 -b .spellchecker
+%patch -P 2 -p1 -b .system-crypto-policies
+%patch -P 3 -p1 -b .glibc2.34
+%patch -P 4 -p1 -b .ctags-local-command-execute-vulnerability
+%patch -P 5 -p1 -b .64KB-page-size-for-pdump
+%patch -P 6 -p1 -b .etags-local-command-injection-vulnerability
+%patch -P 7 -p1 -b .htmlfontify-command-injection-vulnerability
+%patch -P 8 -p1 -b .ruby-mode-local-command-injection-vulnerability
+%patch -P 9 -p1 -b .ob-latex-command-injection-vulnerability
+%patch -P 10 -p1 -b .consider-org-file-contents-unsafe
+%patch -P 11 -p1 -b .mark-contents-untrusted
+%patch -P 12 -p1 -b .latex-preview
+%patch -P 13 -p1 -b .org-link-expand-abbrev-unsafe-elisp
+%patch -P 14 -p1 -b .man-el-shell-injection-vulnerability
 autoconf
 
 # We prefer our emacs.desktop file
-cp %SOURCE1 etc/emacs.desktop
-
-# GPG key for GNU ELPA packages backported from Emacs 26.3 (#1810729)
-cp %SOURCE10 etc/package-keyring.gpg
+cp %SOURCE3 etc/emacs.desktop
 
 grep -v "tetris.elc" lisp/Makefile.in > lisp/Makefile.in.new \
    && mv lisp/Makefile.in.new lisp/Makefile.in
@@ -243,8 +253,8 @@ ln -s ../../%{name}/%{version}/etc/NEWS doc
 
 
 %build
-export CFLAGS="-DMAIL_USE_LOCKF $RPM_OPT_FLAGS"
-export LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now -fpie"
+export CFLAGS="-DMAIL_USE_LOCKF %{build_cflags}"
+%set_build_flags
 
 # Build GTK+ binary
 mkdir build-gtk && cd build-gtk
@@ -252,9 +262,9 @@ ln -s ../configure .
 
 %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \
            --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \
-           --with-modules
+           --with-modules --with-harfbuzz --with-cairo --with-json
 make bootstrap
-%{setarch} make %{?_smp_mflags}
+%{setarch} %make_build
 cd ..
 
 # Build Lucid binary
@@ -263,16 +273,16 @@ ln -s ../configure .
 
 %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \
            --with-tiff --with-xft --with-xpm --with-x-toolkit=lucid --with-gpm=no \
-           --with-modules
+           --with-modules --with-harfbuzz --with-cairo --with-json
 make bootstrap
-%{setarch} make %{?_smp_mflags}
+%{setarch} %make_build
 cd ..
 
 # Build binary without X support
 mkdir build-nox && cd build-nox
 ln -s ../configure .
-%configure --with-x=no --with-modules
-%{setarch} make %{?_smp_mflags}
+%configure --with-x=no --with-modules --with-json
+%{setarch} %make_build
 cd ..
 
 # Remove versioned file so that we end up with .1 suffix and only one DOC file
@@ -300,29 +310,37 @@ EOF
 
 %install
 cd build-gtk
-make install INSTALL="%{__install} -p" DESTDIR=%{buildroot}
+%make_install
 cd ..
 
 # Let alternatives manage the symlink
 rm %{buildroot}%{_bindir}/emacs
 touch %{buildroot}%{_bindir}/emacs
 
+# Remove emacs.pdmp from common
+rm %{buildroot}%{emacs_libexecdir}/emacs.pdmp
+
 # Do not compress the files which implement compression itself (#484830)
 gunzip %{buildroot}%{_datadir}/emacs/%{version}/lisp/jka-compr.el.gz
 gunzip %{buildroot}%{_datadir}/emacs/%{version}/lisp/jka-cmpr-hook.el.gz
 
+# Install emacs.pdmp of the emacs with GTK+
+install -p -m 0644 build-gtk/src/emacs.pdmp %{buildroot}%{_bindir}/emacs-%{version}.pdmp
+
 # Install the emacs with LUCID toolkit
 install -p -m 0755 build-lucid/src/emacs %{buildroot}%{_bindir}/emacs-%{version}-lucid
+install -p -m 0644 build-lucid/src/emacs.pdmp %{buildroot}%{_bindir}/emacs-%{version}-lucid.pdmp
 
 # Install the emacs without X
 install -p -m 0755 build-nox/src/emacs %{buildroot}%{_bindir}/emacs-%{version}-nox
+install -p -m 0644 build-nox/src/emacs.pdmp %{buildroot}%{_bindir}/emacs-%{version}-nox.pdmp
 
