Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: em...@packages.debian.org Control: affects -1 + src:emacs
This is security update for CVEs marked no-dsa by the secteam. It backports a series of upstream commits for CVE-2024-30202, CVE-2024-30203, CVE-2024-30204 and CVE-2024-30205. I had to backport a feature that the fixes use to pop up a dialog asking the user about the potentially unsafe remote resources. This involves only localised code changes, and is already two years old, so has received an adequate amount of testing upstream. I manually tested the fixes using reproducers provided in the BTS and from upstream. The fixes are already in unstable. I have uploaded to stable-pu. -- Sean Whitton
diff -Nru emacs-28.2+1/debian/changelog emacs-28.2+1/debian/changelog --- emacs-28.2+1/debian/changelog 2023-05-13 21:17:27.000000000 +0100 +++ emacs-28.2+1/debian/changelog 2024-04-27 10:49:04.000000000 +0100 @@ -1,3 +1,10 @@ +emacs (1:28.2+1-15+deb12u1) bookworm; urgency=high + + * Fix CVE-2024-30202, CVE-2024-30203, CVE-2024-30204 & CVE-2024-30205 + (Closes: #1067630). + + -- Sean Whitton <spwhit...@spwhitton.name> Sat, 27 Apr 2024 10:49:04 +0100 + emacs (1:28.2+1-15) unstable; urgency=medium * emacs-common: add breaks/replaces emacs-bin-common (<< 1:28) since the diff -Nru emacs-28.2+1/debian/.git-dpm emacs-28.2+1/debian/.git-dpm --- emacs-28.2+1/debian/.git-dpm 2023-03-31 19:22:32.000000000 +0100 +++ emacs-28.2+1/debian/.git-dpm 2024-04-27 10:49:04.000000000 +0100 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -023ac1eff558f6fb387fea1629b084c8929de18d -023ac1eff558f6fb387fea1629b084c8929de18d +1c0b3e5ae5cef71210b094bfd1f8582efe3a7b90 +1c0b3e5ae5cef71210b094bfd1f8582efe3a7b90 279b82e64e15b5e2df3cb522636c6db85a8ee659 279b82e64e15b5e2df3cb522636c6db85a8ee659 emacs_28.2+1.orig.tar.xz diff -Nru emacs-28.2+1/debian/.gitignore emacs-28.2+1/debian/.gitignore --- emacs-28.2+1/debian/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/.gitignore 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,81 @@ +*~ +.\#* +/*-stamp +/.debhelper/ +/build-gtk/ +/build-lucid/ +/build-nox/ +/build-src/ +/build-x/ +/elgz-canary +/elgz-info +/emacs +/emacs-bin-common +/emacs-bin-common.README.Debian +/emacs-bin-common.debhelper.log +/emacs-bin-common.lintian-overrides +/emacs-bin-common.postinst +/emacs-bin-common.postrm +/emacs-bin-common.prerm +/emacs-bin-common.substvars +/emacs-common +/emacs-common.README.00 +/emacs-common.README.01 +/emacs-common.README.Debian +/emacs-common.debhelper.log +/emacs-common.docs +/emacs-common.links +/emacs-common.lintian-overrides +/emacs-common.postinst +/emacs-common.postinst.debhelper +/emacs-common.postrm.debhelper +/emacs-common.prerm +/emacs-common.prerm.debhelper +/emacs-common.substvars +/emacs-el +/emacs-el.debhelper.log +/emacs-el.prerm +/emacs-el.substvars +/emacs-gtk +/emacs-gtk.README.Debian +/emacs-gtk.debhelper.log +/emacs-gtk.desktop +/emacs-gtk.links +/emacs-gtk.lintian-overrides +/emacs-gtk.menu +/emacs-gtk.postinst +/emacs-gtk.postinst.debhelper +/emacs-gtk.postrm +/emacs-gtk.postrm.debhelper +/emacs-gtk.prerm +/emacs-gtk.substvars +/emacs-lucid +/emacs-lucid.README.Debian +/emacs-lucid.debhelper.log +/emacs-lucid.desktop +/emacs-lucid.lintian-overrides +/emacs-lucid.menu +/emacs-lucid.postinst +/emacs-lucid.postinst.debhelper +/emacs-lucid.postrm.debhelper +/emacs-lucid.prerm +/emacs-lucid.substvars +/emacs-nox +/emacs-nox.README.Debian +/emacs-nox.debhelper.log +/emacs-nox.desktop +/emacs-nox.links +/emacs-nox.lintian-overrides +/emacs-nox.menu +/emacs-nox.postinst +/emacs-nox.postinst.debhelper +/emacs-nox.postrm +/emacs-nox.postrm.debhelper +/emacs-nox.prerm +/emacs-nox.substvars +/emacs.debhelper.log +/emacs.substvars +/files +/stamp-configured +/tmp-alt-list +\#*\# diff -Nru emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch --- emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,44 @@ +From d9bd61923515607fcc7ada4ba66b7e58e8ba00d9 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko <yanta...