From 7eac5c963388aa7a0af02daf51e775d77cd2a95d Mon Sep 17 00:00:00 2001
From: zhangpan <zp1224248514@163.com>
Date: Thu, 23 Feb 2023 07:08:50 +0000
Subject: [PATCH] fix CVE-2022-48337 CVE-2022-48338 CVE-2022-48339

---
 backport-CVE-2022-48337.patch | 107 ++++++++++++++++++++++++++++++++++
 backport-CVE-2022-48338.patch |  29 +++++++++
 backport-CVE-2022-48339.patch |  29 +++++++++
 emacs.spec                    |   8 ++-
 4 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-48337.patch
 create mode 100644 backport-CVE-2022-48338.patch
 create mode 100644 backport-CVE-2022-48339.patch

diff --git a/backport-CVE-2022-48337.patch b/backport-CVE-2022-48337.patch
new file mode 100644
index 0000000..8ac2e7f
--- /dev/null
+++ b/backport-CVE-2022-48337.patch
@@ -0,0 +1,107 @@
+From 01a4035c869b91c153af9a9132c87adb7669ea1c Mon Sep 17 00:00:00 2001
+From: lu4nx <lx@shellcodes.org>
+Date: Tue, 6 Dec 2022 15:42:40 +0800
+Subject: Fix etags local command injection vulnerability
+
+* lib-src/etags.c: (escape_shell_arg_string): New function.
+(process_file_name): Use it to quote file names passed to the
+shell.  (Bug#59817)
+
+Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c
+Conflict:Adaptation Context
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index 7b509d7..5d0eed2 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -398,6 +398,7 @@ static void invalidate_nodes (fdesc *, node **);
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1670,13 +1671,16 @@ process_file_name (char *file, language *lang)
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+ 	    {
+@@ -7124,6 +7128,55 @@ etags_mktmp (void)
+   return templt;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
+-- 
+2.27.0
diff --git a/backport-CVE-2022-48338.patch b/backport-CVE-2022-48338.patch
new file mode 100644
index 0000000..934d36c
--- /dev/null
+++ b/backport-CVE-2022-48338.patch
@@ -0,0 +1,29 @@
+From 9a3b08061feea14d6f37685ca1ab8801758bfd1c Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Fri, 23 Dec 2022 12:52:48 +0800
+Subject: Fix ruby-mode.el local command injection vulnerability (bug#60268)
+
+* lisp/progmodes/ruby-mode.el
+(ruby-find-library-file): Fix local command injection vulnerability.
+
+Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
+Conflict:NA
+---
+ lisp/progmodes/ruby-mode.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
+index 1f3e9b6..a4aa619 100644
+--- a/lisp/progmodes/ruby-mode.el
++++ b/lisp/progmodes/ruby-mode.el
+@@ -1899,7 +1899,7 @@ or `gem' statement around point."
+       (setq feature-name (read-string "Feature name: " init))))
+   (let ((out
+          (substring
+-          (shell-command-to-string (concat "gem which " feature-name))
++          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+           0 -1)))
+     (if (string-match-p "\\`ERROR" out)
+         (user-error "%s" out)
+-- 
+cgit v1.1
diff --git a/backport-CVE-2022-48339.patch b/backport-CVE-2022-48339.patch
new file mode 100644
index 0000000..3ebc5de
--- /dev/null
+++ b/backport-CVE-2022-48339.patch
@@ -0,0 +1,29 @@
+From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 24 Dec 2022 16:28:54 +0800
+Subject: Fix htmlfontify.el command injection vulnerability.
+
+* lisp/htmlfontify.el (hfy-text-p): Fix command injection
+vulnerability.  (Bug#60295)
+
+Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c
+Conflict:NA
+---
+ lisp/htmlfontify.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
+index df4c6ab..389b929 100644
+--- a/lisp/htmlfontify.el
++++ b/lisp/htmlfontify.el
+@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
+-- 
+cgit v1.1
\ No newline at end of file
diff --git a/emacs.spec b/emacs.spec
index 0bc9109..34eb52a 100644
--- a/emacs.spec
+++ b/emacs.spec
@@ -8,7 +8,7 @@
 Name:          emacs
 Epoch:         1
 Version:       27.2
-Release:       8
+Release:       9
 Summary:       An extensible GNU text editor
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs
@@ -26,6 +26,9 @@ Patch6001:        emacs-spellchecker.patch
 Patch6002:        emacs-system-crypto-policies.patch
 Patch6003:        backport-emacs-glibc-2.34.patch
 Patch6004:        backport-CVE-2022-45939.patch
+Patch6005:        backport-CVE-2022-48337.patch
+Patch6006:        backport-CVE-2022-48338.patch
+Patch6007:        backport-CVE-2022-48339.patch
 Patch9000:        emacs-deal-taboo-words.patch
 
 BuildRequires: gcc atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel
@@ -408,6 +411,9 @@ fi
 %{_mandir}/*/*
 
 %changelog
+* Thu Feb 23 2023 zhangpan <zhangpan103@h-partners.com> - 1:27.2-9
+- fix CVE-2022-48337 CVE-2022-48338 CVE-2022-48339
+
 * Thu Dec 01 2022 wangkerong <wangkerong@h-partners.com> - 1:27.2-8
 - fix CVE-2022-45939
 
-- 
Gitee