Hello community,

here is the log from the commit of package emacs for openSUSE:Factory checked 
in at 2025-02-12 21:30:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/emacs (Old)
 and      /work/SRC/openSUSE:Factory/.emacs.new.8181 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "emacs"

Wed Feb 12 21:30:48 2025 rev:199 rq:1245402 version:29.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/emacs/emacs.changes      2025-01-17 
18:37:03.476174594 +0100
+++ /work/SRC/openSUSE:Factory/.emacs.new.8181/emacs.changes    2025-02-12 
21:31:04.993133003 +0100
@@ -1,0 +2,6 @@
+Wed Feb 12 12:20:32 UTC 2025 - Dr. Werner Fink <wer...@suse.de>
+
+- Add patch CVE-2025-1244.patch
+  * Avoid shell injection via custom "man" URI scheme (boo#1237091, 
CVE-2025-1244)
+
+-------------------------------------------------------------------
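
Review bot: the new changelog entry cites boo#1237091 and CVE-2025-1244 but not where the fix comes from. The patch being added carries an upstream header (commit 820f0793f0b46448928905552726c1f1b999062f, Bug#66390, dated 10 Oct 2023), so adding "(upstream Bug#66390)" to the bullet would make clear this is a backport of an existing upstream change rather than a local fix.
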

New:
----
  CVE-2025-1244.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ emacs.spec ++++++
--- /var/tmp/diff_new_pack.tIaiH4/_old  2025-02-12 21:31:06.201182804 +0100
+++ /var/tmp/diff_new_pack.tIaiH4/_new  2025-02-12 21:31:06.205182969 +0100
@@ -224,6 +224,7 @@
 Patch29:        emacs-27.1-Xauthority4server.patch
 Patch30:        emacs-CVE-2024-53920.patch
 Patch31:        emacs-29.4-boo1234673.patch
+Patch32:        CVE-2025-1244.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0 
|| echo 1)}
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config 
--variable prefix x11 || echo /usr/X11R6)}
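
Review bot: the Patch32 file name breaks the naming pattern of the lines directly above it. Patch30 and Patch31 are "emacs-CVE-2024-53920.patch" and "emacs-29.4-boo1234673.patch", while the new entry is a bare "CVE-2025-1244.patch". Renaming it to "emacs-CVE-2025-1244.patch" would keep the source list consistent and avoid a generic file name in the package sources.
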
@@ -394,6 +395,7 @@
 %patch -P29 -p0 -b .xauth
 %patch -P30 -p0 -b .cve202453920
 %patch -P31 -p0 -b .boo1234673
+%patch -P32 -p1 -b .boo1237091
 %patch -P0  -p0 -b .0
 %if %{without tex4pdf}
 pushd etc/refcards/
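
Review bot: the added "%patch -P32" line uses -p1 while every neighbouring line in this hunk uses -p0. That matches the git-style "a/lisp/man.el" and "b/lisp/man.el" paths in the patch, so it is correct, but a one-line spec comment saying the patch is an unmodified upstream git patch would stop someone from "normalising" it to -p0 later. Note also that the patch touches test/lisp/man-tests.el, so -b .boo1237091 leaves a second backup file under test/lisp/ in the build tree.
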
@@ -770,6 +772,7 @@
 rm -vf 
%{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/elisp-mode.el.el.cve202453920
 rm -vf 
%{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/ruby-mode.el.cve202248338
 rm -vf 
%{buildroot}%{_datadir}/emacs/%{version}/lisp/emacs-lisp/comp.el.boo1234673
+rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/man.el.boo1237091
 rm -vf 
%{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327985
 rm -vf 
%{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327986
 rm -vf 
%{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient.desktop.cve202327985
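
Review bot: the added rm for "lisp/man.el.boo1237091" matches the -b suffix used in %prep, but the first context line of this hunk removes "lisp/progmodes/elisp-mode.el.el.cve202453920", with ".el" doubled. The backup created by "-b .cve202453920" would be named "elisp-mode.el.cve202453920", and because rm -vf does not fail on a missing file, a path that does not match would go unnoticed and the backup would stay in the buildroot. Worth checking that path while this list is being edited.
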

++++++ CVE-2025-1244.patch ++++++
>From 820f0793f0b46448928905552726c1f1b999062f Mon Sep 17 00:00:00 2001
From: Xi Lu <l...@shellcodes.org>
Date: Tue, 10 Oct 2023 22:20:05 +0800
Subject: Fix man.el shell injection vulnerability

* lisp/man.el (Man-translate-references): Fix shell injection
vulnerability.  (Bug#66390)
* test/lisp/man-tests.el (man-tests-Man-translate-references): New
test.
---
 lisp/man.el            |  6 +++++-
 test/lisp/man-tests.el | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/lisp/man.el b/lisp/man.el
index 55cb938..d963964 100644
--- a/lisp/man.el
+++ b/lisp/man.el
@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)."
       (setq name (match-string 2 ref)
            section (match-string 1 ref))))
     (if (string= name "")
-       ref                             ; Return the reference as is
+        ;; see Bug#66390
+       (mapconcat 'identity
+                   (mapcar #'shell-quote-argument
+                           (split-string ref "\\s-+"))
+                   " ")                 ; Return the reference as is
       (if Man-downcase-section-letters-flag
          (setq section (downcase section)))
       (while slist
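
Review bot: in the added mapconcat form, split-string is called with an explicit separator and no OMIT-NULLS argument, so a reference with leading or trailing whitespace produces empty tokens, and shell-quote-argument turns each of those into a quoted empty argument. Passing t as the third argument to split-string avoids that. The trailing comment "; Return the reference as is" is also no longer true, since the value is now re-quoted token by token, and 'identity would read better as #'identity next to #'shell-quote-argument. The quoting is applied only on the (string= name "") branch shown here, and tokens such as "-k" still pass through unchanged, which the new test confirms is intended.
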
diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el
index 140482e..11f5f80 100644
--- a/test/lisp/man-tests.el
+++ b/test/lisp/man-tests.el
@@ -161,6 +161,18 @@ DESCRIPTION
           (let ((button (button-at (match-beginning 0))))
             (should (and button (eq 'Man-xref-header-file (button-type 
button))))))))))
 
+(ert-deftest man-tests-Man-translate-references ()
+  (should (equal (Man-translate-references "basename")
+                 "basename"))
+  (should (equal (Man-translate-references "basename(3)")
+                 "3 basename"))
+  (should (equal (Man-translate-references "basename(3v)")
+                 "3v basename"))
+  (should (equal (Man-translate-references ";id")
+                 "\\;id"))
+  (should (equal (Man-translate-references "-k basename")
+                 "-k basename")))
+
 (provide 'man-tests)
 
 ;;; man-tests.el ends here
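
Review bot: the only case in man-tests-Man-translate-references that exercises the fix is ";id", and its expected value "\\;id" is written as a literal. The output of shell-quote-argument depends on system-type, so comparing against (shell-quote-argument ";id") would keep the test meaningful on non-POSIX builds. A few more inputs would pin the behaviour down: other shell metacharacters, a reference with leading whitespace, and a reference with a section such as "basename(3)" that also contains a metacharacter, since that path does not go through the new quoting.
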
-- 
cgit v1.1