 # Make sure movemail isn't setgid
 chmod 755 %{buildroot}%{emacs_libexecdir}/movemail
 
 mkdir -p %{buildroot}%{site_lisp}
-install -p -m 0644 %SOURCE4 %{buildroot}%{site_lisp}/site-start.el
-install -p -m 0644 %SOURCE5 %{buildroot}%{site_lisp}
+install -p -m 0644 %SOURCE5 %{buildroot}%{site_lisp}/site-start.el
+install -p -m 0644 %SOURCE6 %{buildroot}%{site_lisp}
 
 # This solves bz#474958, "update-directory-autoloads" now finally
 # works the path is different each version, so we'll generate it here
@@ -340,7 +358,7 @@ mkdir -p %{buildroot}%{site_lisp}/site-start.d
 
 # Default initialization file
 mkdir -p %{buildroot}%{_sysconfdir}/skel
-install -p -m 0644 %SOURCE3 %{buildroot}%{_sysconfdir}/skel/.emacs
+install -p -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/skel/.emacs
 
 # Install pkgconfig file
 mkdir -p %{buildroot}/%{pkgconfig}
@@ -348,30 +366,32 @@ install -p -m 0644 emacs.pc %{buildroot}/%{pkgconfig}
 
 # Install app data
 mkdir -p %{buildroot}/%{_datadir}/appdata
-cp -a %SOURCE9 %{buildroot}/%{_datadir}/appdata
+cp -a %SOURCE10 %{buildroot}/%{_datadir}/appdata
+# Upstream ships its own appdata file, but it's quite terse.
+rm %{buildroot}/%{_datadir}/metainfo/emacs.appdata.xml
 
 # Install rpm macro definition file
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -p -m 0644 macros.emacs %{buildroot}%{_rpmconfigdir}/macros.d/
 
 # Installing emacs-terminal binary
-install -p -m 755 %SOURCE7 %{buildroot}%{_bindir}/emacs-terminal
+install -p -m 755 %SOURCE8 %{buildroot}%{_bindir}/emacs-terminal
 
 # After everything is installed, remove info dir
 rm -f %{buildroot}%{_infodir}/dir
 
 # Installing service file
 mkdir -p %{buildroot}%{_userunitdir}
-install -p -m 0644 %SOURCE8 %{buildroot}%{_userunitdir}/emacs.service
+install -p -m 0644 %SOURCE9 %{buildroot}%{_userunitdir}/emacs.service
 # Emacs 26.1 installs the upstream unit file to /usr/lib64 on 64bit archs, we don't want that
 rm -f %{buildroot}/usr/lib64/systemd/user/emacs.service
 
 # Install desktop files
 mkdir -p %{buildroot}%{_datadir}/applications
 desktop-file-install --dir=%{buildroot}%{_datadir}/applications \
-                     %SOURCE1
+                     %SOURCE3
 desktop-file-install --dir=%{buildroot}%{_datadir}/applications \
-                     %SOURCE6
+                     %SOURCE7
 
 #
 # Create file lists
@@ -417,18 +437,8 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
 %{_sbindir}/alternatives --install %{_bindir}/emacs emacs %{_bindir}/emacs-%{version}-nox 70
 %{_sbindir}/alternatives --install %{_bindir}/emacs-nox emacs-nox %{_bindir}/emacs-%{version}-nox 60
 
-%post common
-for f in %{info_files}; do
-  /sbin/install-info %{_infodir}/$f.info.gz %{_infodir}/dir 2> /dev/null || :
-done
-
 %preun common
 %{_sbindir}/alternatives --remove emacs.etags %{_bindir}/etags.emacs
-if [ "$1" = 0 ]; then
-  for f in %{info_files}; do
-    /sbin/install-info --delete %{_infodir}/$f.info.gz %{_infodir}/dir 2> /dev/null || :
-  done
-fi
 
 %posttrans common
 %{_sbindir}/alternatives --install %{_bindir}/etags emacs.etags %{_bindir}/etags.emacs 80 \
@@ -436,20 +446,24 @@ fi
 
 %files
 %{_bindir}/emacs-%{version}
+%{_bindir}/emacs-%{version}.pdmp
 %attr(0755,-,-) %ghost %{_bindir}/emacs
 %{_datadir}/applications/emacs.desktop
 %{_datadir}/appdata/%{name}.appdata.xml
 %{_datadir}/icons/hicolor/*/apps/emacs.png
 %{_datadir}/icons/hicolor/scalable/apps/emacs.svg
+%{_datadir}/icons/hicolor/scalable/apps/emacs.ico
 %{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document.svg
 
 %files lucid
 %{_bindir}/emacs-%{version}-lucid
+%{_bindir}/emacs-%{version}-lucid.pdmp
 %attr(0755,-,-) %ghost %{_bindir}/emacs
 %attr(0755,-,-) %ghost %{_bindir}/emacs-lucid
 
 %files nox
 %{_bindir}/emacs-%{version}-nox
+%{_bindir}/emacs-%{version}-nox.pdmp
 %attr(0755,-,-) %ghost %{_bindir}/emacs
 %attr(0755,-,-) %ghost %{_bindir}/emacs-nox
 
