.emacs.metadata

@@ -1 +0,0 @@
-53c01d987b2613701f42d9f941c2d5225a5874c4 SOURCES/emacs-26.1.tar.xz

.gitignore

@@ -1 +1,4 @@
 SOURCES/emacs-26.1.tar.xz
+SOURCES/package-keyring.gpg
+/emacs-26.1.tar.xz
+/package-keyring.gpg

emacs-CVE-2024-53920.patch

@@ -0,0 +1,238 @@
+---
+ emacs-27.2/doc/emacs/misc.texi          |   33 +++++++++++++++++
+ emacs-27.2/lisp/emacs-lisp/macroexp.el  |   10 ++++-
+ emacs-27.2/lisp/files.el                |   60 +++++++++++++++++++++++++++++---
+ emacs-27.2/lisp/ielm.el                 |    3 +
+ emacs-27.2/lisp/progmodes/elisp-mode.el |   58 +++++++++++++++++++++++++-----
+ emacs-27.2/lisp/simple.el               |    1 
+ 6 files changed, 189 insertions(+), 20 deletions(-)
+
+--- emacs-27.2/doc/emacs/misc.texi
++++ emacs-27.2/doc/emacs/misc.texi	2025-03-03 09:18:41.368169799 +0000
+@@ -279,6 +279,39 @@ trusted and the default checking for the
+ you can set @code{enable-local-variables} to @code{:all}.  @xref{Safe
+ File Variables}.
+ 
++@cindex trusted files and directories
++Loading a file of Emacs Lisp code with @code{load-file} or
++@code{load-library} (@pxref{Lisp Libraries}) can execute some of the
++Lisp code in the file being loaded, so you should only load Lisp files
++whose source you trust.  However, some Emacs features can in certain
++situations execute Lisp code even without your explicit command or
++request.  For example, Flymake, the on-the-fly syntax checker for Emacs
++(@pxref{Top,,, flymake, GNU Flymake}), if it is enabled, can
++automatically execute some of the code in a Lisp file you visit as part
++of its syntax-checking job.  Similarly, some completion commands
++(@pxref{Completion}) in buffers visiting Lisp files sometimes need to
++expand Lisp macros for best results.  In these cases, just visiting a
++Lisp file and performing some editing in it could trigger execution of
++Lisp code.  If the visited file came from an untrusted source, it could
++include dangerous or even malicious code that Emacs would execute in
++those situations.
++
++To protect against this, Emacs disables execution of Lisp code by
++Flymake, completion, and some other features, unless the visited file is
++@dfn{trusted}.  It is up to you to specify which files on your system
++should be trusted, by customizing the user option
++@code{trusted-content}.
++
++@defopt trusted-content
++The value of this option is @code{nil} by default, which means no file
++is trusted.  You can customize the variable to be a list of one or more
++names of trusted files and directories.  A file name that ends in a
++slash @file{/} is interpreted as a directory, which means all its files
++and subdirectories are also trusted.  A special value @code{:all} means
++@emph{all} the files and directories on your system should be trusted;
++@strong{this is not recommended}, as it opens a gaping security hole.
++@end defopt
++
+ @xref{Security Considerations,,, elisp, The Emacs Lisp Reference
+ Manual}, for more information about security considerations when using
+ Emacs as part of a larger application.
+--- emacs-27.2/lisp/emacs-lisp/macroexp.el
++++ emacs-27.2/lisp/emacs-lisp/macroexp.el	2025-03-03 09:18:41.368169799 +0000
+@@ -94,12 +94,20 @@ each clause."
+ 	(macroexp--all-forms clause skip)
+       clause)))
+ 
++(defvar macroexp-inhibit-compiler-macros nil
++  "Inhibit application of compiler macros if non-nil.")
++
+ (defun macroexp--compiler-macro (handler form)
++  "Apply compiler macro HANDLER to FORM and return the result.
++Unless `macroexp-inhibit-compiler-macros' is non-nil, in which
++case return FORM unchanged."
++  (if macroexp-inhibit-compiler-macros
++      form
+   (condition-case err
+       (apply handler form (cdr form))
+     (error
+      (message "Compiler-macro error for %S: %S" (car form) err)
+-           form)))
++           form)))) 
+ 
+ (defun macroexp--funcall-if-compiled (_form)
+   "Pseudo function used internally by macroexp to delay warnings.
+--- emacs-27.2/lisp/files.el
++++ emacs-27.2/lisp/files.el	2025-03-03 09:20:04.078645249 +0000
+@@ -591,6 +596,57 @@ buffer contents as untrusted.
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+ 
++(defcustom trusted-content nil
++  "List of files and directories whose content we trust.
++Be extra careful here since trusting means that Emacs might execute the
++code contained within those files and directories without an explicit
++request by the user.
++One important case when this might happen is when `flymake-mode' is
++enabled (for example, when it is added to a mode hook).
++Each element of the list should be a string:
++- If it ends in \"/\", it is considered as a directory name and means that
++  Emacs should trust all the files whose name has this directory as a prefix.
++- Otherwise, it is considered a file name.
++Use abbreviated file names.  For example, an entry \"~/mycode/\" means
++that Emacs will trust all the files in your directory \"mycode\".
++This variable can also be set to `:all', in which case Emacs will trust
++all files, which opens a gaping security hole.  Emacs Lisp authors
++should note that this value must never be set by a major or minor mode."
++  :type '(choice (repeat :tag "List" file)
++                 (const :tag "Trust everything (DANGEROUS!)" :all))
++  :version "27.2")
++(put 'trusted-content 'risky-local-variable t)
++
++(defun trusted-content-p ()
++  "Return non-nil if we trust the contents of the current buffer.
++Here, \"trust\" means that we are willing to run code found inside of it.
++See also `trusted-content'."
++  ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'
++  ;; to try and avoid marking as trusted a file that's merely accessed
++  ;; via a symlink that happens to be inside a trusted dir.
++  (and (not untrusted-content)
++       (or
++        (eq trusted-content :all)
++        (and
++         buffer-file-truename
++         (with-demoted-errors "trusted-content-p: %S"
++           (let ((exists (file-exists-p buffer-file-truename)))
++             (or
++              ;; We can't avoid trusting the user's init file.