@posteo.net> +Date: Tue, 20 Feb 2024 12:19:46 +0300 +Subject: org-macro--set-templates: Prevent code evaluation + +* lisp/org/org-macro.el (org-macro--set-templates): Get rid of any +risk to evaluate code when `org-macro--set-templates' is called as a +part of major mode initialization. This way, no code evaluation is +ever triggered when user merely opens the file or when +`mm-display-org-inline' invokes Org major mode to fontify mime part +preview in email messages. + +(cherry picked from commit befa9fcaae29a6c9a283ba371c3c5234c7f644eb) +--- + lisp/org/org-macro.el | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lisp/org/org-macro.el b/lisp/org/org-macro.el +index 0921f3aa27c..5619cadf841 100644 +--- a/lisp/org/org-macro.el ++++ b/lisp/org/org-macro.el +@@ -103,6 +103,13 @@ org-macro--set-templates + (let ((new-templates nil)) + (pcase-dolist (`(,name . ,value) templates) + (let ((old-definition (assoc name new-templates))) ++ ;; This code can be evaluated unconditionally, as a part of ++ ;; loading Org mode. We *must not* evaluate any code present ++ ;; inside the Org buffer while loading. Org buffers may come ++ ;; from various sources, like received email messages from ++ ;; potentially malicious senders. Org mode might be used to ++ ;; preview such messages and no code evaluation from inside the ++ ;; received Org text should ever happen without user consent. + (when (and (stringp value) (string-match-p "\\`(eval\\>" value)) + ;; Pre-process the evaluation form for faster macro expansion. + (let* ((args (org-macro--makeargs value)) +@@ -115,7 +122,7 @@ org-macro--set-templates + (cadr (read value)) + (error + (user-error "Invalid definition for macro %S" name))))) +- (setq value (eval (macroexpand-all `(lambda ,args ,body)) t)))) ++ (setq value `(lambda ,args ,body)))) + (cond ((and value old-definition) (setcdr old-definition value)) + (old-definition) + (t (push (cons name (or value "")) new-templates))))) diff -Nru emacs-28.2+1/debian/patches/0030-lisp-files.el-untrusted-content-New-variable.patch emacs-28.2+1/debian/patches/0030-lisp-files.el-untrusted-content-New-variable.patch --- emacs-28.2+1/debian/patches/0030-lisp-files.el-untrusted-content-New-variable.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0030-lisp-files.el-untrusted-content-New-variable.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,32 @@ +From f6f7f00156e13af3922eb2b1b2676e8a2cb21620 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko <yanta...@posteo.net> +Date: Tue, 20 Feb 2024 12:43:51 +0300 +Subject: * lisp/files.el (untrusted-content): New variable. + +The new variable is to be used when buffer contents comes from untrusted +source. + +(cherry picked from commit ccc188fcf98ad9166ee551fac9d94b2603c3a51b) +--- + lisp/files.el | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lisp/files.el b/lisp/files.el +index 860b9ca7249..e127e99d410 100644 +--- a/lisp/files.el ++++ b/lisp/files.el +@@ -623,6 +623,14 @@ enable-dir-local-variables + Some modes may wish to set this to nil to prevent directory-local + settings being applied, but still respect file-local ones.") + ++(defvar-local untrusted-content nil ++ "Non-nil means that current buffer originated from an untrusted source. ++Email clients and some other modes may set this non-nil to mark the ++buffer contents as untrusted. ++ ++This variable might be subject to change without notice.") ++(put 'untrusted-content 'permanent-local t) ++ + ;; This is an odd variable IMO. + ;; You might wonder why it is needed, when we could just do: + ;; (setq-local enable-local-variables nil) diff -Nru emacs-28.2+1/debian/patches/0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch emacs-28.2+1/debian/patches/0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch --- emacs-28.2+1/debian/patches/0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,23 @@ +From 075a7ec4aca2477354b63a273f4571e00d53a1a7 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko <yanta...@posteo.net> +Date: Tue, 20 Feb 2024 12:44:30 +0300 +Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents + untrusted. + +(cherry picked from commit 937b9042ad7426acdcca33e3d931d8f495bdd804) +--- + lisp/gnus/mm-view.el | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el +index 44c744b068b..507978fa320 100644 +--- a/lisp/gnus/mm-view.el ++++ b/lisp/gnus/mm-view.el +@@ -506,6 +506,7 @@ mm-display-inline-fontify + (with-temp-buffer + (buffer-disable-undo) + (mm-enable-multibyte) ++ (setq untrusted-content t) + (insert (cond ((eq charset 'gnus-decoded) + (with-current-buffer (mm-handle-buffer handle) + (buffer-string))) diff -Nru emacs-28.2+1/debian/patches/0032-org-latex-preview-Add-protection-when-untrusted-cont.patch emacs-28.2+1/debian/patches/0032-org-latex-preview-Add-protection-when-untrusted-cont.patch --- emacs-28.2+1/debian/patches/0032-org-latex-preview-Add-protection-when-untrusted-cont.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0032-org-latex-preview-Add-protection-when-untrusted-cont.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,56 @@ +From 6031a74488aeafb952f7ad05c0d2f6f7a8c933bf Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko <yanta...