@@ -482,53 +496,109 @@ fi
 %dir %{_datadir}/emacs/site-lisp
 %dir %{_datadir}/emacs/site-lisp/site-start.d
 
+%files devel
+%{_includedir}/emacs-module.h
+
 %changelog
-* Wed May 21 2025 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-15
-- Restore definition of variable "enable-dir-local-variables" (RHEL-92830)
+* Mon Feb 24 2025 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-13
+- Bump release
 
-* Mon May 05 2025 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-14
-- Fix arbitrary code execution via Lisp macro expansion (RHEL-69394)
+* Mon Feb 24 2025 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-12
+- Eliminate use of obsolete patch syntax (RHEL-80443)
 
-* Wed Feb 19 2025 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-13
-- Fix man.el shell injection vulnerability (RHEL-79016)
+* Wed Feb 19 2025 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-11
+- Fix man.el shell injection vulnerability (RHEL-79025)
 
-* Fri Aug 23 2024 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-12
+* Fri Mar 15 2024 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-10
+- Disable xwidgets (RHEL-14551)
 - org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
-- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
 - Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
-- Disable xwidgets (RHEL-14549)
+- Add protection for LaTeX preview (CVE-2024-30204)
+- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
 
-* Wed Apr 12 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-11
-- Bump version
+* Sun Apr 2 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-9
+- Fix etags local command injection vulnerability (#2175190)
+- Fix htmlfontify.el command injection vulnerability (#2175179)
+- Fix ruby-mode.el local command injection vulnerability (#2175142)
+- Fix ob-latex.el command injection vulnerability (#2180590)
 
-* Fri Apr 7 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-10
-- Fix etags local command injection vulnerability (#2175189)
-- Fix htmlfontify.el command injection vulnerability (#2175178)
-- Fix ob-latex.el command injection vulnerability (#2180587)
+* Tue Jan 10 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-8
+- Use a 64KB page size for pdump (#1979804)
 
-* Tue Jan 10 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-9
-- Fix MH-E mail composition with GNU Mailutils (#1991156)
+* Wed Jan 04 2023 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-7
+- Fix ctags local command execute vulnerability (#2149387)
 
-* Thu Jan 05 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-8
-- Fix ctags local command execute vulnerability (#2149386)
+* Wed Sep 22 2021 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-6
+- Adapt hardening options from _hardened_build macro (#2006856)
 
-* Thu Aug 5 2021 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-7
-- provide gating.yaml for CI
+* Wed Aug 18 2021 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-5
+- Provide gating.yaml for CI (#1975151)
 
-* Mon Jul 19 2021 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-6
-- a new GPG key for GNU ELPA packages (#1810729)
+* Tue Aug 10 2021 Jacek Migacz <jmigacz@redhat.com> - 1:27.2-4
+- Fix FTBFS with glibc 2.34 (#1975151)
 
-* Mon Sep 10 2018 Jan Synáček <jsynacek@redhat.com> - 1:26.1-5
-- review annocheck distro flag failures (#1624109)
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:27.2-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Aug 14 2018 Jan Synáček <jsynacek@redhat.com> - 1:26.1-4
-- remove ImageMagick dependency (#1564992)
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1:27.2-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Mon Aug 13 2018 Jan Synáček <jsynacek@redhat.com> - 1:26.1-3
+* Sat Mar 27 2021 Bhavin Gandhi <bhavin7392@gmail.com> - 1:27.2-1
+- emacs-27.2 is available
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:27.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Aug 18 2020 Jan Synáček <jsynacek@redhat.com> - 1:27.1-2
+- use make macros (original patch provided by Tom Stellard)
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Tue Aug 11 2020 Bhavin Gandhi <bhavin7392@gmail.com> - 1:27.1-1
+- emacs-27.1 is available (#1867841)
+- Add systemd-devel to support Type=notify in unit file
+- Build with Cairo and Jansson support
+- Remove ImageMagick dependency as it's no longer used
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:26.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Apr 16 2020 Dan Čermák <dan.cermak@cgc-instruments.com> - 1:26.3-3
+- Drop dependency on GConf2
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:26.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sun Sep 08 2019 Maximiliano Sandoval <msandoval@protonmail.com> - 1:26.3-1
+- emacs-26.3 is available (#1747101)
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:26.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Apr 17 2019 Jan Synáček <jsynacek@redhat.com> - 1:26.2-1
+- emacs-26.2 is available (#1699434)
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:26.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Aug 28 2018 Michael Cronenworth <mike@cchtml.com> - 1:26.1-7
+- Rebuild for new ImageMagick 6.9.10
+
+* Mon Aug 13 2018 Jan Synáček <jsynacek@redhat.com> - 1:26.1-6
 - remove python dependencies, emacs*.py have not been there for a while
 