++              (if (and exists user-init-file)
++                  (file-equal-p buffer-file-truename user-init-file)
++                (equal buffer-file-truename user-init-file))
++              (let ((file (abbreviate-file-name buffer-file-truename))
++                    (trusted nil))
++                (dolist (tf trusted-content)
++                  (when (or (if exists (file-equal-p tf file) (equal tf file))
++                            ;; We don't use `file-in-directory-p' here, because
++                            ;; we want to err on the conservative side: "guilty
++                            ;; until proven innocent".
++                            (and (string-suffix-p "/" tf)
++                                 (string-prefix-p tf file)))
++                    (setq trusted t)))
++                trusted))))))))
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (set (make-local-variable 'enable-local-variables) nil)
+--- emacs-27.2/lisp/ielm.el
++++ emacs-27.2/lisp/ielm.el	2025-03-03 09:18:41.372169725 +0000
+@@ -616,7 +616,8 @@ See `inferior-emacs-lisp-mode' for detai
+     (unless (comint-check-proc "*ielm*")
+       (with-current-buffer (get-buffer-create "*ielm*")
+         (unless (zerop (buffer-size)) (setq old-point (point)))
+-        (inferior-emacs-lisp-mode)))
++        (inferior-emacs-lisp-mode)
++        (setq-local trusted-content :all)))
+     (pop-to-buffer-same-window "*ielm*")
+     (when old-point (push-mark old-point))))
+ 
+--- emacs-27.2/lisp/progmodes/elisp-mode.el
++++ emacs-27.2/lisp/progmodes/elisp-mode.el	2025-03-03 09:18:41.372169725 +0000
+@@ -333,6 +333,43 @@ Blank lines separate paragraphs.  Semico
+ 
+ (defvar warning-minimum-log-level)
+ 
++(defvar elisp--local-macroenv
++  `((cl-eval-when . ,(lambda (&rest args) `(progn . ,(cdr args))))
++    (eval-when-compile . ,(lambda (&rest args) `(progn . ,args)))
++    (eval-and-compile . ,(lambda (&rest args) `(progn . ,args))))
++  "Environment to use while tentatively expanding macros.
++This is used to try and avoid the most egregious problems linked to the
++use of `macroexpand-all' as a way to find the \"underlying raw code\".")
++
++(defvar elisp--macroexpand-untrusted-warning t)
++
++(defun elisp--safe-macroexpand-all (sexp)
++  (if (not (trusted-content-p))
++      ;; FIXME: We should try and do better here, either using a notion
++      ;; of "safe" macros, or with `bwrap', or ...
++      (progn
++        (when elisp--macroexpand-untrusted-warning
++          (setq-local elisp--macroexpand-untrusted-warning nil) ;Don't spam!
++          (let ((inhibit-message t))      ;Only log.
++            (message "Completion of local vars is disabled in %s (untrusted content)"
++                     (buffer-name))))
++        sexp)
++    (let ((macroexpand-advice
++           (lambda (expander form &rest args)
++             (condition-case err
++                 (apply expander form args)
++               (error
++                (message "Ignoring macroexpansion error: %S" err) form)))))
++      (unwind-protect
++          ;; Silence any macro expansion errors when
++          ;; attempting completion at point (bug#58148).
++          (let ((inhibit-message t)
++                (macroexp-inhibit-compiler-macros t)
++                (warning-minimum-log-level :emergency))
++            (advice-add 'macroexpand-1 :around macroexpand-advice)
++            (macroexpand-all sexp elisp--local-macroenv))
++        (advice-remove 'macroexpand-1 macroexpand-advice)))))
++
+ (defun elisp--local-variables ()
+   "Return a list of locally let-bound variables at point."
+   (save-excursion
+@@ -348,17 +385,8 @@ Blank lines separate paragraphs.  Semico
+                        (car (read-from-string
+                              (concat txt "elisp--witness--lisp" closer)))
+                      ((invalid-read-syntax end-of-file) nil)))
+-             (macroexpand-advice (lambda (expander form &rest args)
+-                                   (condition-case nil
+-                                       (apply expander form args)
+-                                     (error form))))
+-             (sexp
+-              (unwind-protect
+-                  (let ((warning-minimum-log-level :emergency))
+-                    (advice-add 'macroexpand :around macroexpand-advice)
+-                    (macroexpand-all sexp))
+-                (advice-remove 'macroexpand macroexpand-advice)))
+-             (vars (elisp--local-variables-1 nil sexp)))
++             (vars (elisp--local-variables-1
++                    nil (elisp--safe-macroexpand-all sexp))))
+         (delq nil
+               (mapcar (lambda (var)
+                         (and (symbolp var)
+@@ -1721,6 +1749,14 @@ directory of the buffer being compiled,
+   "A Flymake backend for elisp byte compilation.
+ Spawn an Emacs process that byte-compiles a file representing the
+ current buffer state and calls REPORT-FN when done."
++  (unless (trusted-content-p)
++    ;; FIXME: Use `bwrap' and friends to compile untrusted content.
++    ;; FIXME: We emit a message *and* signal an error, because by default
++    ;; Flymake doesn't display the warning it puts into "*flmake log*".
++    (message "Disabling elisp-flymake-byte-compile in %s (untrusted content)"
++             (buffer-name))
++    (error "Disabling elisp-flymake-byte-compile in %s (untrusted content)"
++           (buffer-name)))
+   (when elisp-flymake--byte-compile-process
+     (when (process-live-p elisp-flymake--byte-compile-process)
+       (kill-process elisp-flymake--byte-compile-process)))
+--- emacs-27.2/lisp/simple.el
++++ emacs-27.2/lisp/simple.el	2025-03-03 09:18:41.372169725 +0000
+@@ -1621,6 +1621,7 @@ display the result of expression evaluat
+           (eldoc-mode 1)
+           (add-hook 'completion-at-point-functions
+                     #'elisp-completion-at-point nil t)
++          (setq-local trusted-content :all)
+           (run-hooks 'eval-expression-minibuffer-setup-hook))
+       (read-from-minibuffer prompt initial-contents
+                             read-expression-map t