@posteo.net> +Date: Tue, 20 Feb 2024 12:47:24 +0300 +Subject: org-latex-preview: Add protection when `untrusted-content' is non-nil + +* lisp/org/org.el (org--latex-preview-when-risky): New variable +controlling how to handle LaTeX previews in Org files from untrusted +origin. +(org-latex-preview): Consult `org--latex-preview-when-risky' before +generating previews. + +This patch adds a layer of protection when LaTeX preview is requested +for an email attachment, where `untrusted-content' is set to non-nil. + +(cherry picked from commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c) +--- + lisp/org/org.el | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index bc4c83b7d97..41e8bd79114 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -1092,6 +1092,24 @@ org-startup-with-latex-preview + :package-version '(Org . "8.0") + :type 'boolean) + ++(defvar untrusted-content) ; defined in files.el ++(defvar org--latex-preview-when-risky nil ++ "If non-nil, enable LaTeX preview in Org buffers from unsafe source. ++ ++Some specially designed LaTeX code may generate huge pdf or log files ++that may exhaust disk space. ++ ++This variable controls how to handle LaTeX preview when rendering LaTeX ++fragments that originate from incoming email messages. It has no effect ++when Org mode is unable to determine the origin of the Org buffer. ++ ++An Org buffer is considered to be from unsafe source when the ++variable `untrusted-content' has a non-nil value in the buffer. ++ ++If this variable is non-nil, LaTeX previews are rendered unconditionally. ++ ++This variable may be renamed or changed in the future.") ++ + (defcustom org-insert-mode-line-in-empty-file nil + "Non-nil means insert the first line setting Org mode in empty files. + When the function `org-mode' is called interactively in an empty file, this +@@ -16000,6 +16018,7 @@ org-latex-preview + (interactive "P") + (cond + ((not (display-graphic-p)) nil) ++ ((and untrusted-content (not org--latex-preview-when-risky)) nil) + ;; Clear whole buffer. + ((equal arg '(64)) + (org-clear-latex-preview (point-min) (point-max)) diff -Nru emacs-28.2+1/debian/patches/0033-org-Add-setting-for-remote-file-download-policy.patch emacs-28.2+1/debian/patches/0033-org-Add-setting-for-remote-file-download-policy.patch --- emacs-28.2+1/debian/patches/0033-org-Add-setting-for-remote-file-download-policy.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0033-org-Add-setting-for-remote-file-download-policy.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,209 @@ +From 34f1e76df1411a7d542292f3fb1fd5111fabe2fa Mon Sep 17 00:00:00 2001 +From: TEC <t...@tecosaur.com> +Date: Sun, 12 Jun 2022 22:37:42 +0800 +Subject: org: Add setting for remote file download policy + +* lisp/org/org.el (org-resource-download-policy, org-safe-remote-resources): +Two new customisations to configure the policy for downloading remote +resources. +(org--should-fetch-remote-resource-p, org--safe-remote-resource-p, +org--confirm-resource-safe): Introduce the new function +`org--should-fetch-remote-resource-p' for internal use determining +whether a remote resource should be downloaded according to the download +policy. This function makes use of two helper functions, +`org--safe-remote-resource-p' and `org--confirm-resource-safe'. +(org-file-contents): Apply `org--safe-remote-resource-p' to file +downloading. + +* lisp/org/org-attach.el (org-attach-attach, org-attach-url): Apply +`org--safe-remote-resource-p' to url downloading. + +(cherry picked from Org-mode commit 0583a0c5eaa955d4370558b980b3772bb91dd057) +--- + lisp/org/org-attach.el | 10 +++- + lisp/org/org.el | 130 ++++++++++++++++++++++++++++++++++++----- + 2 files changed, 123 insertions(+), 17 deletions(-) + +diff --git a/lisp/org/org-attach.el b/lisp/org/org-attach.el +index 36c21b7021c..c80f7f35ea9 100644 +--- a/lisp/org/org-attach.el ++++ b/lisp/org/org-attach.el +@@ -484,7 +484,9 @@ org-attach-untag + + (defun org-attach-url (url) + (interactive "MURL of the file to attach: \n") +- (let ((org-attach-method 'url)) ++ (let ((org-attach-method 'url) ++ (org-safe-remote-resources ; Assume safety if in an interactive session ++ (if noninteractive org-safe-remote-resources '("")))) + (org-attach-attach url))) + + (defun org-attach-buffer (buffer-name) +@@ -524,7 +526,11 @@ org-attach-attach + ((eq method 'cp) (copy-file file attach-file)) + ((eq method 'ln) (add-name-to-file file attach-file)) + ((eq method 'lns) (make-symbolic-link file attach-file)) +- ((eq method 'url) (url-copy-file file attach-file))) ++ ((eq method 'url) ++ (if (org--should-fetch-remote-resource-p file) ++ (url-copy-file file attach-file) ++ (error "The remote resources %S is considered unsafe, and will not be downloaded" ++ file)))) + (run-hook-with-args 'org-attach-after-change-hook attach-dir) + (org-attach-tag) + (cond ((eq org-attach-store-link-p 'attached) +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 41e8bd79114..f13f780fda5 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -1431,6 +1431,34 @@ org-file-apps + (string :tag "Command") + (function :tag "Function"))))) + ++(defcustom org-resource-download-policy 'prompt ++ "The policy applied to requests to obtain remote resources. ++ ++This affects keywords like #+setupfile and #+incude on export, ++`org-persist-write:url',and `org-attach-url' in non-interactive ++Emacs sessions. ++ ++This recognises four possible values: ++- t, remote resources should always be downloaded. ++- prompt, you will be prompted to download resources nt considered safe. ++- safe, only resources considered safe will be downloaded. ++- nil, never download remote resources. ++ ++A resource is considered safe if it matches one of the patterns ++in `org-safe-remote-resources'." ++ :group 'org ++ :type '(choice (const :tag "Always download remote resources" t) ++ (const :tag "Prompt before downloading an unsafe resource" prompt) ++ (const :tag "Only download resources considered safe" safe) ++ (const :tag "Never download any resources" nil))) ++ ++(defcustom org-safe-remote-resources nil ++ "A list of regexp patterns matching safe URIs. ++URI regexps are applied to both URLs and Org files requesting ++remote resources." ++ :group 'org ++ :type '(list regexp)) ++ + (defcustom org-open-non-existing-files nil + "Non-nil means `org-open-file' opens non-existing files. + +@@ -4711,21 +4739,25 @@ org-file-contents + (cond + (cache) + (is-url +- (with-current-buffer (url-retrieve-synchronously file) +- (goto-char (point-min)) +- ;; Move point to after the url-retrieve header. +- (search-forward "\n\n" nil :move) +- ;; Search for the success code only in the url-retrieve header. +- (if (save-excursion +- (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror)) +- ;; Update the cache `org--file-cache' and return contents. +- (puthash file +- (buffer-substring-no-properties (point) (point-max)) +- org--file-cache) +- (funcall (if noerror #'message #'user-error) +- "Unable to fetch file from %S" +- file) +- nil))) ++ (if (org--should-fetch-remote-resource-p file) ++ (with-current-buffer (url-retrieve-synchronously file) ++ (goto-char (point-min)) ++ ;; Move point to after the url-retrieve header. ++ (search-forward "\n\n" nil :move) ++ ;; Search for the success code only in the url-retrieve header. ++ (if (save-excursion ++ (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror)) ++ ;; Update the cache `org--file-cache' and return contents. ++ (puthash file ++ (buffer-substring-no-properties (point) (point-max)) ++ org--file-cache) ++ (funcall (if noerror #'message #'user-error) ++ "Unable to fetch file from %S" ++ file) ++ nil)) ++ (funcall (if noerror #'message #'user-error) ++ "The remote resource %S is considered unsafe, and will not be downloaded" ++ file))) + (t + (with-temp-buffer + (condition-case nil +@@ -4738,6 +4770,74 @@ org-file-contents + file) + nil))))))) + ++(defun org--should-fetch-remote-resource-p (uri) ++ "Return non-nil if the URI should be fetched." ++ (or (eq org-resource-download-policy t) ++ (org--safe-remote-resource-p uri) ++ (and (eq org-resource-download-policy 'prompt) ++ (org--confirm-resource-safe uri)))) ++ ++(defun org--safe-remote-resource-p (uri) ++ "Return non-nil if URI is considered safe. ++This checks every pattern in `org-safe-remote-resources', and ++returns non-nil if any of them match." ++ (let ((uri-patterns org-safe-remote-resources) ++ (file-uri (and buffer-file-name ++ (concat "file://" (file-truename buffer-file-name)))) ++ match-p) ++ (while (and (not match-p) uri-patterns) ++ (setq match-p (or (string-match-p (car uri-patterns) uri) ++ (and file-uri (string-match-p (car uri-patterns) file-uri))) ++ uri-patterns (cdr uri-patterns))) ++ match-p)) ++ ++(defun org--confirm-resource-safe (uri) ++ "Ask the user if URI should be considered safe, returning non-nil if so." ++ (unless noninteractive ++ (let ((current-file (and buffer-file-name (file-truename buffer-file-name))) ++ (buf (get-buffer-create "*Org Remote Resource*"))) ++ ;; Set up the contents of the *Org Remote Resource* buffer. ++ (with-current-buffer buf ++ (erase-buffer) ++ (insert "An org-mode document would like to download " ++ (propertize uri 'face '(:inherit org-link :weight normal)) ++ ", which is not considered safe.