On 2023-04-02 12:44:36 -0500, Rob Browning wrote: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: em...@packages.debian.org > Control: affects -1 + src:emacs > > Please unblock package emacs > > The only changes are two bug fixes, one for the Org Mode CVE. The > patches added are the cherry-picked upstream changes, as indicated in > the patch headers. > > https://bugs.debian.org/1033342 > https://bugs.debian.org/1033397 > > unblock emacs/1:28.2+1-14 > > (Package hasn't been uploaded yet; this is a preapproval request.)
Please go ahead Cheers
> diff -Nru emacs-28.2+1/debian/.git-dpm emacs-28.2+1/debian/.git-dpm
> --- emacs-28.2+1/debian/.git-dpm 2023-03-14 15:30:28.000000000 -0500
> +++ emacs-28.2+1/debian/.git-dpm 2023-03-31 13:22:32.000000000 -0500
> @@ -1,6 +1,6 @@
> # see git-dpm(1) from git-dpm package
> -4e6971c25c27c9a3f34cc69b51db894105362d08
> -4e6971c25c27c9a3f34cc69b51db894105362d08
> +023ac1eff558f6fb387fea1629b084c8929de18d
> +023ac1eff558f6fb387fea1629b084c8929de18d
> 279b82e64e15b5e2df3cb522636c6db85a8ee659
> 279b82e64e15b5e2df3cb522636c6db85a8ee659
> emacs_28.2+1.orig.tar.xz
> diff -Nru emacs-28.2+1/debian/changelog emacs-28.2+1/debian/changelog
> --- emacs-28.2+1/debian/changelog 2023-03-14 15:30:28.000000000 -0500
> +++ emacs-28.2+1/debian/changelog 2023-04-01 22:38:56.000000000 -0500
> @@ -1,7 +1,20 @@
> +emacs (1:28.2+1-14) unstable; urgency=medium
> +
> + * Fix gnus nnml crash on some invalid headers. Add
> + 0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch to
> + address the issue. (Closes: 1033397)
> +
> + * Fix Org Mode command injection vulnerability CVE-2023-28617. Add
> + 0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch and
> + 0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch to
> + address the issue. (Closes: 1033342)
> +
> + -- Rob Browning <r...@defaultvalue.org> Sat, 01 Apr 2023 22:38:56 -0500
> +
> emacs (1:28.2+1-13) unstable; urgency=high
>
> * Cherry-pick upstream fixes for command injection vulnerabilities
> - (CVE-2023-27984, CVE-2023-27986) (Closes: #1032538).
> + (CVE-2023-27985, CVE-2023-27986) (Closes: #1032538).
>
> -- Sean Whitton <spwhit...@spwhitton.name> Tue, 14 Mar 2023 13:30:28 -0700
>
> diff -Nru > emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch > > emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch
> --- > emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch > 1969-12-31 18:00:00.000000000 -0600
> +++ > emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch > 2023-03-31 13:22:31.000000000 -0500
> @@ -0,0 +1,52 @@
> +From cf3c2037c3531b756fbb443b8ab2f6873f10930e Mon Sep 17 00:00:00 2001
> +From: Eli Zaretskii <e...@gnu.org>
> +Date: Mon, 19 Dec 2022 19:01:04 +0200
> +Subject: Gnus nnml should avoid crashing on some invalid headers
> +
> +This upstream patch has been incorporated to fix the problem:
> +
> + Fix storing email into nnmail by Gnus
> +
> + * lisp/gnus/nnml.el (nnml--encode-headers): Wrap
> + 'rfc2047-encode-string' calls with 'ignore-errors', to avoid
> + disrupting email workflows due to possibly-invalid headers.
> + Reported by Florian Weimer <fwei...@redhat.com>.
> +
> +Origin: upstream, commit: 23f7c9c2a92e4619b7c4d2286d4249f812cd695d
> +Bug-Debian: https://bugs.debian.org/1033397
> +Forwarded: not-needed
> +---
> + lisp/gnus/nnml.el | 13 +++++++++----
> + 1 file changed, 9 insertions(+), 4 deletions(-)
> +
> +diff --git a/lisp/gnus/nnml.el b/lisp/gnus/nnml.el
> +index afdb0c780a5..258c5efc79f 100644
> +--- a/lisp/gnus/nnml.el
> ++++ b/lisp/gnus/nnml.el
> +@@ -775,17 +775,22 @@ nnml-parse-head
> + (nnml--encode-headers headers)
> + headers))))
> +
> ++;; RFC2047-encode Subject and From, but leave invalid headers unencoded.
> + (defun nnml--encode-headers (headers)
> + (let ((subject (mail-header-subject headers))
> + (rfc2047-encoding-type 'mime))
> + (unless (string-match "\\`[[:ascii:]]*\\'" subject)
> +- (setf (mail-header-subject headers)
> +- (mail-encode-encoded-word-string subject t))))
> ++ (let ((encoded-subject
> ++ (ignore-errors (mail-encode-encoded-word-string subject t))))
> ++ (if encoded-subject
> ++ (setf (mail-header-subject headers) encoded-subject)))))
> + (let ((from (mail-header-from headers))
> + (rfc2047-encoding-type 'address-mime))
> + (unless (string-match "\\`[[:ascii:]]*\\'" from)
> +- (setf (mail-header-from headers)
> +- (rfc2047-encode-string from t)))))
> ++ (let ((encoded-from
> ++ (ignore-errors (rfc2047-encode-string from t))))
> ++ (if encoded-from
> ++ (setf (mail-header-from headers) encoded-from))))))
> +
> + (defun nnml-get-nov-buffer (group &optional incrementalp)
> + (let ((buffer (gnus-get-buffer-create
> diff -Nru > emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch > > emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
> --- > emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch > 1969-12-31 18:00:00.000000000 -0600
> +++ > emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch > 2023-03-31 13:22:32.000000000 -0500
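Review bot: In `nnml--encode-headers` the two `ignore-errors` wrappers make the encoding failure invisible: when `mail-encode-encoded-word-string` or `rfc2047-encode-string` signals, the `if` falls through and the original non-ASCII Subject or From stays in the headers with no diagnostic, so a message whose header is malformed enough to break the encoder is stored unencoded without anyone being told. Not crashing on incoming mail is the right availability trade-off, but this is also exactly the case worth seeing in a log; a `condition-case` that reports and then returns nil keeps the crash-avoidance and adds the trace, e.g. for the subject `(condition-case err (mail-encode-encoded-word-string subject t) (error (nnheader-message 5 "nnml: leaving Subject unencoded: %s" (error-message-string err)) nil))`, with the same shape for the `from` form. The new header comment could also state the behaviour outright, e.g. `;; RFC2047-encode Subject and From; if encoding signals an error the header is left unencoded.`. Both `nnml--encode-headers` and its new comment lie entirely within this hunk.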
> @@ -0,0 +1,49 @@
> +From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001
> +From: Xi Lu <l...@shellcodes.org>
> +Date: Sat, 11 Mar 2023 18:53:37 +0800
> +Subject: Org Mode vulnerability CVE-2023-28617 is fixed (1/2)
> +
> +https://security-tracker.debian.org/tracker/CVE-2023-28617
> +
> +This upstream patch (1/2) has been incorporated to fix the problem:
> +
> + * lisp/ob-latex.el: Fix command injection vulnerability
> +
> + (org-babel-execute:latex):
> + Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
> +
> + TINYCHANGE
> +
> +Origin: > https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
> +Bug-Debian: https://bugs.debian.org/1033342
> +---
> + lisp/org/ob-latex.el | 13 +++++--------
> + 1 file changed, 5 insertions(+), 8 deletions(-)
> +
> +diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
> +index 7253803af9e..73139c836b8 100644
> +--- a/lisp/org/ob-latex.el
> ++++ b/lisp/org/ob-latex.el
> +@@ -205,17 +205,14 @@ org-babel-execute:latex
> + (if (string-suffix-p ".svg" out-file)
> + (progn
> + (shell-command "pwd")
> +- (shell-command (format "mv %s %s"
> +- (concat (file-name-sans-extension > tex-file) "-1.svg")
> +- out-file)))
> ++ (rename-file (concat (file-name-sans-extension tex-file) > "-1.svg")
> ++ out-file t))
> + (error "SVG file produced but HTML file requested")))
> + ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
> + (if (string-suffix-p ".html" out-file)
> +- (shell-command "mv %s %s"
> +- (concat (file-name-sans-extension tex-file)
> +- ".html")
> +- out-file)
> +- (error "HTML file produced but SVG file requested")))))
> ++ (rename-file (concat (file-name-sans-extension tex-file) > ".html")
> ++ out-file t)
> ++ (error "HTML file produced but SVG file requested")))))
> + ((or (string= "pdf" extension) imagemagick)
> + (with-temp-file tex-file
> + (require 'ox-latex)
> diff -Nru >
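Review bot: The `(shell-command "pwd")` on the line directly above the new `rename-file` in the `.svg` branch is untouched by the fix; its argument is a constant, so it is not an injection vector, but it is a leftover debugging shell-out that spawns a shell and writes to the shell-command output buffer on every export, and a follow-up could simply delete that line. The replacement itself is sound: `rename-file` with OK-IF-ALREADY-EXISTS set to `t` keeps the overwrite behaviour of `mv` while never passing `tex-file` or `out-file` through a shell, and it also repairs the `.html` branch, whose old call handed the literal `"mv %s %s"` to `shell-command` with no `format`, so the shell received the unexpanded string. This hunk only covers the two `mv` calls around line 205 of ob-latex.el; the remaining `(shell-command (format "mv %s %s" img-out out-file))` near line 167 is replaced by the 0028 patch, so the two patches must ship together for CVE-2023-28617 to be closed. `org-babel-execute:latex` starts and ends outside the hunk, so whether any other `shell-command` in the function still interpolates a file name cannot be judged from here.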
emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch > > emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch
> --- > emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch > 1969-12-31 18:00:00.000000000 -0600
> +++ > emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch > 2023-03-31 13:22:32.000000000 -0500
> @@ -0,0 +1,36 @@
> +From 023ac1eff558f6fb387fea1629b084c8929de18d Mon Sep 17 00:00:00 2001
> +From: Xi Lu <l...@shellcodes.org>
> +Date: Sat, 18 Feb 2023 18:03:28 +0800
> +Subject: Org Mode vulnerability CVE-2023-28617 is fixed (2/2)
> +
> +https://security-tracker.debian.org/tracker/CVE-2023-28617
> +
> +This upstream patch (2/2) has been incorporated to fix the problem:
> +
> +Org Mode command injection vulnerability has been fixed (CVE-2023-28617)
> +
> + * lisp/ob-latex.el (org-babel-execute:latex): Fix command injection > vulnerability
> +
> + Link: > https://orgmode.org/list/tencent_5c4d5d0defddbbfc66f855703927e60c7...@qq.com
> +
> + TINYCHANGE
> +
> +Origin: > https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485
> +Bug-Debian: https://bugs.debian.org/1033342
> +---
> + lisp/org/ob-latex.el | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
> +index 73139c836b8..1c5df6fe85d 100644
> +--- a/lisp/org/ob-latex.el
> ++++ b/lisp/org/ob-latex.el
> +@@ -167,7 +167,7 @@ org-babel-execute:latex
> + tmp-pdf
> + (list org-babel-latex-pdf-svg-process)
> + extension err-msg log-buf)))
> +- (shell-command (format "mv %s %s" img-out out-file)))))
> ++ (rename-file img-out out-file t))))
> + ((string-suffix-p ".tikz" out-file)
> + (when (file-exists-p out-file) (delete-file out-file))
> + (with-temp-file out-file
> diff -Nru emacs-28.2+1/debian/patches/series > emacs-28.2+1/debian/patches/series
> --- emacs-28.2+1/debian/patches/series 2023-03-14 15:30:28.000000000 > -0500
> +++ emacs-28.2+1/debian/patches/series 2023-03-31 13:22:32.000000000 > -0500
> @@ -23,3 +23,6 @@
> 0023-Fix-memory-leak-in-etags.c.patch
> 0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
> 0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
> +0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch
> +0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
> +0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch
>
> Thanks
> --
> Rob Browning
> rlb @defaultvalue.org and @debian.org
> GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
> GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
-- Sebastian Ramacher