-* Mon Jun 18 2018 Jan Synáček <jsynacek@redhat.com> - 1:26.1-2
-- remove build dependency on python2 (#1591707)
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:26.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 1:26.1-4
+- Rebuilt for Python 3.7
+
+* Tue Jun 26 2018 Jan Synáček <jsynacek@redhat.com> - 1:26.1-3
+- Refix: Emacs crashes when loading color fonts (#1519038)
+  + emacs SIGABRT after XProtocolError on displaying an email in Gnus (#1591223)
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1:26.1-2
+- Rebuilt for Python 3.7
 
 * Wed May 30 2018 Jan Synáček <jsynacek@redhat.com> - 1:26.1-1
 - emacs-26.1 is available (#1583433)

emacs-CVE-2024-53920.patch

@@ -1,238 +0,0 @@
----
- emacs-27.2/doc/emacs/misc.texi          |   33 +++++++++++++++++
- emacs-27.2/lisp/emacs-lisp/macroexp.el  |   10 ++++-
- emacs-27.2/lisp/files.el                |   60 +++++++++++++++++++++++++++++---
- emacs-27.2/lisp/ielm.el                 |    3 +
- emacs-27.2/lisp/progmodes/elisp-mode.el |   58 +++++++++++++++++++++++++-----
- emacs-27.2/lisp/simple.el               |    1 
- 6 files changed, 189 insertions(+), 20 deletions(-)
-
---- emacs-27.2/doc/emacs/misc.texi
-+++ emacs-27.2/doc/emacs/misc.texi	2025-03-03 09:18:41.368169799 +0000
-@@ -279,6 +279,39 @@ trusted and the default checking for the
- you can set @code{enable-local-variables} to @code{:all}.  @xref{Safe
- File Variables}.
- 
-+@cindex trusted files and directories
-+Loading a file of Emacs Lisp code with @code{load-file} or
-+@code{load-library} (@pxref{Lisp Libraries}) can execute some of the
-+Lisp code in the file being loaded, so you should only load Lisp files
-+whose source you trust.  However, some Emacs features can in certain
-+situations execute Lisp code even without your explicit command or
-+request.  For example, Flymake, the on-the-fly syntax checker for Emacs
-+(@pxref{Top,,, flymake, GNU Flymake}), if it is enabled, can
-+automatically execute some of the code in a Lisp file you visit as part
-+of its syntax-checking job.  Similarly, some completion commands
-+(@pxref{Completion}) in buffers visiting Lisp files sometimes need to
-+expand Lisp macros for best results.  In these cases, just visiting a
-+Lisp file and performing some editing in it could trigger execution of
-+Lisp code.  If the visited file came from an untrusted source, it could
-+include dangerous or even malicious code that Emacs would execute in
-+those situations.
-+
-+To protect against this, Emacs disables execution of Lisp code by
-+Flymake, completion, and some other features, unless the visited file is
-+@dfn{trusted}.  It is up to you to specify which files on your system
-+should be trusted, by customizing the user option
-+@code{trusted-content}.
-+
-+@defopt trusted-content
-+The value of this option is @code{nil} by default, which means no file
-+is trusted.  You can customize the variable to be a list of one or more
-+names of trusted files and directories.  A file name that ends in a
-+slash @file{/} is interpreted as a directory, which means all its files
-+and subdirectories are also trusted.  A special value @code{:all} means
-+@emph{all} the files and directories on your system should be trusted;
-+@strong{this is not recommended}, as it opens a gaping security hole.
-+@end defopt
-+
- @xref{Security Considerations,,, elisp, The Emacs Lisp Reference
- Manual}, for more information about security considerations when using
- Emacs as part of a larger application.
---- emacs-27.2/lisp/emacs-lisp/macroexp.el
-+++ emacs-27.2/lisp/emacs-lisp/macroexp.el	2025-03-03 09:18:41.368169799 +0000
-@@ -94,12 +94,20 @@ each clause."
- 	(macroexp--all-forms clause skip)
-       clause)))
- 
-+(defvar macroexp-inhibit-compiler-macros nil
-+  "Inhibit application of compiler macros if non-nil.")
-+
- (defun macroexp--compiler-macro (handler form)
-+  "Apply compiler macro HANDLER to FORM and return the result.
-+Unless `macroexp-inhibit-compiler-macros' is non-nil, in which
-+case return FORM unchanged."
-+  (if macroexp-inhibit-compiler-macros
-+      form
-   (condition-case err
-       (apply handler form (cdr form))
-     (error
-      (message "Compiler-macro error for %S: %S" (car form) err)
--           form)))
-+           form)))) 
- 
- (defun macroexp--funcall-if-compiled (_form)
-   "Pseudo function used internally by macroexp to delay warnings.
---- emacs-27.2/lisp/files.el
-+++ emacs-27.2/lisp/files.el	2025-03-03 09:20:04.078645249 +0000
-@@ -591,6 +596,57 @@ buffer contents as untrusted.
- Some modes may wish to set this to nil to prevent directory-local
- settings being applied, but still respect file-local ones.")
- 
-+(defcustom trusted-content nil
-+  "List of files and directories whose content we trust.
-+Be extra careful here since trusting means that Emacs might execute the
-+code contained within those files and directories without an explicit
-+request by the user.
-+One important case when this might happen is when `flymake-mode' is
-+enabled (for example, when it is added to a mode hook).
-+Each element of the list should be a string:
-+- If it ends in \"/\", it is considered as a directory name and means that
-+  Emacs should trust all the files whose name has this directory as a prefix.
-+- Otherwise, it is considered a file name.
-+Use abbreviated file names.  For example, an entry \"~/mycode/\" means
-+that Emacs will trust all the files in your directory \"mycode\".
-+This variable can also be set to `:all', in which case Emacs will trust
-+all files, which opens a gaping security hole.  Emacs Lisp authors
-+should note that this value must never be set by a major or minor mode."
-+  :type '(choice (repeat :tag "List" file)
-+                 (const :tag "Trust everything (DANGEROUS!)" :all))
-+  :version "27.2")
-+(put 'trusted-content 'risky-local-variable t)
-+
-+(defun trusted-content-p ()
-+  "Return non-nil if we trust the contents of the current buffer.
-+Here, \"trust\" means that we are willing to run code found inside of it.
-+See also `trusted-content'."
-+  ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'
-+  ;; to try and avoid marking as trusted a file that's merely accessed
-+  ;; via a symlink that happens to be inside a trusted dir.
-+  (and (not untrusted-content)
-+       (or
-+        (eq trusted-content :all)
-+        (and
-+         buffer-file-truename