\n\n" ++ "Do you want to download this? You can type\n " ++ (propertize "!" 'face 'success) ++ " to download this resource, and permanantly mark it as safe.\n " ++ (propertize "f" 'face 'success) ++ " to download this resource, and permanantly mark all resources in " ++ (propertize current-file 'face 'fixed-pitch-serif) ++ " as safe.\n " ++ (propertize "y" 'face 'warning) ++ " to download this resource, just this once.\n " ++ (propertize "n" 'face 'error) ++ " to skip this resource.\n") ++ (setq-local cursor-type nil) ++ (set-buffer-modified-p nil) ++ (goto-char (point-min))) ++ ;; Display the buffer and read a choice. ++ (save-window-excursion ++ (pop-to-buffer buf) ++ (let* ((exit-chars '(?y ?n ?! ?f ?\s)) ++ (prompt (format "Please type y, n, f, or !%s: " ++ (if (< (line-number-at-pos (point-max)) ++ (window-body-height)) ++ "" ++ ", or C-v/M-v to scroll"))) ++ char) ++ (setq char (read-char-choice prompt exit-chars)) ++ (when (memq char '(?! ?f)) ++ (customize-push-and-save ++ 'org-safe-remote-resources ++ (list (rx string-start ++ (literal ++ (if (and (= char ?f) current-file) ++ (concat "file://" current-file) uri)) ++ string-end)))) ++ (prog1 (memq char '(?! ?\s ?y ?f)) ++ (quit-window t))))))) ++ + (defun org-extract-log-state-settings (x) + "Extract the log state setting from a TODO keyword string. + This will extract info from a string like \"WAIT(w@/!)\"." diff -Nru emacs-28.2+1/debian/patches/0034-org-Refactor-rx-to-concat-regexp-opt.patch emacs-28.2+1/debian/patches/0034-org-Refactor-rx-to-concat-regexp-opt.patch --- emacs-28.2+1/debian/patches/0034-org-Refactor-rx-to-concat-regexp-opt.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0034-org-Refactor-rx-to-concat-regexp-opt.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,35 @@ +From ef9d16949ada26721559024b9534252fdaf10db8 Mon Sep 17 00:00:00 2001 +From: TEC <t...@tecosaur.com> +Date: Sun, 24 Jul 2022 22:03:20 +0800 +Subject: org: Refactor rx to concat + regexp-opt + +* lisp/org.el (org--confirm-resource-safe): Since Emacs 26 doesn't +support rx's (literal S) construct, use (concat (regexp-opt ...) ...) +instead. + +(cherry picked from Org-mode commit 6de5431acc8b77548e89c61a6ae0ebc1b57540bb) +--- + lisp/org/org.el | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index f13f780fda5..e21f972e747 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4830,11 +4830,11 @@ org--confirm-resource-safe + (when (memq char '(?! ?f)) + (customize-push-and-save + 'org-safe-remote-resources +- (list (rx string-start +- (literal +- (if (and (= char ?f) current-file) +- (concat "file://" current-file) uri)) +- string-end)))) ++ (list (concat "\\`" ++ (regexp-opt ++ (if (and (= char ?f) current-file) ++ (concat "file://" current-file) uri)) ++ "\\'")))) + (prog1 (memq char '(?! ?\s ?y ?f)) + (quit-window t))))))) + diff -Nru emacs-28.2+1/debian/patches/0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch emacs-28.2+1/debian/patches/0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch --- emacs-28.2+1/debian/patches/0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,26 @@ +From df00eab6bfb8d39028485ab9d8d4b42851f2db14 Mon Sep 17 00:00:00 2001 +From: TEC <t...@tecosaur.com> +Date: Tue, 26 Jul 2022 12:22:07 +0800 +Subject: org: Correct regexp escaping to use regexp-quote + +* lisp/org.el (org--confirm-resource-safe): `regexp-opt' was +accidentally used instead of `regexp-quote'. + +(cherry picked from Org-mode commit 6ad53fa22eab5830f85a401960dc1e7d00154a27) +--- + lisp/org/org.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index e21f972e747..62d07af4079 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4831,7 +4831,7 @@ org--confirm-resource-safe + (customize-push-and-save + 'org-safe-remote-resources + (list (concat "\\`" +- (regexp-opt ++ (regexp-quote + (if (and (= char ?f) current-file) + (concat "file://" current-file) uri)) + "\\'")))) diff -Nru emacs-28.2+1/debian/patches/0036-org-Fix-resource-prompt-in-non-file-buffers.patch emacs-28.2+1/debian/patches/0036-org-Fix-resource-prompt-in-non-file-buffers.patch --- emacs-28.2+1/debian/patches/0036-org-Fix-resource-prompt-in-non-file-buffers.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0036-org-Fix-resource-prompt-in-non-file-buffers.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,45 @@ +From c6d219de2f3f0b6fa11f7edbc974c291ea464c4c Mon Sep 17 00:00:00 2001 +From: TEC <g...