Diffstat (limited to 'emacs/28.2/06_all_ruby-mode.patch')
-rw-r--r-- | emacs/28.2/06_all_ruby-mode.patch | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/emacs/28.2/06_all_ruby-mode.patch b/emacs/28.2/06_all_ruby-mode.patch
new file mode 100644
index 0000000..6b1b054
--- /dev/null
+++ b/emacs/28.2/06_all_ruby-mode.patch
@@ -0,0 +1,22 @@
+Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338)
+Patch from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60268
+
+commit 22fb5ff5126dc8bb01edaa0252829d853afb284f
+Author: Xi Lu <lx@shellcodes.org>
+Date: Fri Dec 23 12:52:48 2022 +0800
+
+ Fix ruby-mode.el local command injection vulnerability (bug#60268)
+
+--- a/lisp/progmodes/ruby-mode.el
++++ b/lisp/progmodes/ruby-mode.el
+@@ -1819,7 +1819,7 @@
+ (setq feature-name (read-string "Feature name: " init))))
+ (let ((out
+ (substring
+- (shell-command-to-string (concat "gem which " feature-name))
++ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+ 0 -1)))
+ (if (string-match-p "\\`ERROR" out)
+ (user-error "%s" out) |
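Review bot: On the added `shell-command-to-string` line of the ruby-mode.el hunk, `shell-quote-argument` stops the shell from interpreting metacharacters in `feature-name`, but the value is still handed to `gem which` as a bare argument, so a name beginning with `-` would presumably be read by gem as an option rather than a feature. A guard before the call would close that gap, e.g. `(when (string-prefix-p "-" feature-name) (user-error "Invalid feature name: %s" feature-name))`. Longer term, running gem through `call-process` with an argument list instead of a concatenated command string would remove the shell, and the need for quoting, entirely. The enclosing defun starts and ends outside the hunk, so whether `feature-name` is validated earlier cannot be confirmed from these lines.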