diff --git a/emacs-consider-org-file-contents-unsafe.patch b/emacs-consider-org-file-contents-unsafe.patch new file mode 100644 index 0000000000000000000000000000000000000000..146dc6436f4ba37e338e1732a8cf8bdb337316a0 --- /dev/null +++ b/emacs-consider-org-file-contents-unsafe.patch @@ -0,0 +1,36 @@ +From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 14:59:20 +0300 +Subject: org-file-contents: Consider all remote files unsafe + +* lisp/org/org.el (org-file-contents): When loading files, consider all +remote files (like TRAMP-fetched files) unsafe, in addition to URLs. +--- + lisp/org/org.el | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 0f5d17d..76559c9 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4576,12 +4576,16 @@ from file or URL, and return nil. + If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version + is available. This option applies only if FILE is a URL." + (let* ((is-url (org-file-url-p file)) ++ (is-remote (condition-case nil ++ (file-remote-p file) ++ ;; In case of error, be safe. ++ (t t))) + (cache (and is-url + (not nocache) + (gethash file org--file-cache)))) + (cond + (cache) +- (is-url ++ ((or is-url is-remote) + (with-current-buffer (url-retrieve-synchronously file) + (goto-char (point-min)) + ;; Move point to after the url-retrieve header. +-- +cgit v1.1 + diff --git a/emacs-latex-preview.patch b/emacs-latex-preview.patch new file mode 100644 index 0000000000000000000000000000000000000000..29cbc74e643f863b643d7111e444a38d2fd51760 --- /dev/null +++ b/emacs-latex-preview.patch 
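Review bot: The new `(or is-url is-remote)` branch hands any name for which `file-remote-p` is non-nil, e.g. a TRAMP path such as `/ssh:host:/path/setup.org`, to `url-retrieve-synchronously`, which expects a URL with a scheme and, as far as I can tell, signals an error on such a name rather than deliberately refusing it. Remote files therefore stop being read, which is the stated intent, but the failure mode is an opaque URL error instead of the warn-and-return-nil contract the docstring fragment at the top of the hunk describes. I would add an explicit clause ahead of it, `((and is-remote (not is-url)) (org-display-warning (format "Refusing to load remote file %s" file)) nil)`, using the same `org-display-warning` the ol.el patch in this series relies on. Whether the `with-current-buffer` form is wrapped in a `condition-case` is not visible here, since `org-file-contents` continues outside the hunk.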
@@ -0,0 +1,57 @@ +From 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 12:47:24 +0300 +Subject: org-latex-preview: Add protection when `untrusted-content' is non-nil + +* lisp/org/org.el (org--latex-preview-when-risky): New variable +controlling how to handle LaTeX previews in Org files from untrusted +origin. +(org-latex-preview): Consult `org--latex-preview-when-risky' before +generating previews. + +This patch adds a layer of protection when LaTeX preview is requested +for an email attachment, where `untrusted-content' is set to non-nil. +--- + lisp/org/org.el | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index c75afbf..0f5d17d 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -1140,6 +1140,24 @@ the following lines anywhere in the buffer: + :package-version '(Org . "8.0") + :type 'boolean) + ++(defvar untrusted-content) ; defined in files.el ++(defvar org--latex-preview-when-risky nil ++ "If non-nil, enable LaTeX preview in Org buffers from unsafe source. ++ ++Some specially designed LaTeX code may generate huge pdf or log files ++that may exhaust disk space. ++ ++This variable controls how to handle LaTeX preview when rendering LaTeX ++fragments that originate from incoming email messages. It has no effect ++when Org mode is unable to determine the origin of the Org buffer. ++ ++An Org buffer is considered to be from unsafe source when the ++variable `untrusted-content' has a non-nil value in the buffer. ++ ++If this variable is non-nil, LaTeX previews are rendered unconditionally. ++ ++This variable may be renamed or changed in the future.") ++ + (defcustom org-insert-mode-line-in-empty-file nil + "Non-nil means insert the first line setting Org mode in empty files. + When the function `org-mode' is called interactively in an empty file, this +@@ -15695,6 +15713,7 @@ fragments in the buffer." 
+ (interactive "P") + (cond + ((not (display-graphic-p)) nil) ++ ((and untrusted-content (not org--latex-preview-when-risky)) nil) + ;; Clear whole buffer. + ((equal arg '(64)) + (org-clear-latex-preview (point-min) (point-max)) +-- +cgit v1.1 + diff --git a/emacs-mark-contents-untrusted.patch b/emacs-mark-contents-untrusted.patch new file mode 100644 index 0000000000000000000000000000000000000000..31e8437cdf4cacd12e8923a588d1096ffacdf73c --- /dev/null +++ b/emacs-mark-contents-untrusted.patch @@ -0,0 +1,25 @@ +From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 12:44:30 +0300 +Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents + untrusted. + +--- + lisp/gnus/mm-view.el | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el +index 2e1261c..5f234e5 100644 +--- a/lisp/gnus/mm-view.el ++++ b/lisp/gnus/mm-view.el +@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically." + (setq coding-system (mm-find-buffer-file-coding-system))) + (setq text (buffer-string)))) + (with-temp-buffer ++ (setq untrusted-content t) + (buffer-disable-undo) + (mm-enable-multibyte) + (insert (cond ((eq charset 'gnus-decoded) +-- +cgit v1.1 + diff --git a/1002-CVE-2024-39331.patch b/emacs-org-link-expand-abbrev-unsafe-elisp.patch similarity index 46% rename from 1002-CVE-2024-39331.patch rename to emacs-org-link-expand-abbrev-unsafe-elisp.patch index a3e7313401e7fb4e9088103afcc00b220919d4d2..fffc2cc65dd315f80b087075d9951282f3a8596e 100644 --- a/1002-CVE-2024-39331.patch +++ b/emacs-org-link-expand-abbrev-unsafe-elisp.patch @@ -1,28 +1,26 @@ From f4cc61636947b5c2f0afc67174dd369fe3277aa8 Mon Sep 17 00:00:00 2001 
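Review bot: `(defvar untrusted-content)` only declares the variable and gives it no value, so in a 27.2 tree whose files.el does not define it (upstream added `defvar-local untrusted-content nil` there together with these fixes), the new `(and untrusted-content ...)` clause in `org-latex-preview` signals `void-variable` in every buffer where nothing has set it, i.e. for ordinary local Org files. A read that also works when the variable is undefined is `((and (bound-and-true-p untrusted-content) (not org--latex-preview-when-risky)) nil)`. The `org--latex-preview-when-risky` docstring says the variable "has no effect when Org mode is unable to determine the origin" of the buffer, but the code simply reads the flag; I would reword that sentence to say previews are skipped only when `untrusted-content` is non-nil in the buffer. `org-latex-preview` starts and ends outside the hunk.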
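Review bot: `(setq untrusted-content t)` inside `with-temp-buffer` assigns the global value unless the variable has been made buffer-local, and nothing in this series does that: org.el's `(defvar untrusted-content)` only declares it and mm-view.el carries no declaration at all. After the first inline MIME part is fontified every buffer, including the user's own local Org files, will read `untrusted-content` as `t`, which with the LaTeX-preview patch silently disables previews everywhere. Use `(setq-local untrusted-content t)` here and add `(defvar untrusted-content)` near the top of mm-view.el to silence the free-variable warning; `setq-local` remains correct if files.el later gains upstream's `defvar-local`. `mm-display-inline-fontify` starts and ends outside the hunk.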
From: Ihor Radchenko Date: Tue, 18 Jun 2024 13:06:44 +0200 -Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp -code +Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code -* lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link +* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link abbrevs that specify unsafe function. Instead, display a warning, and do not expand the abbrev. Clear all the text properties from the returned link, to avoid any potential vulnerabilities caused by properties that may contain arbitrary Elisp. --- + lisp/org/ol.el | 40 +++++++++++++++++++++++++++++----------- + 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/lisp/org/ol.el b/lisp/org/ol.el -index d1db168..49e9d4c 100644 +index 7a7f4f5..8a556c7 100644 --- a/lisp/org/ol.el +++ b/lisp/org/ol.el -@@ -1007,17 +1007,36 @@ Abbreviations are defined in `org-link-abbrev-alist'." +@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'." (if (not as) link (setq rpl (cdr as)) -+ ;; Drop any potentially dangerous text properties like -+ ;; `modification-hooks' that may be used as an attack vector. -+ (substring-no-properties - (cond +- (cond - ((symbolp rpl) (funcall rpl tag)) - ((string-match "%(\\([^)]+\\))" rpl) - (replace-match 
@@ -33,35 +31,38 @@ index d1db168..49e9d4c 100644 - ((string-match "%h" rpl) - (replace-match (url-hexify-string (or tag "")) t t rpl)) - (t (concat rpl tag))))))) ++ ;; Drop any potentially dangerous text properties like ++ ;; `modification-hooks' that may be used as an attack vector. ++ (substring-no-properties ++ (cond + ((symbolp rpl) (funcall rpl tag)) + ((string-match "%(\\([^)]+\\))" rpl) + (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) -+ ;; Using `unsafep-function' is not quite enough because -+ ;; Emacs considers functions like `genenv' safe, while -+ ;; they can potentially be used to expose private system -+ ;; data to attacker if abbreviated link is clicked. -+ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) -+ (eq t (get rpl-fun-symbol 'pure))) -+ (replace-match -+ (save-match-data -+ (funcall (intern-soft (match-string 1 rpl)) tag)) -+ t t rpl) -+ (org-display-warning -+ (format "Disabling unsafe link abbrev: %s ++ ;; Using `unsafep-function' is not quite enough because ++ ;; Emacs considers functions like `genenv' safe, while ++ ;; they can potentially be used to expose private system ++ ;; data to attacker if abbreviated link is clicked. 
++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) ++ (eq t (get rpl-fun-symbol 'pure))) ++ (replace-match ++ (save-match-data ++ (funcall (intern-soft (match-string 1 rpl)) tag)) ++ t t rpl) ++ (org-display-warning ++ (format "Disabling unsafe link abbrev: %s +You may mark function safe via (put '%s 'org-link-abbrev-safe t)" + rpl (match-string 1 rpl))) -+ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) -+ org-link-abbrev-alist (delete as org-link-abbrev-alist)) -+ link -+ ))) -+ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) -+ ((string-match "%h" rpl) -+ (replace-match (url-hexify-string (or tag "")) t t rpl)) -+ (t (concat rpl tag)))))))) -+ ++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) ++ org-link-abbrev-alist (delete as org-link-abbrev-alist)) ++ link ++ ))) ++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) ++ ((string-match "%h" rpl) ++ (replace-match (url-hexify-string (or tag "")) t t rpl)) ++ (t (concat rpl tag)))))))) (defun org-link-open (link &optional arg) "Open a link object LINK. -- -2.31.1 +cgit v1.1 diff --git a/emacs.spec b/emacs.spec index 969824584f185c7b4020ca16a849490b2640a1e0..aa8000f7c69f1d62163c23f9b8b041ff69fcf356 100644 --- a/emacs.spec +++ b/emacs.spec @@ -1,12 +1,12 @@ %global _hardened_build 1 -%define anolis_release .0.3 +%define anolis_release .0.1 # This file is encoded in UTF-8. -*- coding: utf-8 -*- Summary: GNU Emacs text editor Name: emacs Epoch: 1 Version: 27.2 -Release: 9%{anolis_release}%{?dist} +Release: 10%{anolis_release}%{?dist} License: GPLv3+ and CC0-1.0 URL: http://www.gnu.org/software/emacs/ Source0: https://ftp.gnu.org/gnu/emacs/emacs-%{version}.tar.xz 
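Review bot: In the `%(...)` branch the function symbol is resolved twice: `rpl-fun-symbol` is bound from `(intern-soft (match-string 1 rpl))` and used for the safety check, yet the call repeats `(funcall (intern-soft (match-string 1 rpl)) tag)`; it should call the symbol that was checked, `(funcall rpl-fun-symbol tag)`, which removes the redundant lookup and makes the check-then-call relationship obvious to the reader. Two small documentation points in the same lines: the comment says `genenv` where `getenv` is meant, and the fact that a nil from `intern-soft` (unknown function name) deliberately lands in the warning branch deserves a one-line comment such as `;; nil from intern-soft lands here too: an unknown function is treated as unsafe`. The hunk ends just after the `(defun org-link-open` header, so that function is not reviewed here.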
@@ -34,12 +34,14 @@ Patch6: emacs-etags-local-command-injection-vulnerability.patch Patch7: emacs-htmlfontify-command-injection-vulnerability.patch Patch8: emacs-ruby-mode-local-command-injection-vulnerability.patch Patch9: emacs-ob-latex-command-injection-vulnerability.patch +Patch10: emacs-consider-org-file-contents-unsafe.patch +Patch11: emacs-mark-contents-untrusted.patch +Patch12: emacs-latex-preview.patch +Patch13: emacs-org-link-expand-abbrev-unsafe-elisp.patch BuildRequires: gcc # Add by Anolis Patch1001: 1001-emacs-add-sw.patch # End of Anolis -Patch1002: 1002-CVE-2024-39331.patch - BuildRequires: atk-devel BuildRequires: cairo-devel @@ -82,7 +84,6 @@ BuildRequires: jansson-devel BuildRequires: systemd-devel BuildRequires: gtk3-devel -BuildRequires: webkit2gtk3-devel BuildRequires: gnupg2 @@ -219,7 +220,10 @@ Doc pages for %{name}. %patch7 -p1 -b .htmlfontify-command-injection-vulnerability %patch8 -p1 -b .ruby-mode-local-command-injection-vulnerability %patch9 -p1 -b .ob-latex-command-injection-vulnerability -%patch1002 -p1 +%patch10 -p1 -b .consider-org-file-contents-unsafe +%patch11 -p1 -b .mark-contents-untrusted +%patch12 -p1 -b .latex-preview +%patch13 -p1 -b .org-link-expand-abbrev-unsafe-elisp %ifarch loongarch64 %_update_config_guess @@ -282,7 +286,7 @@ ln -s ../configure . %configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \ --with-tiff --with-xft --with-xpm --with-x-toolkit=gtk3 --with-gpm=no \ - --with-xwidgets --with-modules --with-harfbuzz --with-cairo --with-json + --with-modules --with-harfbuzz --with-cairo --with-json make bootstrap %{setarch} %make_build cd .. 
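Review bot: Patch11 sets `untrusted-content` and Patch12 reads it, but none of the listed patches touches files.el, where upstream introduced `(defvar-local untrusted-content nil ...)` alongside these fixes; Emacs 27.2 does not ship that definition, so unless it arrives some other way the Org guard reads an unbound variable and the Gnus assignment becomes a global one. I would add a `Patch14: emacs-files-untrusted-content.patch` carrying that `defvar-local` and apply it before `%patch11`. Separately, Patch10's org.el pre-image (`index 0f5d17d..76559c9`) is Patch12's post-image (`index c75afbf..0f5d17d`), i.e. upstream applied the LaTeX-preview change first; applying `%patch10` before `%patch12` still works because the hunks are far apart, but ordering them `%patch11`, `%patch12`, `%patch10`, `%patch13` matches upstream and avoids relying on offset matching.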
@@ -522,15 +526,17 @@ rm %{buildroot}%{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document23.svg
 %doc doc/NEWS BUGS README
 
 %changelog
-* Thu Aug 22 2024 Chunchun Yang - 1:27.2-9.0.3
-- Fxed CVE-2024-39331
-
-* Tue Mar 19 2024 wxiat - 1:27.2-9.0.2
-- cherry-pick `add sw patch #349896d0a48b80b530cfa5cc2bd1fc4ceff68e42`.
-
-* Wed Dec 06 2023 Xiaoping Liu - 1:27.2-9.0.1
+* Fri Nov 15 2024 Xiaoping Liu - 1:27.2-10.0.1
 - Add doc sub package
 - update config.sub and config.guess for loongarch64 (Jingyun Hua)
+- cherry-pick `add sw patch #349896d0a48b80b530cfa5cc2bd1fc4ceff68e42`. (nijie@wxiat.com)
+
+* Fri Mar 15 2024 Jacek Migacz - 1:27.2-10
+- Disable xwidgets (RHEL-14551)
+- org-file-contents: Consider all remote files unsafe (CVE-2024-30205)
+- Make Gnus treats inline MIME contents as untrusted (CVE-2024-30203)
+- Add protection for LaTeX preview (CVE-2024-30204)
+- org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code (CVE-2024-39331)
 
 * Sun Apr 2 2023 Jacek Migacz - 1:27.2-9
 - Fix etags local command injection vulnerability (#2175190)