emacs-consider-org-file-contents-unsafe.patch

@@ -0,0 +1,36 @@
+From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+---
+ lisp/org/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 0f5d17d..76559c9 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
++         (is-remote (condition-case nil
++                        (file-remote-p file)
++                      ;; In case of error, be safe.
++                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
++     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.
+-- 
+cgit v1.1
+

emacs-ctags-local-command-execute-vulnerability.patch

@@ -0,0 +1,223 @@
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index 588921bc70..a156444281 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -371,7 +371,7 @@ static void just_read_file (FILE *);
+
+ static language *get_language_from_langname (const char *);
+ static void readline (linebuffer *, FILE *);
+-static long readline_internal (linebuffer *, FILE *, char const *);
++static long readline_internal (linebuffer *, FILE *, char const *, const bool);
+ static bool nocase_tail (const char *);
+ static void get_tag (char *, char **);
+ static void get_lispy_tag (char *);
+@@ -394,7 +394,9 @@ static void free_fdesc (fdesc *);
+ static void pfnote (char *, bool, char *, int, int, long);
+ static void invalidate_nodes (fdesc *, node **);
+ static void put_entries (node *);
++static void clean_matched_file_tag (char const * const, char const * const);
+
++static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+ static char *skip_non_spaces (char *);
+@@ -1307,7 +1309,7 @@ main (int argc, char **argv)
+ 		  if (parsing_stdin)
+ 		    fatal ("cannot parse standard input "
+ 			   "AND read file names from it");
+-		  while (readline_internal (&filename_lb, stdin, "-") > 0)
++		  while (readline_internal (&filename_lb, stdin, "-", false) > 0)
+ 		    process_file_name (filename_lb.buffer, lang);
+ 		}
+ 	      else
+@@ -1355,9 +1357,6 @@ main (int argc, char **argv)
+   /* From here on, we are in (CTAGS && !cxref_style) */
+   if (update)
+     {
+-      char *cmd =
+-	xmalloc (strlen (tagfile) + whatlen_max +
+-		 sizeof "mv..OTAGS;grep -Fv '\t\t' OTAGS >;rm OTAGS");
+       for (i = 0; i < current_arg; ++i)
+ 	{
+ 	  switch (argbuffer[i].arg_type)
+@@ -1368,17 +1367,8 @@ main (int argc, char **argv)
+ 	    default:
+ 	      continue;		/* the for loop */
+ 	    }
+-	  char *z = stpcpy (cmd, "mv ");
+-	  z = stpcpy (z, tagfile);
+-	  z = stpcpy (z, " OTAGS;grep -Fv '\t");
+-	  z = stpcpy (z, argbuffer[i].what);
+-	  z = stpcpy (z, "\t' OTAGS >");
+-	  z = stpcpy (z, tagfile);
+-	  strcpy (z, ";rm OTAGS");
+-	  if (system (cmd) != EXIT_SUCCESS)
+-	    fatal ("failed to execute shell command");
++	  clean_matched_file_tag (tagfile, argbuffer[i].what);
+ 	}
+-      free (cmd);
+       append_to_tagfile = true;
+     }
+
+@@ -1407,6 +1397,51 @@ main (int argc, char **argv)
+   return EXIT_SUCCESS;
+ }
+
++/*
++ * Equivalent to: mv tags OTAGS;grep -Fv ' filename ' OTAGS >tags;rm OTAGS
++ */
++static void
++clean_matched_file_tag (const char* tagfile, const char* match_file_name)
++{
++  FILE *otags_f = fopen ("OTAGS", "wb");
++  FILE *tag_f = fopen (tagfile, "rb");
++
++  if (otags_f == NULL)
++    pfatal ("OTAGS");
++
++  if (tag_f == NULL)
++    pfatal (tagfile);
++
++  int buf_len = strlen (match_file_name) + sizeof ("\t\t ") + 1;
++  char *buf = xmalloc (buf_len);
++  snprintf (buf, buf_len, "\t%s\t", match_file_name);
++
++  linebuffer line;
++  linebuffer_init (&line);
++  while (readline_internal (&line, tag_f, tagfile, true) > 0)
++    {
++      if (ferror (tag_f))
++        pfatal (tagfile);
++
++      if (strstr (line.buffer, buf) == NULL)
++        {
++          fprintf (otags_f, "%s\n", line.buffer);
++          if (ferror (tag_f))
++            pfatal (tagfile);
++        }
++    }
++  free (buf);
++  free (line.buffer);