-+         (with-demoted-errors "trusted-content-p: %S"
-+           (let ((exists (file-exists-p buffer-file-truename)))
-+             (or
-+              ;; We can't avoid trusting the user's init file.
-+              (if (and exists user-init-file)
-+                  (file-equal-p buffer-file-truename user-init-file)
-+                (equal buffer-file-truename user-init-file))
-+              (let ((file (abbreviate-file-name buffer-file-truename))
-+                    (trusted nil))
-+                (dolist (tf trusted-content)
-+                  (when (or (if exists (file-equal-p tf file) (equal tf file))
-+                            ;; We don't use `file-in-directory-p' here, because
-+                            ;; we want to err on the conservative side: "guilty
-+                            ;; until proven innocent".
-+                            (and (string-suffix-p "/" tf)
-+                                 (string-prefix-p tf file)))
-+                    (setq trusted t)))
-+                trusted))))))))
- ;; This is an odd variable IMO.
- ;; You might wonder why it is needed, when we could just do:
- ;; (set (make-local-variable 'enable-local-variables) nil)
---- emacs-27.2/lisp/ielm.el
-+++ emacs-27.2/lisp/ielm.el	2025-03-03 09:18:41.372169725 +0000
-@@ -616,7 +616,8 @@ See `inferior-emacs-lisp-mode' for detai
-     (unless (comint-check-proc "*ielm*")
-       (with-current-buffer (get-buffer-create "*ielm*")
-         (unless (zerop (buffer-size)) (setq old-point (point)))
--        (inferior-emacs-lisp-mode)))
-+        (inferior-emacs-lisp-mode)
-+        (setq-local trusted-content :all)))
-     (pop-to-buffer-same-window "*ielm*")
-     (when old-point (push-mark old-point))))
- 
---- emacs-27.2/lisp/progmodes/elisp-mode.el
-+++ emacs-27.2/lisp/progmodes/elisp-mode.el	2025-03-03 09:18:41.372169725 +0000
-@@ -333,6 +333,43 @@ Blank lines separate paragraphs.  Semico
- 
- (defvar warning-minimum-log-level)
- 
-+(defvar elisp--local-macroenv
-+  `((cl-eval-when . ,(lambda (&rest args) `(progn . ,(cdr args))))
-+    (eval-when-compile . ,(lambda (&rest args) `(progn . ,args)))
-+    (eval-and-compile . ,(lambda (&rest args) `(progn . ,args))))
-+  "Environment to use while tentatively expanding macros.
-+This is used to try and avoid the most egregious problems linked to the
-+use of `macroexpand-all' as a way to find the \"underlying raw code\".")
-+
-+(defvar elisp--macroexpand-untrusted-warning t)
-+
-+(defun elisp--safe-macroexpand-all (sexp)
-+  (if (not (trusted-content-p))
-+      ;; FIXME: We should try and do better here, either using a notion
-+      ;; of "safe" macros, or with `bwrap', or ...
-+      (progn
-+        (when elisp--macroexpand-untrusted-warning
-+          (setq-local elisp--macroexpand-untrusted-warning nil) ;Don't spam!
-+          (let ((inhibit-message t))      ;Only log.
-+            (message "Completion of local vars is disabled in %s (untrusted content)"
-+                     (buffer-name))))
-+        sexp)
-+    (let ((macroexpand-advice
-+           (lambda (expander form &rest args)
-+             (condition-case err
-+                 (apply expander form args)
-+               (error
-+                (message "Ignoring macroexpansion error: %S" err) form)))))
-+      (unwind-protect
-+          ;; Silence any macro expansion errors when
-+          ;; attempting completion at point (bug#58148).
-+          (let ((inhibit-message t)
-+                (macroexp-inhibit-compiler-macros t)
-+                (warning-minimum-log-level :emergency))
-+            (advice-add 'macroexpand-1 :around macroexpand-advice)
-+            (macroexpand-all sexp elisp--local-macroenv))
-+        (advice-remove 'macroexpand-1 macroexpand-advice)))))
-+
- (defun elisp--local-variables ()
-   "Return a list of locally let-bound variables at point."
-   (save-excursion
-@@ -348,17 +385,8 @@ Blank lines separate paragraphs.  Semico
-                        (car (read-from-string
-                              (concat txt "elisp--witness--lisp" closer)))
-                      ((invalid-read-syntax end-of-file) nil)))
--             (macroexpand-advice (lambda (expander form &rest args)
--                                   (condition-case nil
--                                       (apply expander form args)
--                                     (error form))))
--             (sexp
--              (unwind-protect
--                  (let ((warning-minimum-log-level :emergency))
--                    (advice-add 'macroexpand :around macroexpand-advice)
--                    (macroexpand-all sexp))
--                (advice-remove 'macroexpand macroexpand-advice)))
--             (vars (elisp--local-variables-1 nil sexp)))
-+             (vars (elisp--local-variables-1
-+                    nil (elisp--safe-macroexpand-all sexp))))
-         (delq nil
-               (mapcar (lambda (var)
-                         (and (symbolp var)
-@@ -1721,6 +1749,14 @@ directory of the buffer being compiled,
-   "A Flymake backend for elisp byte compilation.
- Spawn an Emacs process that byte-compiles a file representing the
- current buffer state and calls REPORT-FN when done."
-+  (unless (trusted-content-p)
-+    ;; FIXME: Use `bwrap' and friends to compile untrusted content.
-+    ;; FIXME: We emit a message *and* signal an error, because by default
-+    ;; Flymake doesn't display the warning it puts into "*flmake log*".
-+    (message "Disabling elisp-flymake-byte-compile in %s (untrusted content)"
-+             (buffer-name))
-+    (error "Disabling elisp-flymake-byte-compile in %s (untrusted content)"
-+           (buffer-name)))
-   (when elisp-flymake--byte-compile-process
-     (when (process-live-p elisp-flymake--byte-compile-process)
-       (kill-process elisp-flymake--byte-compile-process)))
---- emacs-27.2/lisp/simple.el
-+++ emacs-27.2/lisp/simple.el	2025-03-03 09:18:41.372169725 +0000
-@@ -1621,6 +1621,7 @@ display the result of expression evaluat
-           (eldoc-mode 1)
-           (add-hook 'completion-at-point-functions
-                     #'elisp-completion-at-point nil t)
-+          (setq-local trusted-content :all)
-           (run-hooks 'eval-expression-minibuffer-setup-hook))
-       (read-from-minibuffer prompt initial-contents
-                             read-expression-map t

