Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package emacs for openSUSE:Factory checked
in at 2023-02-22 15:21:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/emacs (Old)
and /work/SRC/openSUSE:Factory/.emacs.new.1706 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "emacs"
Wed Feb 22 15:21:04 2023 rev:171 rq:1066988 version:28.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/emacs/emacs.changes 2022-11-30
16:07:44.055436773 +0100
+++ /work/SRC/openSUSE:Factory/.emacs.new.1706/emacs.changes 2023-02-22
15:21:06.865700627 +0100
@@ -1,0 +2,13 @@
+Tue Feb 21 08:28:17 UTC 2023 - Dr. Werner Fink <wer...@suse.de>
+
+- Add upstream commit/patches
+ * 01a4035c.patch
+ Fix etags local command injection vulnerability (CVE-2022-48337,
bsc#1208515)
+ * CVE-2022-48338.patch
+ Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338,
bsc#1208514)
+ * CVE-2022-48339.patch
+ Fix htmlfontify.el command injection vulnerability (CVE-2022-48339
bsc#1208512)
+- Require libwebp at build time for automatically enable support
+ for libwebp if given
+
+-------------------------------------------------------------------
New:
----
01a4035c.patch
CVE-2022-48338.patch
CVE-2022-48339.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ emacs.spec ++++++
--- /var/tmp/diff_new_pack.i3wmQW/_old 2023-02-22 15:21:08.017707160 +0100
+++ /var/tmp/diff_new_pack.i3wmQW/_new 2023-02-22 15:21:08.025707206 +0100
@@ -1,7 +1,7 @@
#
# spec file for package emacs
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -93,6 +93,7 @@
BuildRequires: pkgconfig(harfbuzz)
BuildRequires: pkgconfig(ice)
BuildRequires: pkgconfig(libseccomp)
+BuildRequires: pkgconfig(libwebp)
BuildRequires: pkgconfig(valgrind)
%if %{with tex4pdf}
BuildRequires: tex(babel.sty)
@@ -168,7 +169,7 @@
# https://ftp.gnu.org/gnu/gnu-keyring.gpg
Source7: %{name}.keyring
Source8: emacs-%{version}-pdf.tar.xz
-Patch: emacs-28.1.dif
+Patch0: emacs-28.1.dif
# Currently disabled
Patch2: emacs-24.4-glibc.patch
Patch4: emacs-24.3-asian-print.patch
@@ -188,7 +189,9 @@
Patch26: emacs-27.1-pdftex.patch
Patch29: emacs-27.1-Xauthority4server.patch
Patch30: d48bb487.patch
-
+Patch31: 01a4035c.patch
+Patch32: CVE-2022-48338.patch
+Patch33: CVE-2022-48339.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0
|| echo 1)}
%{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config
--variable prefix x11 || echo /usr/X11R6)}
@@ -335,7 +338,10 @@
%patch26 -p0 -b .fmt
%patch29 -p0 -b .xauth
%patch30 -p0 -b .cve202245939
-%patch -p0 -b .0
+%patch31 -p0 -b .cve2022XXXXX
+%patch32 -p0 -b .cve202248338
+%patch33 -p0 -b .cve202248339
+%patch0 -p0 -b .0
%if %{without tex4pdf}
pushd etc/refcards/
tar --use-compress-program=xz -xf %{S:8}
@@ -647,6 +653,8 @@
rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/mouse.el.prime
rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/dynamic-setting.el.custfnt
rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/server.el.xauth
+rm -vf
%{buildroot}%{_datadir}/emacs/%{version}/lisp/htmlfontify.el.cve202248339
+rm -vf
%{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/ruby-mode.el.cve202248338
unelc %{buildroot}%{_datadir}/emacs/%{version}/lisp/bindings.elc
unelc %{buildroot}%{_datadir}/emacs/%{version}/lisp/cus-start.elc
unelc %{buildroot}%{_datadir}/emacs/%{version}/lisp/generic-x.elc
++++++ 01a4035c.patch ++++++
>From e339926272a598bd9ee7e02989c1662b89e64cf0 Mon Sep 17 00:00:00 2001
From: lu4nx <l...@shellcodes.org>
Date: Tue, 6 Dec 2022 15:42:40 +0800
Subject: [PATCH] Fix etags local command injection vulnerability
* lib-src/etags.c: (escape_shell_arg_string): New function.