++
++  if (fclose (otags_f) == EOF)
++    pfatal ("OTAGS");
++
++  if (fclose (tag_f) == EOF)
++    pfatal (tagfile);
++
++  do_move_file ("OTAGS", tagfile);
++  return;
++}
+
+ /*
+  * Return a compressor given the file name.  If EXTPTR is non-zero,
+@@ -1794,7 +1829,7 @@ find_entries (FILE *inf)
+
+   /* Else look for sharp-bang as the first two characters. */
+   if (parser == NULL
+-      && readline_internal (&lb, inf, infilename) > 0
++      && readline_internal (&lb, inf, infilename, false) > 0
+       && lb.len >= 2
+       && lb.buffer[0] == '#'
+       && lb.buffer[1] == '!')
+@@ -6293,7 +6328,7 @@ analyze_regex (char *regex_arg)
+ 	if (regexfp == NULL)
+ 	  pfatal (regexfile);
+ 	linebuffer_init (&regexbuf);
+-	while (readline_internal (&regexbuf, regexfp, regexfile) > 0)
++	while (readline_internal (&regexbuf, regexfp, regexfile, false) > 0)
+ 	  analyze_regex (regexbuf.buffer);
+ 	free (regexbuf.buffer);
+ 	if (fclose (regexfp) != 0)
+@@ -6648,11 +6683,13 @@ get_lispy_tag (register char *bp)
+
+ /*
+  * Read a line of text from `stream' into `lbp', excluding the
+- * newline or CR-NL, if any.  Return the number of characters read from
+- * `stream', which is the length of the line including the newline.
++ * newline or CR-NL (if `leave_cr` is false), if any.  Return the
++ * number of characters read from `stream', which is the length
++ * of the line including the newline.
+  *
+- * On DOS or Windows we do not count the CR character, if any before the
+- * NL, in the returned length; this mirrors the behavior of Emacs on those
++ * On DOS or Windows, if `leave_cr` is false, we do not count the
++ * CR character, if any before the NL, in the returned length;
++ * this mirrors the behavior of Emacs on those
+  * platforms (for text files, it translates CR-NL to NL as it reads in the
+  * file).
+  *
+@@ -6660,7 +6697,7 @@ get_lispy_tag (register char *bp)
+  * appended to `filebuf'.
+  */
+ static long
+-readline_internal (linebuffer *lbp, FILE *stream, char const *filename)
++readline_internal (linebuffer *lbp, FILE *stream, char const *filename, const bool leave_cr)
+ {
+   char *buffer = lbp->buffer;
+   char *p = lbp->buffer;
+@@ -6691,7 +6728,7 @@ readline_internal (linebuffer *lbp, FILE *stream, char const *filename)
+ 	}
+       if (c == '\n')
+ 	{
+-	  if (p > buffer && p[-1] == '\r')
++	  if (!leave_cr && p > buffer && p[-1] == '\r')
+ 	    {
+ 	      p -= 1;
+ 	      chars_deleted = 2;
+@@ -6736,7 +6773,7 @@ readline (linebuffer *lbp, FILE *stream)
+   long result;
+
+   linecharno = charno;		/* update global char number of line start */
+-  result = readline_internal (lbp, stream, infilename); /* read line */
++  result = readline_internal (lbp, stream, infilename, false); /* read line */
+   lineno += 1;			/* increment global line number */
+   charno += result;		/* increment global char number */
+
+@@ -7104,6 +7141,46 @@ etags_mktmp (void)
+   return templt;
+ }
+
++static void
++do_move_file(const char *src_file, const char *dst_file)
++{
++  if (rename (src_file, dst_file) == 0)
++    return;
++
++  FILE *src_f = fopen (src_file, "rb");
++  FILE *dst_f = fopen (dst_file, "wb");
++
++  if (src_f == NULL)
++    pfatal (src_file);
++
++  if (dst_f == NULL)
++    pfatal (dst_file);
++
++  int c;
++  while ((c = fgetc (src_f)) != EOF)
++    {
++      if (ferror (src_f))
++        pfatal (src_file);
++
++      if (ferror (dst_f))
++        pfatal (dst_file);
++
++      if (fputc (c, dst_f) == EOF)
++        pfatal ("cannot write");
++    }
++
++  if (fclose (src_f) == EOF)
++    pfatal (src_file);
++
++  if (fclose (dst_f) == EOF)
++    pfatal (dst_file);
++
++  if (unlink (src_file) == -1)
++    pfatal ("unlink error");
++
++  return;
++}
++
+ /* Return a newly allocated string containing the file name of FILE
+    relative to the absolute directory DIR (which should end with a slash). */
+ static char *

