From 4cd0c28b2cff2ed50f9b173cc42e17af2e88060d Mon Sep 17 00:00:00 2001 From: zhangpan Date: Tue, 2 Jul 2024 03:03:24 +0000 Subject: [PATCH] fix CVE-2024-39331 (cherry picked from commit 8b1147dc99256511c7d456db5045cfe8fcee5b8c) --- backport-CVE-2024-39331.patch | 68 +++++++++++++++++++++++++++++++++++ emacs.spec | 6 +++- 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-39331.patch diff --git a/backport-CVE-2024-39331.patch b/backport-CVE-2024-39331.patch new file mode 100644 index 0000000..3861ab0 --- /dev/null +++ b/backport-CVE-2024-39331.patch @@ -0,0 +1,68 @@ +From c645e1d8205f0f0663ec4a2d27575b238c646c7c Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Fri, 21 Jun 2024 15:45:25 +0200 +Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code + +* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...) +link abbrevs that specify unsafe function. Instead, display a +warning, and do not expand the abbrev. Clear all the text properties +from the returned link, to avoid any potential vulnerabilities caused +by properties that may contain arbitrary Elisp. +--- + lisp/org/ol.el | 40 +++++++++++++++++++++++++++++----------- + 1 file changed, 29 insertions(+), 11 deletions(-) + +diff --git a/lisp/org/ol.el b/lisp/org/ol.el +index 4c84e62..c34d92b 100644 +--- a/lisp/org/ol.el ++++ b/lisp/org/ol.el +@@ -1063,17 +1063,35 @@ Abbreviations are defined in `org-link-abbrev-alist'." + (if (not as) + link + (setq rpl (cdr as)) +- (cond +- ((symbolp rpl) (funcall rpl tag)) +- ((string-match "%(\\([^)]+\\))" rpl) +- (replace-match +- (save-match-data +- (funcall (intern-soft (match-string 1 rpl)) tag)) +- t t rpl)) +- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) +- ((string-match "%h" rpl) +- (replace-match (url-hexify-string (or tag "")) t t rpl)) +- (t (concat rpl tag))))))) ++ ;; Drop any potentially dangerous text properties like ++ ;; `modification-hooks' that may be used as an attack vector. ++ (substring-no-properties ++ (cond ++ ((symbolp rpl) (funcall rpl tag)) ++ ((string-match "%(\\([^)]+\\))" rpl) ++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) ++ ;; Using `unsafep-function' is not quite enough because ++ ;; Emacs considers functions like `genenv' safe, while ++ ;; they can potentially be used to expose private system ++ ;; data to attacker if abbreviated link is clicked. ++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) ++ (eq t (get rpl-fun-symbol 'pure))) ++ (replace-match ++ (save-match-data ++ (funcall (intern-soft (match-string 1 rpl)) tag)) ++ t t rpl) ++ (org-display-warning ++ (format "Disabling unsafe link abbrev: %s ++You may mark function safe via (put '%s 'org-link-abbrev-safe t)" ++ rpl (match-string 1 rpl))) ++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) ++ org-link-abbrev-alist (delete as org-link-abbrev-alist)) ++ link ++ ))) ++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) ++ ((string-match "%h" rpl) ++ (replace-match (url-hexify-string (or tag "")) t t rpl)) ++ (t (concat rpl tag)))))))) + + (defun org-link-open (link &optional arg) + "Open a link object LINK. +-- +cgit v1.1 + diff --git a/emacs.spec b/emacs.spec index ddcc6c4..b23959a 100644 --- a/emacs.spec +++ b/emacs.spec @@ -8,7 +8,7 @@ Name: emacs Epoch: 1 Version: 29.1 -Release: 2 +Release: 3 Summary: An extensible GNU text editor License: GPLv3+ and CC0-1.0 URL: http://www.gnu.org/software/emacs @@ -31,6 +31,7 @@ Patch6004: backport-CVE-2024-30203-pre.patch Patch6005: backport-CVE-2024-30203.patch Patch6006: backport-CVE-2024-30204.patch Patch6007: backport-CVE-2024-30205.patch +Patch6008: backport-CVE-2024-39331.patch Patch9000: emacs-deal-taboo-words.patch @@ -415,6 +416,9 @@ fi %{_mandir}/*/* %changelog +* Tue Jul 02 2024 zhangpan - 1:29.1-3 +- fix CVE-2024-39331 + * Mon Apr 01 2024 lingsheng - 1:29.1-2 - fix CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205 -- Gitee