emacs-ctags-local-command-execute-vulnerability.patch

@@ -1,223 +0,0 @@
-diff --git a/lib-src/etags.c b/lib-src/etags.c
-index 588921bc70..a156444281 100644
---- a/lib-src/etags.c
-+++ b/lib-src/etags.c
-@@ -371,7 +371,7 @@ static void just_read_file (FILE *);
-
- static language *get_language_from_langname (const char *);
- static void readline (linebuffer *, FILE *);
--static long readline_internal (linebuffer *, FILE *, char const *);
-+static long readline_internal (linebuffer *, FILE *, char const *, const bool);
- static bool nocase_tail (const char *);
- static void get_tag (char *, char **);
- static void get_lispy_tag (char *);
-@@ -394,7 +394,9 @@ static void free_fdesc (fdesc *);
- static void pfnote (char *, bool, char *, int, int, long);
- static void invalidate_nodes (fdesc *, node **);
- static void put_entries (node *);
-+static void clean_matched_file_tag (char const * const, char const * const);
-
-+static void do_move_file (const char *, const char *);
- static char *concat (const char *, const char *, const char *);
- static char *skip_spaces (char *);
- static char *skip_non_spaces (char *);
-@@ -1307,7 +1309,7 @@ main (int argc, char **argv)
- 		  if (parsing_stdin)
- 		    fatal ("cannot parse standard input "
- 			   "AND read file names from it");
--		  while (readline_internal (&filename_lb, stdin, "-") > 0)
-+		  while (readline_internal (&filename_lb, stdin, "-", false) > 0)
- 		    process_file_name (filename_lb.buffer, lang);
- 		}
- 	      else
-@@ -1355,9 +1357,6 @@ main (int argc, char **argv)
-   /* From here on, we are in (CTAGS && !cxref_style) */
-   if (update)
-     {
--      char *cmd =
--	xmalloc (strlen (tagfile) + whatlen_max +
--		 sizeof "mv..OTAGS;grep -Fv '\t\t' OTAGS >;rm OTAGS");
-       for (i = 0; i < current_arg; ++i)
- 	{
- 	  switch (argbuffer[i].arg_type)
-@@ -1368,17 +1367,8 @@ main (int argc, char **argv)
- 	    default:
- 	      continue;		/* the for loop */
- 	    }
--	  char *z = stpcpy (cmd, "mv ");
--	  z = stpcpy (z, tagfile);
--	  z = stpcpy (z, " OTAGS;grep -Fv '\t");
--	  z = stpcpy (z, argbuffer[i].what);
--	  z = stpcpy (z, "\t' OTAGS >");
--	  z = stpcpy (z, tagfile);
--	  strcpy (z, ";rm OTAGS");
--	  if (system (cmd) != EXIT_SUCCESS)
--	    fatal ("failed to execute shell command");
-+	  clean_matched_file_tag (tagfile, argbuffer[i].what);
- 	}
--      free (cmd);
-       append_to_tagfile = true;
-     }
-
-@@ -1407,6 +1397,51 @@ main (int argc, char **argv)
-   return EXIT_SUCCESS;
- }
-
-+/*
-+ * Equivalent to: mv tags OTAGS;grep -Fv ' filename ' OTAGS >tags;rm OTAGS
-+ */
-+static void
-+clean_matched_file_tag (const char* tagfile, const char* match_file_name)
-+{
-+  FILE *otags_f = fopen ("OTAGS", "wb");
-+  FILE *tag_f = fopen (tagfile, "rb");
-+
-+  if (otags_f == NULL)
-+    pfatal ("OTAGS");
-+
-+  if (tag_f == NULL)
-+    pfatal (tagfile);
-+
-+  int buf_len = strlen (match_file_name) + sizeof ("\t\t ") + 1;
-+  char *buf = xmalloc (buf_len);
-+  snprintf (buf, buf_len, "\t%s\t", match_file_name);
-+
-+  linebuffer line;
-+  linebuffer_init (&line);
-+  while (readline_internal (&line, tag_f, tagfile, true) > 0)
-+    {
-+      if (ferror (tag_f))
-+        pfatal (tagfile);
-+
-+      if (strstr (line.buffer, buf) == NULL)
-+        {
-+          fprintf (otags_f, "%s\n", line.buffer);
-+          if (ferror (tag_f))
-+            pfatal (tagfile);
-+        }
-+    }
-+  free (buf);
-+  free (line.buffer);
-+
-+  if (fclose (otags_f) == EOF)
-+    pfatal ("OTAGS");
-+
-+  if (fclose (tag_f) == EOF)
-+    pfatal (tagfile);
-+
-+  do_move_file ("OTAGS", tagfile);
-+  return;
-+}
-
- /*
-  * Return a compressor given the file name.  If EXTPTR is non-zero,