emacs-etags-local-command-injection-vulnerability.patch

@@ -0,0 +1,105 @@
+From 01a4035c869b91c153af9a9132c87adb7669ea1c Mon Sep 17 00:00:00 2001
+From: lu4nx <lx@shellcodes.org>
+Date: Tue, 6 Dec 2022 15:42:40 +0800
+Subject: [PATCH] Fix etags local command injection vulnerability
+
+* lib-src/etags.c: (escape_shell_arg_string): New function.
+(process_file_name): Use it to quote file names passed to the
+shell.  (Bug#59817)
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index d1d20858cdd..ba0092cc637 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -399,6 +399,7 @@ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
+ static void do_move_file (const char *, const char *);
++static char *escape_shell_arg_string (char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+ static char *skip_non_spaces (char *);
+@@ -1670,13 +1671,16 @@ process_file_name (char *file, language *lang)
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+ 	    {
+@@ -7124,6 +7128,55 @@ etags_mktmp (void)
+   return templt;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
+-- 
+2.36.1
+

emacs-htmlfontify-command-injection-vulnerability.patch

@@ -0,0 +1,26 @@
+From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 24 Dec 2022 16:28:54 +0800
+Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
+
+* lisp/htmlfontify.el (hfy-text-p): Fix command injection
+vulnerability.  (Bug#60295)
+---
+ lisp/htmlfontify.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
+index df4c6ab079c..389b92939cc 100644
+--- a/lisp/htmlfontify.el
++++ b/lisp/htmlfontify.el
+@@ -1912,7 +1912,7 @@ hfy-make-directory
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
+-- 
+2.36.1

