Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: org-m...@packages.debian.org Control: affects -1 + src:org-mode Control: block -1 by 1069943
This is security update for CVEs marked no-dsa by the secteam. It backports a series of upstream commits for CVE-2024-30203, CVE-2024-30204 and CVE-2024-30205. I had to backport a feature that the fixes use to pop up a dialog asking the user about the potentially unsafe remote resources. This involves only localised code changes, and is already two years old, so has received an adequate amount of testing upstream. The fix depends on some corresponding changes to Emacs, in #1069943. I manually tested the fixes using reproducers provided in the BTS and from upstream. The fixes are already in unstable. I have uploaded to oldstable-pu. -- Sean Whitton
diff -Nru org-mode-9.4.0+dfsg/debian/changelog
org-mode-9.4.0+dfsg/debian/changelog
--- org-mode-9.4.0+dfsg/debian/changelog 2023-08-03 14:28:47.000000000
+0100
+++ org-mode-9.4.0+dfsg/debian/changelog 2024-04-30 09:08:33.000000000
+0100
@@ -1,3 +1,11 @@
+org-mode (9.4.0+dfsg-1+deb11u2) bullseye; urgency=high
+
+ * Team upload.
+ * Fix CVE-2024-30203, CVE-2024-30204 & CVE-2024-30205 (Closes: #1067663).
+ - Require Emacs 1:27.1+1-3.1+deb11u3 to ensure we get the whole fix.
+
+ -- Sean Whitton <spwhit...@spwhitton.name> Tue, 30 Apr 2024 09:08:33 +0100
+
org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium
* Team upload.
diff -Nru org-mode-9.4.0+dfsg/debian/control org-mode-9.4.0+dfsg/debian/control
--- org-mode-9.4.0+dfsg/debian/control 2023-08-03 14:28:47.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/control 2024-04-30 09:08:33.000000000 +0100
@@ -11,7 +11,8 @@
Package: elpa-org
Architecture: all
-Depends: ${elpa:Depends}, ${misc:Depends}, elpa-htmlize
+Depends: ${elpa:Depends}, ${misc:Depends}, elpa-htmlize,
+ emacs-gtk (>= 1:27.1+1-3.1+deb11u3) | emacs-lucid (>= 1:27.1+1-3.1+deb11u3) |
emacs-nox (>= 1:27.1+1-3.1+deb11u3)
Recommends: emacs (>= 46.0)
Suggests: org-mode-doc, ditaa, texlive-latex-extra, texlive-fonts-recommended,
texinfo
Enhances: emacs,
diff -Nru
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,56 @@
+From: Ihor Radchenko <yanta...@posteo.net>
+Date: Tue, 20 Feb 2024 12:47:24 +0300
+Subject: org-latex-preview: Add protection when `untrusted-content' is
+ non-nil
+
+* lisp/org/org.el (org--latex-preview-when-risky): New variable
+controlling how to handle LaTeX previews in Org files from untrusted
+origin.
+(org-latex-preview): Consult `org--latex-preview-when-risky' before
+generating previews.
+
+This patch adds a layer of protection when LaTeX preview is requested
+for an email attachment, where `untrusted-content' is set to non-nil.
+
+(cherry picked from Emacs commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c)
+---
+ lisp/org.el | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 4964e01..eea46cb 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -1074,6 +1074,24 @@ the following lines anywhere in the buffer:
+ :package-version '(Org . "8.0")
+ :type 'boolean)
+
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++ "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages. It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+ "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15820,6 +15838,7 @@ fragments in the buffer."
+ (interactive "P")
+ (cond
+ ((not (display-graphic-p)) nil)
++ ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+ ;; Clear whole buffer.
+ ((equal arg '(64))
+ (org-clear-latex-preview (point-min) (point-max))
diff -Nru
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,208 @@
+From: TEC <t...@tecosaur.com>
+Date: Sun, 12 Jun 2022 22:37:42 +0800
+Subject: org: Add setting for remote file download policy
+
+* lisp/org/org.el (org-resource-download-policy, org-safe-remote-resources):
+Two new customisations to configure the policy for downloading remote
+resources.
+(org--should-fetch-remote-resource-p, org--safe-remote-resource-p,
+org--confirm-resource-safe): Introduce the new function
+`org--should-fetch-remote-resource-p' for internal use determining
+whether a remote resource should be downloaded according to the download
+policy. This function makes use of two helper functions,
+`org--safe-remote-resource-p' and `org--confirm-resource-safe'.
+(org-file-contents): Apply `org--safe-remote-resource-p' to file
+downloading.
+
+* lisp/org/org-attach.el (org-attach-attach, org-attach-url): Apply
+`org--safe-remote-resource-p' to url downloading.
+
+(cherry picked from commit 0583a0c5eaa955d4370558b980b3772bb91dd057)
+---
+ lisp/org-attach.el | 10 ++++-
+ lisp/org.el | 130 ++++++++++++++++++++++++++++++++++++++++++++++-------
+ 2 files changed, 123 insertions(+), 17 deletions(-)
+
+diff --git a/lisp/org-attach.el b/lisp/org-attach.el
+index e6aa97e..6345af3a 100644
+--- a/lisp/org-attach.el
++++ b/lisp/org-attach.el
+@@ -463,7 +463,9 @@ DIR-property exists (that is different from the unset
one)."