@tecosaur.net> +Date: Wed, 3 Aug 2022 21:38:49 +0800 +Subject: org: Fix resource prompt in non-file buffers + +* lisp/org.el (org--confirm-resource-safe): When `buffer-file-name' is +nil, skip over file-specific behaviour. + +(cherry picked from Org-mode commit 4702a73031c77ba03b480b0848c137d5d8773e07) +--- + lisp/org/org.el | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 62d07af4079..8f57e7c5bdb 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4806,9 +4806,12 @@ org--confirm-resource-safe + (propertize "!" 'face 'success) + " to download this resource, and permanantly mark it as safe.\n " + (propertize "f" 'face 'success) +- " to download this resource, and permanantly mark all resources in " +- (propertize current-file 'face 'fixed-pitch-serif) +- " as safe.\n " ++ (if current-file ++ (concat ++ " to download this resource, and permanantly mark all resources in " ++ (propertize current-file 'face 'fixed-pitch-serif) ++ " as safe.\n ") ++ "") + (propertize "y" 'face 'warning) + " to download this resource, just this once.\n " + (propertize "n" 'face 'error) +@@ -4819,8 +4822,9 @@ org--confirm-resource-safe + ;; Display the buffer and read a choice. + (save-window-excursion + (pop-to-buffer buf) +- (let* ((exit-chars '(?y ?n ?! ?f ?\s)) +- (prompt (format "Please type y, n, f, or !%s: " ++ (let* ((exit-chars (append '(?y ?n ?! ?\s) (and current-file '(?f)))) ++ (prompt (format "Please type y, n%s, or !%s: " ++ (if current-file ", f" "") + (if (< (line-number-at-pos (point-max)) + (window-body-height)) + "" diff -Nru emacs-28.2+1/debian/patches/0037-org-Add-mark-domain-as-safe-convenience-action.patch emacs-28.2+1/debian/patches/0037-org-Add-mark-domain-as-safe-convenience-action.patch --- emacs-28.2+1/debian/patches/0037-org-Add-mark-domain-as-safe-convenience-action.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0037-org-Add-mark-domain-as-safe-convenience-action.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,79 @@ +From 1999648553f930c4ff4fb83104fb7148dfc49c07 Mon Sep 17 00:00:00 2001 +From: TEC <g...@tecosaur.net> +Date: Sun, 7 Aug 2022 16:21:21 +0800 +Subject: org: Add "mark domain as safe" convenience action + +* lisp/org.el (org--confirm-resource-safe): Pick out domains from URLs, +and provide an option of marking that domain as safe. + +(cherry picked from Org-mode commit 1ae801e9c86d5b150fd085230722e4dac550df30) +--- + lisp/org/org.el | 32 +++++++++++++++++++++++--------- + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 8f57e7c5bdb..accb57e1167 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4795,6 +4795,13 @@ org--confirm-resource-safe + "Ask the user if URI should be considered safe, returning non-nil if so." + (unless noninteractive + (let ((current-file (and buffer-file-name (file-truename buffer-file-name))) ++ (domain (and (string-match ++ (rx (seq "http" (? "s") "://") ++ (optional (+ (not (any "@/\n"))) "@") ++ (optional "www.") ++ (one-or-more (not (any ":/?\n")))) ++ uri) ++ (match-string 0 uri))) + (buf (get-buffer-create "*Org Remote Resource*"))) + ;; Set up the contents of the *Org Remote Resource* buffer. + (with-current-buffer buf +@@ -4805,6 +4812,11 @@ org--confirm-resource-safe + "Do you want to download this? You can type\n " + (propertize "!" 'face 'success) + " to download this resource, and permanantly mark it as safe.\n " ++ (if domain ++ (concat ++ (propertize "d" 'face 'success) ++ " to download this resource, and mark this domain as safe.\n ") ++ "") + (propertize "f" 'face 'success) + (if current-file + (concat +@@ -4822,8 +4834,8 @@ org--confirm-resource-safe + ;; Display the buffer and read a choice. + (save-window-excursion + (pop-to-buffer buf) +- (let* ((exit-chars (append '(?y ?n ?! ?\s) (and current-file '(?f)))) +- (prompt (format "Please type y, n%s, or !%s: " ++ (let* ((exit-chars (append '(?y ?n ?! ?d ?\s) (and current-file '(?f)))) ++ (prompt (format "Please type y, n%s, d, or !%s: " + (if current-file ", f" "") + (if (< (line-number-at-pos (point-max)) + (window-body-height)) +@@ -4831,15 +4843,17 @@ org--confirm-resource-safe + ", or C-v/M-v to scroll"))) + char) + (setq char (read-char-choice prompt exit-chars)) +- (when (memq char '(?! ?f)) ++ (when (memq char '(?! ?f ?d)) + (customize-push-and-save + 'org-safe-remote-resources +- (list (concat "\\`" +- (regexp-quote +- (if (and (= char ?f) current-file) +- (concat "file://" current-file) uri)) +- "\\'")))) +- (prog1 (memq char '(?! ?\s ?y ?f)) ++ (list (if (eq char ?d) ++ (concat "\\`" (regexp-quote domain) "\\(?:/\\|\\'\\)") ++ (concat "\\`" ++ (regexp-quote ++ (if (and (= char ?f) current-file) ++ (concat "file://" current-file) uri)) ++ "\\'"))))) ++ (prog1 (memq char '(?y ?n ?! ?d ?