emacs-man-el-shell-injection-vulnerability.patch

@@ -0,0 +1,34 @@
+From 820f0793f0b46448928905552726c1f1b999062f Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Tue, 10 Oct 2023 22:20:05 +0800
+Subject: Fix man.el shell injection vulnerability
+
+* lisp/man.el (Man-translate-references): Fix shell injection
+vulnerability.  (Bug#66390)
+* test/lisp/man-tests.el (man-tests-Man-translate-references): New
+test.
+---
+ lisp/man.el            |  6 +++++-
+ test/lisp/man-tests.el | 12 ++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/man.el b/lisp/man.el
+index 55cb938..d963964 100644
+--- a/lisp/man.el
++++ b/lisp/man.el
+@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)."
+       (setq name (match-string 2 ref)
+ 	    section (match-string 1 ref))))
+     (if (string= name "")
+-	ref				; Return the reference as is
++        ;; see Bug#66390
++	(mapconcat 'identity
++                   (mapcar #'shell-quote-argument
++                           (split-string ref "\\s-+"))
++                   " ")                 ; Return the reference as is
+       (if Man-downcase-section-letters-flag
+ 	  (setq section (downcase section)))
+       (while slist
+-- 
+cgit v1.1
+

emacs-mark-contents-untrusted.patch

@@ -0,0 +1,25 @@
+From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 12:44:30 +0300
+Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
+ untrusted.
+
+---
+ lisp/gnus/mm-view.el | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
+index 2e1261c..5f234e5 100644
+--- a/lisp/gnus/mm-view.el
++++ b/lisp/gnus/mm-view.el
+@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
+ 	  (setq coding-system (mm-find-buffer-file-coding-system)))
+ 	(setq text (buffer-string))))
+     (with-temp-buffer
++      (setq untrusted-content t)
+       (buffer-disable-undo)
+       (mm-enable-multibyte)
+       (insert (cond ((eq charset 'gnus-decoded)
+-- 
+cgit v1.1
+

emacs-mh-rmail-nonempty-dir.patch

@@ -0,0 +1,31 @@
+From b73cde5e2815c531df7f5fd13e214a7d92f78239 Mon Sep 17 00:00:00 2001
+From: Mike Kupfer <mkupfer@alum.berkeley.edu>
+Date: Wed, 4 Jul 2018 15:43:04 -0700
+Subject: [PATCH] Fix MH-E mail composition with GNU Mailutils (SF#485)
+
+* lisp/mh-e/mh-comp.el (mh-bare-components): Recursively delete
+the temporary folder.
+---
+ lisp/mh-e/mh-comp.el | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lisp/mh-e/mh-comp.el b/lisp/mh-e/mh-comp.el
+index a9f809cfa1..aa22df8b18 100644
+--- a/lisp/mh-e/mh-comp.el
++++ b/lisp/mh-e/mh-comp.el
+@@ -925,8 +925,10 @@ mh-bare-components
+                      (list "-form" mh-comp-formfile)))
+     (setq new (make-temp-file "comp."))
+     (rename-file (concat temp-folder "/" "1") new t)
+-    (delete-file (concat temp-folder "/" ".mh_sequences"))
+-    (delete-directory temp-folder)
++    ;; The temp folder could contain various metadata files.  Rather
++    ;; than trying to enumerate all the known files, just do a
++    ;; recursive delete on the directory.
++    (delete-directory temp-folder t)
+     new))
+ 
+ (defun mh-read-draft (use initial-contents delete-contents-file)
+-- 
+2.36.1
+

emacs-ob-latex-command-injection-vulnerability.patch

@@ -0,0 +1,43 @@
+From a8006ea580ed74f27f974d60b598143b04ad1741 Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 11 Mar 2023 18:53:37 +0800
+Subject: * lisp/org/ob-latex.el: Fix command injection vulnerability
+
+(org-babel-execute:latex):
+Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
+
+TINYCHANGE
+---
+ lisp/org/ob-latex.el | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
+index a2c24b3..ce39628 100644
+--- a/lisp/org/ob-latex.el
++++ b/lisp/org/ob-latex.el
+@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."
+ 	    (if (string-suffix-p ".svg" out-file)
+ 		(progn
+ 		  (shell-command "pwd")
+-		  (shell-command (format "mv %s %s"
+-					 (concat (file-name-sans-extension tex-file) "-1.svg")
+-					 out-file)))
++                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
++                               out-file t))
+ 	      (error "SVG file produced but HTML file requested")))
+ 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
+ 	    (if (string-suffix-p ".html" out-file)
+-		(shell-command "mv %s %s"
+-			       (concat (file-name-sans-extension tex-file)
+-				       ".html")
+-			       out-file)
+-	      (error "HTML file produced but SVG file requested")))))
++                (rename-file (concat (file-name-sans-extension tex-file) ".html")
++                             out-file t)
++              (error "HTML file produced but SVG file requested")))))
+ 	 ((or (string= "pdf" extension) imagemagick)
+ 	  (with-temp-file tex-file
+ 	    (require 'ox-latex)
+-- 
+cgit v1.1
+