(process_file_name): Use it to quote file names passed to the
shell. (Bug#59817)
(cherry picked from commit 01a4035c869b91c153af9a9132c87adb7669ea1c)
---
lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 58 insertions(+), 5 deletions(-)
diff --git lib-src/etags.c lib-src/etags.c
index c9c32691016..a6bd7f66e29 100644
--- lib-src/etags.c
+++ lib-src/etags.c
@@ -408,6 +408,7 @@ static void invalidate_nodes (fdesc *, node **);
static void put_entries (node *);
static void clean_matched_file_tag (char const * const, char const * const);
+static char *escape_shell_arg_string (char *);
static void do_move_file (const char *, const char *);
static char *concat (const char *, const char *, const char *);
static char *skip_spaces (char *);
@@ -1704,13 +1705,16 @@ process_file_name (char *file, language *lang)
else
{
#if MSDOS || defined (DOS_NT)
- char *cmd1 = concat (compr->command, " \"", real_name);
- char *cmd = concat (cmd1, "\" > ", tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") +
strlen (real_name) + strlen (tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command,
real_name, tmp_name);
#else
- char *cmd1 = concat (compr->command, " '", real_name);
- char *cmd = concat (cmd1, "' > ", tmp_name);
+ char *new_real_name = escape_shell_arg_string (real_name);
+ char *new_tmp_name = escape_shell_arg_string (tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" > ") + strlen
(new_real_name) + strlen (new_tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name,
new_tmp_name);
#endif
- free (cmd1);
inf = (system (cmd) == -1
? NULL
: fopen (tmp_name, "r" FOPEN_BINARY));
@@ -7689,6 +7693,55 @@ etags_mktmp (void)
return templt;
}
+/*
+ * Adds single quotes around a string, if found single quotes, escaped it.
+ * Return a newly-allocated string.
+ *
+ * For example:
+ * escape_shell_arg_string("test.txt") => 'test.txt'
+ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
+ */
+static char *
+escape_shell_arg_string (char *str)
+{
+ char *p = str;
+ int need_space = 2; /* ' at begin and end */
+
+ while (*p != '\0')
+ {
+ if (*p == '\'')
+ need_space += 4; /* ' to '\'', length is 4 */
+ else
+ need_space++;
+
+ p++;
+ }
+
+ char *new_str = xnew (need_space + 1, char);
+ new_str[0] = '\'';
+ new_str[need_space-1] = '\'';
+
+ int i = 1; /* skip first byte */
+ p = str;
+ while (*p != '\0')
+ {
+ new_str[i] = *p;
+ if (*p == '\'')
+ {
+ new_str[i+1] = '\\';
+ new_str[i+2] = '\'';
+ new_str[i+3] = '\'';
+ i += 3;
+ }
+
+ i++;
+ p++;
+ }
+
+ new_str[need_space] = '\0';
+ return new_str;
+}
+
static void
do_move_file(const char *src_file, const char *dst_file)
{
--
2.35.3
++++++ CVE-2022-48338.patch ++++++
>From 22fb5ff5126dc8bb01edaa0252829d853afb284f Mon Sep 17 00:00:00 2001
From: Xi Lu <l...@shellcodes.org>
Date: Fri, 23 Dec 2022 12:52:48 +0800
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
(bug#60268)
* lisp/progmodes/ruby-mode.el
(ruby-find-library-file): Fix local command injection vulnerability.
(cherry picked from commit 9a3b08061feea14d6f37685ca1ab8801758bfd1c)
---
lisp/progmodes/ruby-mode.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git lisp/progmodes/ruby-mode.el lisp/progmodes/ruby-mode.el
index 72631a6557f..9b05b04a52c 100644
--- lisp/progmodes/ruby-mode.el
+++ lisp/progmodes/ruby-mode.el
@@ -1819,7 +1819,7 @@ or `gem' statement around point."
(setq feature-name (read-string "Feature name: " init))))
(let ((out
(substring
- (shell-command-to-string (concat "gem which " feature-name))
+ (shell-command-to-string (concat "gem which " (shell-quote-argument
feature-name)))
0 -1)))
(if (string-match-p "\\`ERROR" out)
(user-error "%s" out)
--
2.35.3
++++++ CVE-2022-48339.patch ++++++
>From 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 Mon Sep 17 00:00:00 2001
From: Xi Lu <l...@shellcodes.org>
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability. (Bug#60295)
(cherry picked from commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c)
---
lisp/htmlfontify.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git lisp/htmlfontify.el lisp/htmlfontify.el
index 115f67c9560..f8d1e205369 100644
--- lisp/htmlfontify.el
+++ lisp/htmlfontify.el
@@ -1882,7 +1882,7 @@ Hardly bombproof, but good enough in the context in which
it is being used."
(defun hfy-text-p (srcdir file)
"Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument
(expand-file-name file srcdir))))
(rsp (shell-command-to-string cmd)))
(string-match "text" rsp)))
--
2.35.3