-@@ -1794,7 +1829,7 @@ find_entries (FILE *inf)
-
-   /* Else look for sharp-bang as the first two characters. */
-   if (parser == NULL
--      && readline_internal (&lb, inf, infilename) > 0
-+      && readline_internal (&lb, inf, infilename, false) > 0
-       && lb.len >= 2
-       && lb.buffer[0] == '#'
-       && lb.buffer[1] == '!')
-@@ -6293,7 +6328,7 @@ analyze_regex (char *regex_arg)
- 	if (regexfp == NULL)
- 	  pfatal (regexfile);
- 	linebuffer_init (&regexbuf);
--	while (readline_internal (&regexbuf, regexfp, regexfile) > 0)
-+	while (readline_internal (&regexbuf, regexfp, regexfile, false) > 0)
- 	  analyze_regex (regexbuf.buffer);
- 	free (regexbuf.buffer);
- 	if (fclose (regexfp) != 0)
-@@ -6648,11 +6683,13 @@ get_lispy_tag (register char *bp)
-
- /*
-  * Read a line of text from `stream' into `lbp', excluding the
-- * newline or CR-NL, if any.  Return the number of characters read from
-- * `stream', which is the length of the line including the newline.
-+ * newline or CR-NL (if `leave_cr` is false), if any.  Return the
-+ * number of characters read from `stream', which is the length
-+ * of the line including the newline.
-  *
-- * On DOS or Windows we do not count the CR character, if any before the
-- * NL, in the returned length; this mirrors the behavior of Emacs on those
-+ * On DOS or Windows, if `leave_cr` is false, we do not count the
-+ * CR character, if any before the NL, in the returned length;
-+ * this mirrors the behavior of Emacs on those
-  * platforms (for text files, it translates CR-NL to NL as it reads in the
-  * file).
-  *
-@@ -6660,7 +6697,7 @@ get_lispy_tag (register char *bp)
-  * appended to `filebuf'.
-  */
- static long
--readline_internal (linebuffer *lbp, FILE *stream, char const *filename)
-+readline_internal (linebuffer *lbp, FILE *stream, char const *filename, const bool leave_cr)
- {
-   char *buffer = lbp->buffer;
-   char *p = lbp->buffer;
-@@ -6691,7 +6728,7 @@ readline_internal (linebuffer *lbp, FILE *stream, char const *filename)
- 	}
-       if (c == '\n')
- 	{
--	  if (p > buffer && p[-1] == '\r')
-+	  if (!leave_cr && p > buffer && p[-1] == '\r')
- 	    {
- 	      p -= 1;
- 	      chars_deleted = 2;
-@@ -6736,7 +6773,7 @@ readline (linebuffer *lbp, FILE *stream)
-   long result;
-
-   linecharno = charno;		/* update global char number of line start */
--  result = readline_internal (lbp, stream, infilename); /* read line */
-+  result = readline_internal (lbp, stream, infilename, false); /* read line */
-   lineno += 1;			/* increment global line number */
-   charno += result;		/* increment global char number */
-
-@@ -7104,6 +7141,46 @@ etags_mktmp (void)
-   return templt;
- }
-
-+static void
-+do_move_file(const char *src_file, const char *dst_file)
-+{
-+  if (rename (src_file, dst_file) == 0)
-+    return;
-+
-+  FILE *src_f = fopen (src_file, "rb");
-+  FILE *dst_f = fopen (dst_file, "wb");
-+
-+  if (src_f == NULL)
-+    pfatal (src_file);
-+
-+  if (dst_f == NULL)
-+    pfatal (dst_file);
-+
-+  int c;
-+  while ((c = fgetc (src_f)) != EOF)
-+    {
-+      if (ferror (src_f))
-+        pfatal (src_file);
-+
-+      if (ferror (dst_f))
-+        pfatal (dst_file);
-+
-+      if (fputc (c, dst_f) == EOF)
-+        pfatal ("cannot write");
-+    }
-+
-+  if (fclose (src_f) == EOF)
-+    pfatal (src_file);
-+
-+  if (fclose (dst_f) == EOF)
-+    pfatal (dst_file);
-+
-+  if (unlink (src_file) == -1)
-+    pfatal ("unlink error");
-+
-+  return;
-+}
-+
- /* Return a newly allocated string containing the file name of FILE
-    relative to the absolute directory DIR (which should end with a slash). */
- static char *