emacs-org-link-expand-abbrev-unsafe-elisp.patch

@@ -0,0 +1,78 @@
+From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 18 Jun 2024 13:06:44 +0200
+Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+* lisp/org/org.el (org-link-expand-abbrev): Refuse expanding %(...) link
+abbrevs that specify unsafe function.  Instead, display a warning, and
+do not expand the abbrev.  Clear all the text properties from the
+returned link, to avoid any potential vulnerabilities caused by
+properties that may contain arbitrary Elisp.
+---
+ lisp/org/org.el | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 7a7f4f5..8a556c7 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -1152,26 +1152,44 @@ Abbreviations are defined in `org-link-abbrev-alist'."
+ 
+ (defun org-link-expand-abbrev (link)
+   "Apply replacements as defined in `org-link-abbrev-alist'."
+-  (if (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)
++  (if (not (string-match "^\\([^:]*\\)\\(::?\\(.*\\)\\)?$" link)) link
+       (let* ((key (match-string 1 link))
+ 	     (as (or (assoc key org-link-abbrev-alist-local)
+ 		     (assoc key org-link-abbrev-alist)))
+ 	     (tag (and (match-end 2) (match-string 3 link)))
+ 	     rpl)
+ 	(if (not as)
+ 	    link
+ 	  (setq rpl (cdr as))
+-	  (cond
+-	   ((symbolp rpl) (funcall rpl tag))
+-	   ((string-match "%(\\([^)]+\\))" rpl)
+-	    (replace-match
+-	     (save-match-data
+-	       (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl))
+-	   ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+-	   ((string-match "%h" rpl)
+-	    (replace-match (url-hexify-string (or tag "")) t t rpl))
+-	   (t (concat rpl tag)))))
+-    link))
++        ;; Drop any potentially dangerous text properties like
++        ;; `modification-hooks' that may be used as an attack vector.
++        (substring-no-properties
++	 (cond
++	  ((symbolp rpl) (funcall rpl tag))
++	  ((string-match "%(\\([^)]+\\))" rpl)
++           (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++             ;; Using `unsafep-function' is not quite enough because
++             ;; Emacs considers functions like `genenv' safe, while
++             ;; they can potentially be used to expose private system
++             ;; data to attacker if abbreviated link is clicked.
++             (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++                     (eq t (get rpl-fun-symbol 'pure)))
++                 (replace-match
++	          (save-match-data
++	            (funcall (intern-soft (match-string 1 rpl)) tag))
++	          t t rpl)
++               (org-display-warning
++                (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++                        rpl (match-string 1 rpl)))
++               (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++                     org-link-abbrev-alist (delete as org-link-abbrev-alist))
++               link
++	       )))
++	  ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++	  ((string-match "%h" rpl)
++	   (replace-match (url-hexify-string (or tag "")) t t rpl))
++	  (t (concat rpl tag))))))))
+ 
+ ;;; Storing and inserting links
+ 
+-- 
+cgit v1.1
+

emacs.spec

@@ -5,7 +5,7 @@ Summary:       GNU Emacs text editor
 Name:          emacs
 Epoch:         1
 Version:       26.1
-Release:       5%{?dist}
+Release:       15%{?dist}
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs/
 Group:         Applications/Editors
@@ -19,9 +19,21 @@ Source6:       emacs-terminal.desktop
 Source7:       emacs-terminal.sh
 Source8:       emacs.service
 Source9:       %{name}.appdata.xml
+# rhbz#1810729
+Source10:      package-keyring.gpg
 # rhbz#713600
 Patch1:        emacs-spellchecker.patch
 Patch2:        emacs-system-crypto-policies.patch
+Patch3:        emacs-ctags-local-command-execute-vulnerability.patch
+Patch4:        emacs-mh-rmail-nonempty-dir.patch
+Patch5:        emacs-etags-local-command-injection-vulnerability.patch
+Patch6:        emacs-htmlfontify-command-injection-vulnerability.patch
+Patch7:        emacs-ob-latex-command-injection-vulnerability.patch
+Patch8:        emacs-consider-org-file-contents-unsafe.patch
+Patch9:        emacs-org-link-expand-abbrev-unsafe-elisp.patch
+Patch10:       emacs-mark-contents-untrusted.patch
+Patch11:       emacs-man-el-shell-injection-vulnerability.patch
+Patch12:       emacs-CVE-2024-53920.patch
 
