Hello community, here is the log from the commit of package emacs for openSUSE:Factory checked in at 2024-12-17 19:22:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/emacs (Old) and /work/SRC/openSUSE:Factory/.emacs.new.29675 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "emacs" Tue Dec 17 19:22:24 2024 rev:196 rq:1231394 version:29.4 Changes: -------- --- /work/SRC/openSUSE:Factory/emacs/emacs.changes 2024-11-27 22:12:30.983420400 +0100 +++ /work/SRC/openSUSE:Factory/.emacs.new.29675/emacs.changes 2024-12-17 19:23:04.252695861 +0100 @@ -1,0 +2,7 @@ +Fri Dec 13 14:42:16 UTC 2024 - Dr. Werner Fink <wer...@suse.de> + +- Add patch emacs-CVE-2024-53920.patch (bsc#1233894, CVE-2024-53920) + * Disable flymake on start and save to avoid to be attacked with + elisp code from foreign source. + +------------------------------------------------------------------- New: ---- emacs-CVE-2024-53920.patch BETA DEBUG BEGIN: New: - Add patch emacs-CVE-2024-53920.patch (bsc#1233894, CVE-2024-53920) * Disable flymake on start and save to avoid to be attacked with BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ emacs.spec ++++++ --- /var/tmp/diff_new_pack.RDHAGu/_old 2024-12-17 19:23:06.080771940 +0100 +++ /var/tmp/diff_new_pack.RDHAGu/_new 2024-12-17 19:23:06.084772107 +0100 @@ -172,6 +172,7 @@ Provides: epg = 1.0.0 Obsoletes: epg < 1.0.0 Provides: emacs(ELPA) +Requires: bubblewrap Requires: emacs-info = %{version} Requires: emacs_program = %{version}-%{release} Requires: etags @@ -216,6 +217,7 @@ Patch25: emacs-26.1-xft4x11.patch Patch26: emacs-27.1-pdftex.patch Patch29: emacs-27.1-Xauthority4server.patch +Patch30: emacs-CVE-2024-53920.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0 || echo 1)} %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)} @@ -378,6 +380,7 @@ %patch -P25 -p0 -b .xft %patch -P26 -p0 -b .fmt %patch -P29 -p0 -b .xauth +%patch -P30 -p0 -b .cve202453920 %patch -P0 -p0 -b .0 %if %{without tex4pdf} pushd etc/refcards/ 
@@ -736,6 +739,7 @@ rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/obsolete/fast-lock.el.flc rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/loaddefs.el.flc rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/python.el.python +rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/flymake.el.cve202453920 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/textmodes/flyspell.el.flyspell rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/obsolete/spell.el.obsolate rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/cmuscheme.el.0 @@ -749,6 +753,7 @@ rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/dynamic-setting.el.custfnt rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/server.el.xauth rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/htmlfontify.el.cve202248339 +rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/elisp-mode.el.el.cve202453920 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/ruby-mode.el.cve202248338 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327985 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327986 ++++++ emacs-CVE-2024-53920.patch ++++++ From: Werner Fink <wer...@suse.de> Date: Fri, 13 Dec 2024 14:32:39 +0000 Subject: [PATCH] Disable flymake on start and save (CVE-2024-53920) Disable flymake on start and save to avoid to be attacked with elisp code like in this example: > cat document.txt ;; -*- mode: emacs-lisp -*- (rx (eval (call-process "touch" nil nil nil "/tmp/owned"))) if not disabled the elisp code above is completed which means executed without any warning if `flymake-mode' would be enabled by default for `emacs-lisp-mode'. --- lisp/progmodes/flymake.el | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) --- lisp/progmodes/flymake.el +++ lisp/progmodes/flymake.el 2024-12-13 14:26:43.833166494 +0000 
@@ -199,15 +199,21 @@ If nil, never start checking buffer auto (define-obsolete-variable-alias 'flymake-start-syntax-check-on-find-file 'flymake-start-on-flymake-mode "26.1") -(defcustom flymake-start-on-flymake-mode t +(defcustom flymake-start-on-flymake-mode nil "If non-nil, start syntax check when `flymake-mode' is enabled. -Specifically, start it when the buffer is actually displayed." +Specifically, start it when the buffer is actually displayed. +Warning: if enabled and with elisp-mode the triggered code completion on +untrusted Emacs Lisp source code allows attackers to execute arbitrary code. +More information at https://www.cve.org/CVERecord?id=CVE-2024-53920" :version "26.1" :type 'boolean) -(defcustom flymake-start-on-save-buffer t +(defcustom flymake-start-on-save-buffer nil "If non-nil, start syntax check when a buffer is saved. -Specifically, start it when the saved buffer is actually displayed." +Specifically, start it when the saved buffer is actually displayed. +Warning: if enabled and with elisp-mode the triggered code completion on +untrusted Emacs Lisp source code allows attackers to execute arbitrary code. +More information at https://www.cve.org/CVERecord?id=CVE-2024-53920" :version "27.1" :type 'boolean)
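Review bot: in the emacs.spec hunk at @@ -172,6 +172,7 @@, the new `Requires: bubblewrap` is not explained anywhere in this submission. The emacs.changes entry only mentions disabling flymake on start and save, and emacs-CVE-2024-53920.patch changes nothing but two defaults and their docstrings in lisp/progmodes/flymake.el, so nothing visible here calls bubblewrap. Either state in emacs.changes what is meant to use the sandbox, or drop the dependency so the package does not gain a runtime requirement that no shipped code relies on.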
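Review bot: in the emacs.spec hunk at @@ -749,6 +753,7 @@, the added `rm -vf .../lisp/progmodes/elisp-mode.el.el.cve202453920` has a doubled `.el.el` and names a backup file that this patch never produces. The diffstat of emacs-CVE-2024-53920.patch lists only lisp/progmodes/flymake.el, and that file's `.cve202453920` backup is already removed in the hunk at @@ -736,6 +739,7 @@. Because of `-f` the line fails silently and hides the mismatch; remove it, or correct the file name if a change to elisp-mode.el was meant to be part of the patch.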
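Review bot: in the flymake.el hunk at @@ -199,15 +199,21 @@, flipping `flymake-start-on-flymake-mode` and `flymake-start-on-save-buffer` to nil changes the default for every Flymake user, while the added warning concerns only Emacs Lisp buffers; the change is also not a complete barrier, since a user who has already saved either option as t keeps that value. Consider scoping the restriction to the Emacs Lisp case, or say in the docstring and in emacs.changes that automatic checks are now off for all modes. Three smaller points in the same hunk: the warning speaks of "code completion" although both options control when a syntax check starts, it says "elisp-mode" where the commit message uses `emacs-lisp-mode', and the `:version "26.1"` and `:version "27.1"` tags are left unchanged although the default value differs from what those versions shipped.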