emacs-mh-rmail-nonempty-dir.patch

@@ -1,31 +0,0 @@
-From b73cde5e2815c531df7f5fd13e214a7d92f78239 Mon Sep 17 00:00:00 2001
-From: Mike Kupfer <mkupfer@alum.berkeley.edu>
-Date: Wed, 4 Jul 2018 15:43:04 -0700
-Subject: [PATCH] Fix MH-E mail composition with GNU Mailutils (SF#485)
-
-* lisp/mh-e/mh-comp.el (mh-bare-components): Recursively delete
-the temporary folder.
----
- lisp/mh-e/mh-comp.el | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lisp/mh-e/mh-comp.el b/lisp/mh-e/mh-comp.el
-index a9f809cfa1..aa22df8b18 100644
---- a/lisp/mh-e/mh-comp.el
-+++ b/lisp/mh-e/mh-comp.el
-@@ -925,8 +925,10 @@ mh-bare-components
-                      (list "-form" mh-comp-formfile)))
-     (setq new (make-temp-file "comp."))
-     (rename-file (concat temp-folder "/" "1") new t)
--    (delete-file (concat temp-folder "/" ".mh_sequences"))
--    (delete-directory temp-folder)
-+    ;; The temp folder could contain various metadata files.  Rather
-+    ;; than trying to enumerate all the known files, just do a
-+    ;; recursive delete on the directory.
-+    (delete-directory temp-folder t)
-     new))
- 
- (defun mh-read-draft (use initial-contents delete-contents-file)
--- 
-2.36.1
-

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -1,2 +0,0 @@
-SHA512 (emacs-26.1.tar.xz) = 537c2cfdd281151b360002419dde6280c313e07a937ed96405c67f754b3401ec5541091a3c0aa6690929bc33dd79e8e0d8844e7a6b014b7798c63cb15de210c2
-SHA512 (package-keyring.gpg) = ca0dfa2edda9a6de5837dd6d754d574b13e007561e8dcc99c178d24f6a5dbb6880edc95db9d6afbea8bdf0b409671657fe22a778003ea0ccf351dce5e4fd429f