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@@ -61,7 +73,6 @@ BuildRequires: desktop-file-utils
 BuildRequires: libacl-devel
 
 BuildRequires: gtk3-devel
-BuildRequires: webkit2gtk3-devel
 
 # For lucid
 BuildRequires: Xaw3d-devel
@@ -176,11 +187,24 @@ packages that add functionality to Emacs.
 
 %patch1 -p1 -b .spellchecker
 %patch2 -p1 -b .system-crypto-policies
+%patch3 -p1 -b .ctags-local-command-execute-vulnerability
+%patch4 -p1 -b .mh-rmail-nonempty-dir.patch
+%patch5 -p1 -b .etags-local-command-injection-vulnerability
+%patch6 -p1 -b .htmlfontify-command-injection-vulnerability
+%patch7 -p1 -b .ob-latex-command-injection-vulnerability
+%patch8 -p1 -b .consider-org-file-contents-unsafe
+%patch9 -p1 -b .org-link-expand-abbrev-unsafe-elisp
+%patch10 -p1 -b .mark-contents-untrusted
+%patch11 -p1 -b .emacs-man-el-shell-injection-vulnerability
+%patch12 -p1 -b .CVE-2024-53920
 autoconf
 
 # We prefer our emacs.desktop file
 cp %SOURCE1 etc/emacs.desktop
 
+# GPG key for GNU ELPA packages backported from Emacs 26.3 (#1810729)
+cp %SOURCE10 etc/package-keyring.gpg
+
 grep -v "tetris.elc" lisp/Makefile.in > lisp/Makefile.in.new \
    && mv lisp/Makefile.in.new lisp/Makefile.in
 grep -v "pong.elc" lisp/Makefile.in > lisp/Makefile.in.new \
@@ -228,7 +252,7 @@ ln -s ../configure .
 
 %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \
            --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \
-           --with-xwidgets --with-modules
+           --with-modules
 make bootstrap
 %{setarch} make %{?_smp_mflags}
 cd ..
@@ -459,6 +483,41 @@ fi
 %dir %{_datadir}/emacs/site-lisp/site-start.d
 
 %changelog
+* Wed May 21 2025 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-15
+- Restore definition of variable "enable-dir-local-variables" (RHEL-92830)
+
+* Mon May 05 2025 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-14
+- Fix arbitrary code execution via Lisp macro expansion (RHEL-69394)
+
+* Wed Feb 19 2025 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-13
+- Fix man.el shell injection vulnerability (RHEL-79016)
+
+* Fri Aug 23 2024 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-12
+- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
+- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
+- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
+- Disable xwidgets (RHEL-14549)
+
+* Wed Apr 12 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-11
+- Bump version
+
+* Fri Apr 7 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-10
+- Fix etags local command injection vulnerability (#2175189)
+- Fix htmlfontify.el command injection vulnerability (#2175178)
+- Fix ob-latex.el command injection vulnerability (#2180587)
+
+* Tue Jan 10 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-9
+- Fix MH-E mail composition with GNU Mailutils (#1991156)
+
+* Thu Jan 05 2023 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-8
+- Fix ctags local command execute vulnerability (#2149386)
+
+* Thu Aug 5 2021 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-7
+- provide gating.yaml for CI
+
+* Mon Jul 19 2021 Jacek Migacz <jmigacz@redhat.com> - 1:26.1-6
+- a new GPG key for GNU ELPA packages (#1810729)
+
 * Mon Sep 10 2018 Jan Synáček <jsynacek@redhat.com> - 1:26.1-5
 - review annocheck distro flag failures (#1624109)
 

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -0,0 +1,2 @@
+SHA512 (emacs-26.1.tar.xz) = 537c2cfdd281151b360002419dde6280c313e07a937ed96405c67f754b3401ec5541091a3c0aa6690929bc33dd79e8e0d8844e7a6b014b7798c63cb15de210c2
+SHA512 (package-keyring.gpg) = ca0dfa2edda9a6de5837dd6d754d574b13e007561e8dcc99c178d24f6a5dbb6880edc95db9d6afbea8bdf0b409671657fe22a778003ea0ccf351dce5e4fd429f