\s ?f)) + (quit-window t))))))) + + (defun org-extract-log-state-settings (x) diff -Nru emacs-28.2+1/debian/patches/0038-org-Tweak-styling-of-url-in-resource-prompt.patch emacs-28.2+1/debian/patches/0038-org-Tweak-styling-of-url-in-resource-prompt.patch --- emacs-28.2+1/debian/patches/0038-org-Tweak-styling-of-url-in-resource-prompt.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0038-org-Tweak-styling-of-url-in-resource-prompt.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,35 @@ +From d466ae9051c097fb3cff044159f65ccaad491079 Mon Sep 17 00:00:00 2001 +From: TEC <g...@tecosaur.net> +Date: Tue, 30 Aug 2022 01:45:41 +0800 +Subject: org: Tweak styling of url in resource prompt + +* lisp/org.el (org--confirm-resource-safe): Style domain with a link, +and url with an underline. + +(cherry picked from Org-mode commit 1061db94acf785f4b8f1140649e3857d52693115) +--- + lisp/org/org.el | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index accb57e1167..5e9740ef2d2 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4815,13 +4815,15 @@ org--confirm-resource-safe + (if domain + (concat + (propertize "d" 'face 'success) +- " to download this resource, and mark this domain as safe.\n ") ++ " to download this resource, and mark the domain (" ++ (propertize domain 'face '(:inherit org-link :weight normal)) ++ ") as safe.\n ") + "") + (propertize "f" 'face 'success) + (if current-file + (concat + " to download this resource, and permanantly mark all resources in " +- (propertize current-file 'face 'fixed-pitch-serif) ++ (propertize current-file 'face 'underline) + " as safe.\n ") + "") + (propertize "y" 'face 'warning) diff -Nru emacs-28.2+1/debian/patches/0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch emacs-28.2+1/debian/patches/0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch --- emacs-28.2+1/debian/patches/0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,40 @@ +From 5deff1d7befcff86f87cfb51f9fc9236c6d0cde9 Mon Sep 17 00:00:00 2001 +From: TEC <g...@tecosaur.net> +Date: Sat, 10 Dec 2022 21:38:21 +0800 +Subject: org: Use buffer-base-buffer in safe resource fns + +* lisp/org.el (org--confirm-resource-safe, org--safe-remote-resource-p): +Replace instances of buffer-file-name +with (buffer-file-name (buffer-base-buffer)) so these functions work in +indirect buffers. + +(cherry picked from Org-mode commit 88329143c86b34195af68a8e5d5fd3d00a5dcae6) +--- + lisp/org/org.el | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 5e9740ef2d2..6871580265f 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4782,8 +4782,8 @@ org--safe-remote-resource-p + This checks every pattern in `org-safe-remote-resources', and + returns non-nil if any of them match." + (let ((uri-patterns org-safe-remote-resources) +- (file-uri (and buffer-file-name +- (concat "file://" (file-truename buffer-file-name)))) ++ (file-uri (and (buffer-file-name (buffer-base-buffer)) ++ (concat "file://" (file-truename (buffer-file-name (buffer-base-buffer)))))) + match-p) + (while (and (not match-p) uri-patterns) + (setq match-p (or (string-match-p (car uri-patterns) uri) +@@ -4794,7 +4794,8 @@ org--safe-remote-resource-p + (defun org--confirm-resource-safe (uri) + "Ask the user if URI should be considered safe, returning non-nil if so." + (unless noninteractive +- (let ((current-file (and buffer-file-name (file-truename buffer-file-name))) ++ (let ((current-file (and (buffer-file-name (buffer-base-buffer)) ++ (file-truename (buffer-file-name (buffer-base-buffer))))) + (domain (and (string-match + (rx (seq "http" (? "s") "://") + (optional (+ (not (any "@/\n"))) "@") diff -Nru emacs-28.2+1/debian/patches/0040-org-file-contents-Consider-all-remote-files-unsafe.patch emacs-28.2+1/debian/patches/0040-org-file-contents-Consider-all-remote-files-unsafe.patch --- emacs-28.2+1/debian/patches/0040-org-file-contents-Consider-all-remote-files-unsafe.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0040-org-file-contents-Consider-all-remote-files-unsafe.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,35 @@ +From 2719edd8ce6ba4473b1fbf761669b43c12b99df0 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko <yanta...