From dfe3b5140502207cf64dc11b33c30da958822937 Mon Sep 17 00:00:00 2001 From: Ulrich Müller Date: Sun, 26 Feb 2023 21:00:06 +0100 Subject: Fix multiple command injection vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes command injection vulnerabilities in etags (CVE-2022-48337), ruby-mode (CVE-2022-48338), and htmlfontify (CVE-2022-48339) for Emacs slots 25, 26, 27, and 28. Note that Emacs 25 and 26 are not affected by the ruby-mode vulnerability because function ruby-find-library-file did not yet exist (and there is no call to the gem command in ruby-mode.el). Emacs 18 is not affected by either of them: It doesn't have ruby-mode and htmlfontify, and we no longer install the ctags and etags binaries. Bug: https://bugs.gentoo.org/897950 Signed-off-by: Ulrich Müller --- emacs/25.3/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++ emacs/25.3/06_all_htmlfontify.patch | 22 ++++++++ emacs/26.3/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++ emacs/26.3/06_all_htmlfontify.patch | 22 ++++++++ emacs/27.2/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++ emacs/27.2/06_all_ruby-mode.patch | 22 ++++++++ emacs/27.2/07_all_htmlfontify.patch | 22 ++++++++ emacs/28.2/04_all_gnus-nnml.patch | 38 +++++++++++++ emacs/28.2/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++ emacs/28.2/06_all_ruby-mode.patch | 22 ++++++++ emacs/28.2/07_all_htmlfontify.patch | 22 ++++++++ 11 files changed, 566 insertions(+) create mode 100644 emacs/25.3/05_all_etags-metachar.patch create mode 100644 emacs/25.3/06_all_htmlfontify.patch create mode 100644 emacs/26.3/05_all_etags-metachar.patch create mode 100644 emacs/26.3/06_all_htmlfontify.patch create mode 100644 emacs/27.2/05_all_etags-metachar.patch create mode 100644 emacs/27.2/06_all_ruby-mode.patch create mode 100644 emacs/27.2/07_all_htmlfontify.patch create mode 100644 emacs/28.2/04_all_gnus-nnml.patch create mode 100644 emacs/28.2/05_all_etags-metachar.patch create mode 100644 emacs/28.2/06_all_ruby-mode.patch create mode 100644 emacs/28.2/07_all_htmlfontify.patch diff --git a/emacs/25.3/05_all_etags-metachar.patch b/emacs/25.3/05_all_etags-metachar.patch new file mode 100644 index 0000000..31ffc14 --- /dev/null +++ b/emacs/25.3/05_all_etags-metachar.patch @@ -0,0 +1,99 @@ +Fix etags local command injection vulnerability (CVE-2022-48337) +Backported from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/59817 + +commit e339926272a598bd9ee7e02989c1662b89e64cf0 +Author: Xi Lu +Date: Tue Dec 6 15:42:40 2022 +0800 + + Fix etags local command injection vulnerability + +--- emacs-25.3/lib-src/etags.c ++++ emacs-25.3/lib-src/etags.c +@@ -398,6 +398,7 @@ + static void put_entries (node *); + static void clean_matched_file_tag (char const * const, char const * const); + ++static char *escape_shell_arg_string (char *); + static void do_move_file (const char *, const char *); + static char *concat (const char *, const char *, const char *); + static char *skip_spaces (char *); +@@ -1658,13 +1659,16 @@ + else + { + #if MSDOS || defined (DOS_NT) +- char *cmd1 = concat (compr->command, " \"", real_name); +- char *cmd = concat (cmd1, "\" > ", tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name); + #else +- char *cmd1 = concat (compr->command, " '", real_name); +- char *cmd = concat (cmd1, "' > ", tmp_name); ++ char *new_real_name = escape_shell_arg_string (real_name); ++ char *new_tmp_name = escape_shell_arg_string (tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name); + #endif +- free (cmd1); + int tmp_errno; + if (system (cmd) == -1) + { +@@ -6876,6 +6880,55 @@ + return templt; + } + ++/* ++ * Adds single quotes around a string, if found single quotes, escaped it. ++ * Return a newly-allocated string. ++ * ++ * For example: ++ * escape_shell_arg_string("test.txt") => 'test.txt' ++ * escape_shell_arg_string("'test.txt") => ''\''test.txt' ++ */ ++static char * ++escape_shell_arg_string (char *str) ++{ ++ char *p = str; ++ int need_space = 2; /* ' at begin and end */ ++ ++ while (*p != '\0') ++ { ++ if (*p == '\'') ++ need_space += 4; /* ' to '\'', length is 4 */ ++ else ++ need_space++; ++ ++ p++; ++ } ++ ++ char *new_str = xnew (need_space + 1, char); ++ new_str[0] = '\''; ++ new_str[need_space-1] = '\''; ++ ++ int i = 1; /* skip first byte */ ++ p = str; ++ while (*p != '\0') ++ { ++ new_str[i] = *p; ++ if (*p == '\'') ++ { ++ new_str[i+1] = '\\'; ++ new_str[i+2] = '\''; ++ new_str[i+3] = '\''; ++ i += 3; ++ } ++ ++ i++; ++ p++; ++ } ++ ++ new_str[need_space] = '\0'; ++ return new_str; ++} ++ + static void + do_move_file(const char *src_file, const char *dst_file) + { diff --git a/emacs/25.3/06_all_htmlfontify.patch b/emacs/25.3/06_all_htmlfontify.patch new file mode 100644 index 0000000..6870c0b --- /dev/null +++ b/emacs/25.3/06_all_htmlfontify.patch @@ -0,0 +1,22 @@ +Fix htmlfontify.el command injection vulnerability (CVE-2022-48339) +Backported from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/60295 + +commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 +Author: Xi Lu +Date: Sat Dec 24 16:28:54 2022 +0800 + + Fix htmlfontify.el command injection vulnerability. + +--- emacs-25.3/lisp/htmlfontify.el ++++ emacs-25.3/lisp/htmlfontify.el +@@ -1898,7 +1898,7 @@ + + (defun hfy-text-p (srcdir file) + "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this." +- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) ++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) + (rsp (shell-command-to-string cmd))) + (string-match "text" rsp))) + diff --git a/emacs/26.3/05_all_etags-metachar.patch b/emacs/26.3/05_all_etags-metachar.patch new file mode 100644 index 0000000..b7cc07b --- /dev/null +++ b/emacs/26.3/05_all_etags-metachar.patch @@ -0,0 +1,99 @@ +Fix etags local command injection vulnerability (CVE-2022-48337) +Backported from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/59817 + +commit e339926272a598bd9ee7e02989c1662b89e64cf0 +Author: Xi Lu +Date: Tue Dec 6 15:42:40 2022 +0800 + + Fix etags local command injection vulnerability + +--- emacs-26.3/lib-src/etags.c ++++ emacs-26.3/lib-src/etags.c +@@ -396,6 +396,7 @@ + static void put_entries (node *); + static void clean_matched_file_tag (char const * const, char const * const); + ++static char *escape_shell_arg_string (char *); + static void do_move_file (const char *, const char *); + static char *concat (const char *, const char *, const char *); + static char *skip_spaces (char *); +@@ -1672,13 +1673,16 @@ + else + { + #if MSDOS || defined (DOS_NT) +- char *cmd1 = concat (compr->command, " \"", real_name); +- char *cmd = concat (cmd1, "\" > ", tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name); + #else +- char *cmd1 = concat (compr->command, " '", real_name); +- char *cmd = concat (cmd1, "' > ", tmp_name); ++ char *new_real_name = escape_shell_arg_string (real_name); ++ char *new_tmp_name = escape_shell_arg_string (tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name); + #endif +- free (cmd1); + int tmp_errno; + if (system (cmd) == -1) + { +@@ -7141,6 +7145,55 @@ + return templt; + } + ++/* ++ * Adds single quotes around a string, if found single quotes, escaped it. ++ * Return a newly-allocated string. ++ * ++ * For example: ++ * escape_shell_arg_string("test.txt") => 'test.txt' ++ * escape_shell_arg_string("'test.txt") => ''\''test.txt' ++ */ ++static char * ++escape_shell_arg_string (char *str) ++{ ++ char *p = str; ++ int need_space = 2; /* ' at begin and end */ ++ ++ while (*p != '\0') ++ { ++ if (*p == '\'') ++ need_space += 4; /* ' to '\'', length is 4 */ ++ else ++ need_space++; ++ ++ p++; ++ } ++ ++ char *new_str = xnew (need_space + 1, char); ++ new_str[0] = '\''; ++ new_str[need_space-1] = '\''; ++ ++ int i = 1; /* skip first byte */ ++ p = str; ++ while (*p != '\0') ++ { ++ new_str[i] = *p; ++ if (*p == '\'') ++ { ++ new_str[i+1] = '\\'; ++ new_str[i+2] = '\''; ++ new_str[i+3] = '\''; ++ i += 3; ++ } ++ ++ i++; ++ p++; ++ } ++ ++ new_str[need_space] = '\0'; ++ return new_str; ++} ++ + static void + do_move_file(const char *src_file, const char *dst_file) + { diff --git a/emacs/26.3/06_all_htmlfontify.patch b/emacs/26.3/06_all_htmlfontify.patch new file mode 100644 index 0000000..c19e662 --- /dev/null +++ b/emacs/26.3/06_all_htmlfontify.patch @@ -0,0 +1,22 @@ +Fix htmlfontify.el command injection vulnerability (CVE-2022-48339) +Backported from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/60295 + +commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 +Author: Xi Lu +Date: Sat Dec 24 16:28:54 2022 +0800 + + Fix htmlfontify.el command injection vulnerability. + +--- emacs-26.3/lisp/htmlfontify.el ++++ emacs-26.3/lisp/htmlfontify.el +@@ -1906,7 +1906,7 @@ + + (defun hfy-text-p (srcdir file) + "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this." +- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) ++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) + (rsp (shell-command-to-string cmd))) + (string-match "text" rsp))) + diff --git a/emacs/27.2/05_all_etags-metachar.patch b/emacs/27.2/05_all_etags-metachar.patch new file mode 100644 index 0000000..8f3338e --- /dev/null +++ b/emacs/27.2/05_all_etags-metachar.patch @@ -0,0 +1,99 @@ +Fix etags local command injection vulnerability (CVE-2022-48337) +Backported from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/59817 + +commit e339926272a598bd9ee7e02989c1662b89e64cf0 +Author: Xi Lu +Date: Tue Dec 6 15:42:40 2022 +0800 + + Fix etags local command injection vulnerability + +--- emacs-27.2/lib-src/etags.c ++++ emacs-27.2/lib-src/etags.c +@@ -398,6 +398,7 @@ + static void put_entries (node *); + static void clean_matched_file_tag (char const * const, char const * const); + ++static char *escape_shell_arg_string (char *); + static void do_move_file (const char *, const char *); + static char *concat (const char *, const char *, const char *); + static char *skip_spaces (char *); +@@ -1670,13 +1671,16 @@ + else + { + #if MSDOS || defined (DOS_NT) +- char *cmd1 = concat (compr->command, " \"", real_name); +- char *cmd = concat (cmd1, "\" > ", tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name); + #else +- char *cmd1 = concat (compr->command, " '", real_name); +- char *cmd = concat (cmd1, "' > ", tmp_name); ++ char *new_real_name = escape_shell_arg_string (real_name); ++ char *new_tmp_name = escape_shell_arg_string (tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name); + #endif +- free (cmd1); + int tmp_errno; + if (system (cmd) == -1) + { +@@ -7124,6 +7128,55 @@ + return templt; + } + ++/* ++ * Adds single quotes around a string, if found single quotes, escaped it. ++ * Return a newly-allocated string. ++ * ++ * For example: ++ * escape_shell_arg_string("test.txt") => 'test.txt' ++ * escape_shell_arg_string("'test.txt") => ''\''test.txt' ++ */ ++static char * ++escape_shell_arg_string (char *str) ++{ ++ char *p = str; ++ int need_space = 2; /* ' at begin and end */ ++ ++ while (*p != '\0') ++ { ++ if (*p == '\'') ++ need_space += 4; /* ' to '\'', length is 4 */ ++ else ++ need_space++; ++ ++ p++; ++ } ++ ++ char *new_str = xnew (need_space + 1, char); ++ new_str[0] = '\''; ++ new_str[need_space-1] = '\''; ++ ++ int i = 1; /* skip first byte */ ++ p = str; ++ while (*p != '\0') ++ { ++ new_str[i] = *p; ++ if (*p == '\'') ++ { ++ new_str[i+1] = '\\'; ++ new_str[i+2] = '\''; ++ new_str[i+3] = '\''; ++ i += 3; ++ } ++ ++ i++; ++ p++; ++ } ++ ++ new_str[need_space] = '\0'; ++ return new_str; ++} ++ + static void + do_move_file(const char *src_file, const char *dst_file) + { diff --git a/emacs/27.2/06_all_ruby-mode.patch b/emacs/27.2/06_all_ruby-mode.patch new file mode 100644 index 0000000..8537b02 --- /dev/null +++ b/emacs/27.2/06_all_ruby-mode.patch @@ -0,0 +1,22 @@ +Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338) +Backported from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/60268 + +commit 22fb5ff5126dc8bb01edaa0252829d853afb284f +Author: Xi Lu +Date: Fri Dec 23 12:52:48 2022 +0800 + + Fix ruby-mode.el local command injection vulnerability (bug#60268) + +--- emacs-27.2/lisp/progmodes/ruby-mode.el ++++ emacs-27.2/lisp/progmodes/ruby-mode.el +@@ -1820,7 +1820,7 @@ + (setq feature-name (read-string "Feature name: " init)))) + (let ((out + (substring +- (shell-command-to-string (concat "gem which " feature-name)) ++ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name))) + 0 -1))) + (if (string-match-p "\\`ERROR" out) + (user-error "%s" out) diff --git a/emacs/27.2/07_all_htmlfontify.patch b/emacs/27.2/07_all_htmlfontify.patch new file mode 100644 index 0000000..eb0b079 --- /dev/null +++ b/emacs/27.2/07_all_htmlfontify.patch @@ -0,0 +1,22 @@ +Fix htmlfontify.el command injection vulnerability (CVE-2022-48339) +Backported from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/60295 + +commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 +Author: Xi Lu +Date: Sat Dec 24 16:28:54 2022 +0800 + + Fix htmlfontify.el command injection vulnerability. + +--- emacs-27.2/lisp/htmlfontify.el ++++ emacs-27.2/lisp/htmlfontify.el +@@ -1912,7 +1912,7 @@ + + (defun hfy-text-p (srcdir file) + "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this." +- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) ++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) + (rsp (shell-command-to-string cmd))) + (string-match "text" rsp))) + diff --git a/emacs/28.2/04_all_gnus-nnml.patch b/emacs/28.2/04_all_gnus-nnml.patch new file mode 100644 index 0000000..eed2058 --- /dev/null +++ b/emacs/28.2/04_all_gnus-nnml.patch @@ -0,0 +1,38 @@ +Fix denial-of-service issue in Gnus +Patch from emacs-28 branch + +commit ae9bfed50dbf5043c0b47f20473ef43d8aeebebd +Author: Eli Zaretskii +Date: Mon Dec 19 19:01:04 2022 +0200 + + Fix storing email into nnmail by Gnus + +--- a/lisp/gnus/nnml.el ++++ b/lisp/gnus/nnml.el +@@ -775,17 +775,22 @@ + (nnml--encode-headers headers) + headers)))) + ++;; RFC2047-encode Subject and From, but leave invalid headers unencoded. + (defun nnml--encode-headers (headers) + (let ((subject (mail-header-subject headers)) + (rfc2047-encoding-type 'mime)) + (unless (string-match "\\`[[:ascii:]]*\\'" subject) +- (setf (mail-header-subject headers) +- (mail-encode-encoded-word-string subject t)))) ++ (let ((encoded-subject ++ (ignore-errors (mail-encode-encoded-word-string subject t)))) ++ (if encoded-subject ++ (setf (mail-header-subject headers) encoded-subject))))) + (let ((from (mail-header-from headers)) + (rfc2047-encoding-type 'address-mime)) + (unless (string-match "\\`[[:ascii:]]*\\'" from) +- (setf (mail-header-from headers) +- (rfc2047-encode-string from t))))) ++ (let ((encoded-from ++ (ignore-errors (rfc2047-encode-string from t)))) ++ (if encoded-from ++ (setf (mail-header-from headers) encoded-from)))))) + + (defun nnml-get-nov-buffer (group &optional incrementalp) + (let ((buffer (gnus-get-buffer-create diff --git a/emacs/28.2/05_all_etags-metachar.patch b/emacs/28.2/05_all_etags-metachar.patch new file mode 100644 index 0000000..9371c17 --- /dev/null +++ b/emacs/28.2/05_all_etags-metachar.patch @@ -0,0 +1,99 @@ +Fix etags local command injection vulnerability (CVE-2022-48337) +Patch from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/59817 + +commit e339926272a598bd9ee7e02989c1662b89e64cf0 +Author: Xi Lu +Date: Tue Dec 6 15:42:40 2022 +0800 + + Fix etags local command injection vulnerability + +--- a/lib-src/etags.c ++++ b/lib-src/etags.c +@@ -408,6 +408,7 @@ + static void put_entries (node *); + static void clean_matched_file_tag (char const * const, char const * const); + ++static char *escape_shell_arg_string (char *); + static void do_move_file (const char *, const char *); + static char *concat (const char *, const char *, const char *); + static char *skip_spaces (char *); +@@ -1704,13 +1705,16 @@ + else + { + #if MSDOS || defined (DOS_NT) +- char *cmd1 = concat (compr->command, " \"", real_name); +- char *cmd = concat (cmd1, "\" > ", tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name); + #else +- char *cmd1 = concat (compr->command, " '", real_name); +- char *cmd = concat (cmd1, "' > ", tmp_name); ++ char *new_real_name = escape_shell_arg_string (real_name); ++ char *new_tmp_name = escape_shell_arg_string (tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name); + #endif +- free (cmd1); + inf = (system (cmd) == -1 + ? NULL + : fopen (tmp_name, "r" FOPEN_BINARY)); +@@ -7689,6 +7693,55 @@ + return templt; + } + ++/* ++ * Adds single quotes around a string, if found single quotes, escaped it. ++ * Return a newly-allocated string. ++ * ++ * For example: ++ * escape_shell_arg_string("test.txt") => 'test.txt' ++ * escape_shell_arg_string("'test.txt") => ''\''test.txt' ++ */ ++static char * ++escape_shell_arg_string (char *str) ++{ ++ char *p = str; ++ int need_space = 2; /* ' at begin and end */ ++ ++ while (*p != '\0') ++ { ++ if (*p == '\'') ++ need_space += 4; /* ' to '\'', length is 4 */ ++ else ++ need_space++; ++ ++ p++; ++ } ++ ++ char *new_str = xnew (need_space + 1, char); ++ new_str[0] = '\''; ++ new_str[need_space-1] = '\''; ++ ++ int i = 1; /* skip first byte */ ++ p = str; ++ while (*p != '\0') ++ { ++ new_str[i] = *p; ++ if (*p == '\'') ++ { ++ new_str[i+1] = '\\'; ++ new_str[i+2] = '\''; ++ new_str[i+3] = '\''; ++ i += 3; ++ } ++ ++ i++; ++ p++; ++ } ++ ++ new_str[need_space] = '\0'; ++ return new_str; ++} ++ + static void + do_move_file(const char *src_file, const char *dst_file) + { diff --git a/emacs/28.2/06_all_ruby-mode.patch b/emacs/28.2/06_all_ruby-mode.patch new file mode 100644 index 0000000..6b1b054 --- /dev/null +++ b/emacs/28.2/06_all_ruby-mode.patch @@ -0,0 +1,22 @@ +Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338) +Patch from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/60268 + +commit 22fb5ff5126dc8bb01edaa0252829d853afb284f +Author: Xi Lu +Date: Fri Dec 23 12:52:48 2022 +0800 + + Fix ruby-mode.el local command injection vulnerability (bug#60268) + +--- a/lisp/progmodes/ruby-mode.el ++++ b/lisp/progmodes/ruby-mode.el +@@ -1819,7 +1819,7 @@ + (setq feature-name (read-string "Feature name: " init)))) + (let ((out + (substring +- (shell-command-to-string (concat "gem which " feature-name)) ++ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name))) + 0 -1))) + (if (string-match-p "\\`ERROR" out) + (user-error "%s" out) diff --git a/emacs/28.2/07_all_htmlfontify.patch b/emacs/28.2/07_all_htmlfontify.patch new file mode 100644 index 0000000..acfccc5 --- /dev/null +++ b/emacs/28.2/07_all_htmlfontify.patch @@ -0,0 +1,22 @@ +Fix htmlfontify.el command injection vulnerability (CVE-2022-48339) +Patch from emacs-28 branch +https://bugs.gentoo.org/897950 +https://debbugs.gnu.org/60295 + +commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 +Author: Xi Lu +Date: Sat Dec 24 16:28:54 2022 +0800 + + Fix htmlfontify.el command injection vulnerability. + +--- a/lisp/htmlfontify.el ++++ b/lisp/htmlfontify.el +@@ -1882,7 +1882,7 @@ + + (defun hfy-text-p (srcdir file) + "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this." +- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) ++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) + (rsp (shell-command-to-string cmd))) + (string-match "text" rsp))) + -- cgit v1.2.3-65-gdbad