Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package emacs for openSUSE:Factory checked in at 2023-03-11 18:22:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/emacs (Old)
 and      /work/SRC/openSUSE:Factory/.emacs.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "emacs" Sat Mar 11 18:22:30 2023 rev:172 rq:1070372 version:28.2 Changes: -------- --- /work/SRC/openSUSE:Factory/emacs/emacs.changes 2023-02-22 15:21:06.865700627 +0100 +++ /work/SRC/openSUSE:Factory/.emacs.new.31432/emacs.changes 2023-03-11 18:22:32.902414196 +0100 @@ -1,0 +2,8 @@ +Thu Mar 9 09:04:28 UTC 2023 - Dr. Werner Fink <wer...@suse.de> + +- Add patch d3209119.patch + boo#1209089,CVE-2023-27985: Fix shell command injection in emacsclient-mail.desktop +- Add patch 3c1693d0.patch + boo#1209090,CVE-2023-27986: Fix Emacs Lisp code injection in emacsclient-mail.desktop + +------------------------------------------------------------------- New: ---- 3c1693d0.patch d3209119.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ emacs.spec ++++++ --- /var/tmp/diff_new_pack.576ROT/_old 2023-03-11 18:22:33.938419593 +0100 +++ /var/tmp/diff_new_pack.576ROT/_new 2023-03-11 18:22:33.946419635 +0100 @@ -192,6 +192,8 @@ Patch31: 01a4035c.patch Patch32: CVE-2022-48338.patch Patch33: CVE-2022-48339.patch +Patch34: d3209119.patch +Patch35: 3c1693d0.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0 || echo 1)} %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)} @@ -341,6 +343,8 @@ %patch31 -p0 -b .cve2022XXXXX %patch32 -p0 -b .cve202248338 %patch33 -p0 -b .cve202248339 +%patch34 -p1 -b .cve202327985 +%patch35 -p1 -b .cve202327986 %patch0 -p0 -b .0 %if %{without tex4pdf} pushd etc/refcards/ 
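Review bot: patch order matters here and the spec gets it right: %patch34 (d3209119.patch, blob index b575a41..91df122) is applied before %patch35 (3c1693d0.patch, index 91df122..49c6f99), so 3c1693d0 sees the post-d3209119 version of etc/emacsclient-mail.desktop it was generated against; swapping the two would make 3c1693d0's first hunk fail. The -p1 on the two new lines is consistent with their git-style a/ and b/ prefixes, whereas the older patches are applied with -p0. The backup-file cleanup in the @@ -655 hunk further down removes exactly the three .cve202327985/.cve202327986 backups that the two patches can leave behind (d3209119 touches both emacsclient-mail.desktop and emacsclient.desktop, 3c1693d0 only emacsclient-mail.desktop), so no stray backup ends up in the installed tree. Minor: the pre-existing `%patch31 -p0 -b .cve2022XXXXX` still carries a placeholder suffix while the new lines use the real CVE numbers; worth normalising in a follow-up.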
@@ -655,6 +659,9 @@ rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/server.el.xauth rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/htmlfontify.el.cve202248339 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/ruby-mode.el.cve202248338 +rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327985 +rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327986 +rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient.desktop.cve202327985 unelc %{buildroot}%{_datadir}/emacs/%{version}/lisp/bindings.elc unelc %{buildroot}%{_datadir}/emacs/%{version}/lisp/cus-start.elc unelc %{buildroot}%{_datadir}/emacs/%{version}/lisp/generic-x.elc ++++++ 3c1693d0.patch ++++++ >From 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <u...@gentoo.org> Date: Tue, 7 Mar 2023 18:25:37 +0100 Subject: Fix Elisp code injection vulnerability in emacsclient-mail.desktop A crafted mailto URI could contain unescaped double-quote characters, allowing injection of Elisp code. Therefore, any '\' and '"' characters are replaced by '\\' and '\"', using Bash pattern substitution (which is not available in the POSIX shell). We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the bash -c command, but in the desktop entry '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes are expanded twice, see the Desktop Entry Specification). Reported by Gabriel Corona <gabriel.cor...@free.fr>. * etc/emacsclient-mail.desktop (Exec): Escape backslash and double-quote characters. --- etc/emacsclient-mail.desktop | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop index 91df122..49c6f99 100644 --- a/etc/emacsclient-mail.desktop +++ b/etc/emacsclient-mail.desktop 
@@ -1,7 +1,10 @@ [Desktop Entry] Categories=Network;Email; Comment=GNU Emacs is an extensible, customizable text editor - and more -Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u +# We want to pass the following commands to the shell wrapper: +# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")" +# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'. +Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u Icon=emacs Name=Emacs (Mail, Client) MimeType=x-scheme-handler/mailto; @@ -13,7 +16,7 @@ Actions=new-window;new-instance; [Desktop Action new-window] Name=New Window -Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u +Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u [Desktop Action new-instance] Name=New Instance -- cgit v1.1 ++++++ d3209119.patch ++++++ >From d32091199ae5de590a83f1542a01d75fba000467 Mon Sep 17 00:00:00 2001 
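Review bot: the two substitutions in both Exec keys run in the right order, backslash first (`u=${1//\\/\\\\}`) and then double quote (`u=${u//\"/\\\"}`); reversed, the backslash pass would turn each freshly produced `\"` into `\\"`, i.e. an escaped backslash followed by an unescaped quote, and the quote would still close the Elisp string. Backslash and double quote are the only characters that need escaping inside an Elisp string literal, so after this the URI cannot break out of `(message-mailto "...")`. Two points worth recording: the entry now hard-depends on bash for `${var//pat/rep}`, and the spec diff in this submission adds no Requires on bash, which is fine only as long as bash is guaranteed to be installed; and the identical escaping sequence is duplicated in [Desktop Entry] and [Desktop Action new-window], so any later change must be made in both places; a comment pointing at the twin would help. The added `#` lines are legal comments in a desktop entry and are ignored by the parser, so the literal `\\` and `\"` in them are harmless.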
From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <u...@gentoo.org> Date: Mon, 19 Dec 2022 16:51:20 +0100 Subject: Fix quoted argument in emacsclient-mail.desktop Exec key Apparently the emacsclient-mail.desktop file doesn't conform to the Desktop Entry Specification at https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables which says about the Exec key: | Field codes must not be used inside a quoted argument, the result of | field code expansion inside a quoted argument is undefined. However, the %u field code is used inside a quoted argument of the Exec key in both the [Desktop Entry] and [Desktop Action new-window] sections. * etc/emacsclient-mail.desktop (Exec): The Desktop Entry Specification does not allow field codes like %u inside a quoted argument. Work around it by passing %u as first parameter ($1) to the shell wrapper. * etc/emacsclient.desktop (Exec): Use `sh` rather than `placeholder` as the command name of the shell wrapper. (Bug#60204) --- etc/emacsclient-mail.desktop | 4 ++-- etc/emacsclient.desktop | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop index b575a41..91df122 100644 --- a/etc/emacsclient-mail.desktop +++ b/etc/emacsclient-mail.desktop @@ -1,7 +1,7 @@ [Desktop Entry] Categories=Network;Email; Comment=GNU Emacs is an extensible, customizable text editor - and more -Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)" +Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u Icon=emacs Name=Emacs (Mail, Client) MimeType=x-scheme-handler/mailto; 
@@ -13,7 +13,7 @@ Actions=new-window;new-instance; [Desktop Action new-window] Name=New Window -Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")" +Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u [Desktop Action new-instance] Name=New Instance diff --git a/etc/emacsclient.desktop b/etc/emacsclient.desktop index 1ecdecf..a9f840c7 100644 --- a/etc/emacsclient.desktop +++ b/etc/emacsclient.desktop @@ -3,7 +3,7 @@ Name=Emacs (Client) GenericName=Text Editor Comment=Edit text MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++; -Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" placeholder %F +Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" sh %F Icon=emacs Type=Application Terminal=false -- cgit v1.1
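Review bot: the two emacsclient-mail.desktop hunks move %u out of the quoted argument and hand it to the wrapper as $1, which is the real fix: the URI is no longer spliced into the shell source text, so shell metacharacters in a mailto: link can no longer terminate the `sh -c` string. What this commit does not change is that $1 is still interpolated into the Elisp string handed to --eval; the follow-on 3c1693d0 patch above closes that by escaping backslash and double quote. In the new-window action the old Exec invoked emacsclient directly with %u inside the Elisp string, so that action gains the sh wrapper for the first time here. The emacsclient.desktop hunk is cosmetic: the word after the script body becomes $0 of the wrapper, and `sh` is simply a saner name than `placeholder` in ps output and error messages; `"$@"` already handled %F correctly. Style: the Subject line frames this as a Desktop Entry Specification conformance fix, while the openSUSE changelog files it as CVE-2023-27985 (shell command injection); it is the same change, but a comment in the spec next to Patch34 would save the next maintainer the cross-reference.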