@posteo.net> +Date: Tue, 20 Feb 2024 14:59:20 +0300 +Subject: org-file-contents: Consider all remote files unsafe + +* lisp/org/org.el (org-file-contents): When loading files, consider all +remote files (like TRAMP-fetched files) unsafe, in addition to URLs. + +(cherry picked from commit 2bc865ace050ff118db43f01457f95f95112b877) +--- + lisp/org/org.el | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 6871580265f..cb5615e5b1f 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4733,12 +4733,16 @@ org-file-contents + If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version + is available. This option applies only if FILE is a URL." + (let* ((is-url (org-url-p file)) ++ (is-remote (condition-case nil ++ (file-remote-p file) ++ ;; In case of error, be safe. ++ (t t))) + (cache (and is-url + (not nocache) + (gethash file org--file-cache)))) + (cond + (cache) +- (is-url ++ ((or is-url is-remote) + (if (org--should-fetch-remote-resource-p file) + (with-current-buffer (url-retrieve-synchronously file) + (goto-char (point-min)) diff -Nru emacs-28.2+1/debian/patches/0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch emacs-28.2+1/debian/patches/0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch --- emacs-28.2+1/debian/patches/0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,29 @@ +From d3a160d4393dbc6d7c0b5e6dc61ff5ef09489f11 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko <yanta...@posteo.net> +Date: Fri, 23 Feb 2024 12:56:58 +0300 +Subject: org--confirm-resource-safe: Fix prompt when prompting in non-file Org + buffers + +* lisp/org/org.el (org--confirm-resource-safe): When called from +non-file buffer, do not put stray "f" in the prompt. + +(cherry picked from commit 7a5d7be52c5f0690ee47f30bfad973827261abf2) +--- + lisp/org/org.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index cb5615e5b1f..7c6d8e1ea18 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4824,9 +4824,9 @@ org--confirm-resource-safe + (propertize domain 'face '(:inherit org-link :weight normal)) + ") as safe.\n ") + "") +- (propertize "f" 'face 'success) + (if current-file + (concat ++ (propertize "f" 'face 'success) + " to download this resource, and permanantly mark all resources in " + (propertize current-file 'face 'underline) + " as safe.\n ") diff -Nru emacs-28.2+1/debian/patches/0042-org-Fix-security-prompt-for-downloading-remote-resou.patch emacs-28.2+1/debian/patches/0042-org-Fix-security-prompt-for-downloading-remote-resou.patch --- emacs-28.2+1/debian/patches/0042-org-Fix-security-prompt-for-downloading-remote-resou.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0042-org-Fix-security-prompt-for-downloading-remote-resou.patch 2024-04-27 10:49:04.000000000 +0100 @@ -0,0 +1,28 @@ +From 1c0b3e5ae5cef71210b094bfd1f8582efe3a7b90 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko <yanta...@posteo.net> +Date: Fri, 2 Feb 2024 20:59:41 +0100 +Subject: org: Fix security prompt for downloading remote resource + +* lisp/org.el (org--confirm-resource-safe): Do not assume that +resource is safe when user replies "n" (do not download). + +Reported-by: Max Nikulin <maniku...@gmail.com> +Link: https://orgmode.org/list/upj6uk$b7o$1...@ciao.gmane.io +(cherry picked from commit e56f0ef51bfdd0e03e817670754bc813fb3702a2) +--- + lisp/org/org.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index 7c6d8e1ea18..3e1d5135f45 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4860,7 +4860,7 @@ org--confirm-resource-safe + (if (and (= char ?f) current-file) + (concat "file://" current-file) uri)) + "\\'"))))) +- (prog1 (memq char '(?y ?n ?! ?d ?\s ?f)) ++ (prog1 (memq char '(?y ?! ?d ?\s ?f)) + (quit-window t))))))) + + (defun org-extract-log-state-settings (x) diff -Nru emacs-28.2+1/debian/patches/series emacs-28.2+1/debian/patches/series --- emacs-28.2+1/debian/patches/series 2023-03-31 19:22:32.000000000 +0100 +++ emacs-28.2+1/debian/patches/series 2024-04-27 10:49:04.000000000 +0100 @@ -26,3 +26,17 @@ 0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch 0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch 0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch +0029-org-macro-set-templates-Prevent-code-evaluation.patch +0030-lisp-files.el-untrusted-content-New-variable.patch +0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch +0032-org-latex-preview-Add-protection-when-untrusted-cont.patch +0033-org-Add-setting-for-remote-file-download-policy.patch +0034-org-Refactor-rx-to-concat-regexp-opt.patch +0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch +0036-org-Fix-resource-prompt-in-non-file-buffers.patch +0037-org-Add-mark-domain-as-safe-convenience-action.patch +0038-org-Tweak-styling-of-url-in-resource-prompt.patch +0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch +0040-org-file-contents-Consider-all-remote-files-unsafe.patch +0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch +0042-org-Fix-security-prompt-for-downloading-remote-resou.patch
signature.asc
Description: PGP signature