Diffstat (limited to 'emacs/25.3/06_all_htmlfontify.patch')
-rw-r--r-- | emacs/25.3/06_all_htmlfontify.patch | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/emacs/25.3/06_all_htmlfontify.patch b/emacs/25.3/06_all_htmlfontify.patch
new file mode 100644
index 0000000..6870c0b
--- /dev/null
+++ b/emacs/25.3/06_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date: Sat Dec 24 16:28:54 2022 +0800
+
+ Fix htmlfontify.el command injection vulnerability.
+
+--- emacs-25.3/lisp/htmlfontify.el
++++ emacs-25.3/lisp/htmlfontify.el
+@@ -1898,7 +1898,7 @@
+
+ (defun hfy-text-p (srcdir file)
+ "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this."
+- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))))
+ (rsp (shell-command-to-string cmd)))
+ (string-match "text" rsp)))
+ |
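Review bot: The `shell-quote-argument` added on the `++` line of the inner hunk assumes the `%s` in `hfy-istext-command` sits in a bare argument position of the template; a user template that already wraps `%s` in quotes would now receive a doubly quoted path and the text probe would silently fail, so the backport should record that constraint where `hfy-istext-command` is defined (outside this hunk). Note also that `shell-quote-argument` chooses its quoting rules from the host `system-type`, while `shell-command-to-string` runs whatever `shell-file-name` names, so on a non-default shell the two can disagree — the quoting is correct for a POSIX `sh`, which is presumably what this tree targets. A one-line addition to the docstring would make the new contract visible at the call site: `"FILE is expanded against SRCDIR and shell-quoted before being substituted into the command template."`. The enclosing `hfy-text-p` defun is complete within the hunk.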