+
+ (defun org-attach-url (url)
+ (interactive "MURL of the file to attach: \n")
+- (let ((org-attach-method 'url))
++ (let ((org-attach-method 'url)
++ (org-safe-remote-resources ; Assume safety if in an interactive
session
++ (if noninteractive org-safe-remote-resources '(""))))
+ (org-attach-attach url)))
+
+ (defun org-attach-buffer (buffer-name)
+@@ -503,7 +505,11 @@ METHOD may be `cp', `mv', `ln', `lns' or `url' default
taken from
+ ((eq method 'cp) (copy-file file attach-file))
+ ((eq method 'ln) (add-name-to-file file attach-file))
+ ((eq method 'lns) (make-symbolic-link file attach-file))
+- ((eq method 'url) (url-copy-file file attach-file)))
++ ((eq method 'url)
++ (if (org--should-fetch-remote-resource-p file)
++ (url-copy-file file attach-file)
++ (error "The remote resources %S is considered unsafe, and will not
be downloaded"
++ file))))
+ (run-hook-with-args 'org-attach-after-change-hook attach-dir)
+ (org-attach-tag)
+ (cond ((eq org-attach-store-link-p 'attached)
+diff --git a/lisp/org.el b/lisp/org.el
+index eea46cb..ca2e166 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -1410,6 +1410,34 @@ For more examples, see the system specific constants
+ (string :tag "Command")
+ (function :tag "Function")))))
+
++(defcustom org-resource-download-policy 'prompt
++ "The policy applied to requests to obtain remote resources.
++
++This affects keywords like #+setupfile and #+incude on export,
++`org-persist-write:url',and `org-attach-url' in non-interactive
++Emacs sessions.
++
++This recognises four possible values:
++- t, remote resources should always be downloaded.
++- prompt, you will be prompted to download resources nt considered safe.
++- safe, only resources considered safe will be downloaded.
++- nil, never download remote resources.
++
++A resource is considered safe if it matches one of the patterns
++in `org-safe-remote-resources'."
++ :group 'org
++ :type '(choice (const :tag "Always download remote resources" t)
++ (const :tag "Prompt before downloading an unsafe resource"
prompt)
++ (const :tag "Only download resources considered safe" safe)
++ (const :tag "Never download any resources" nil)))
++
++(defcustom org-safe-remote-resources nil
++ "A list of regexp patterns matching safe URIs.
++URI regexps are applied to both URLs and Org files requesting
++remote resources."
++ :group 'org
++ :type '(list regexp))
++
+ (defcustom org-open-non-existing-files nil
+ "Non-nil means `org-open-file' opens non-existing files.
+
+@@ -4668,21 +4696,25 @@ is available. This option applies only if FILE is a
URL."
+ (cond
+ (cache)
+ (is-url
+- (with-current-buffer (url-retrieve-synchronously file)
+- (goto-char (point-min))
+- ;; Move point to after the url-retrieve header.
+- (search-forward "\n\n" nil :move)
+- ;; Search for the success code only in the url-retrieve header.
+- (if (save-excursion
+- (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror))
+- ;; Update the cache `org--file-cache' and return contents.
+- (puthash file
+- (buffer-substring-no-properties (point) (point-max))
+- org--file-cache)
+- (funcall (if noerror #'message #'user-error)
+- "Unable to fetch file from %S"
+- file)
+- nil)))
++ (if (org--should-fetch-remote-resource-p file)
++ (with-current-buffer (url-retrieve-synchronously file)
++ (goto-char (point-min))
++ ;; Move point to after the url-retrieve header.
++ (search-forward "\n\n" nil :move)
++ ;; Search for the success code only in the url-retrieve header.
++ (if (save-excursion
++ (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror))
++ ;; Update the cache `org--file-cache' and return contents.
++ (puthash file
++ (buffer-substring-no-properties (point) (point-max))
++ org--file-cache)
++ (funcall (if noerror #'message #'user-error)
++ "Unable to fetch file from %S"
++ file)
++ nil))
++ (funcall (if noerror #'message #'user-error)
++ "The remote resource %S is considered unsafe, and will not
be downloaded"
++ file)))
+ (t
+ (with-temp-buffer
+ (condition-case nil
+@@ -4695,6 +4727,74 @@ is available. This option applies only if FILE is a
URL."
+ file)
+ nil)))))))
+
++(defun org--should-fetch-remote-resource-p (uri)
++ "Return non-nil if the URI should be fetched."
++ (or (eq org-resource-download-policy t)
++ (org--safe-remote-resource-p uri)
++ (and (eq org-resource-download-policy 'prompt)
++ (org--confirm-resource-safe uri))))
++
++(defun org--safe-remote-resource-p (uri)
++ "Return non-nil if URI is considered safe.
++This checks every pattern in `org-safe-remote-resources', and
++returns non-nil if any of them match."
++ (let ((uri-patterns org-safe-remote-resources)
++ (file-uri (and buffer-file-name
++ (concat "file://" (file-truename buffer-file-name))))
++ match-p)
++ (while (and (not match-p) uri-patterns)
++ (setq match-p (or (string-match-p (car uri-patterns) uri)
++ (and file-uri (string-match-p (car uri-patterns)
file-uri)))
++ uri-patterns (cdr uri-patterns)))
++ match-p))
++
++(defun org--confirm-resource-safe (uri)
++ "Ask the user if URI should be considered safe, returning non-nil if so."
++ (unless noninteractive
++ (let ((current-file (and buffer-file-name (file-truename
buffer-file-name)))
++ (buf (get-buffer-create "*Org Remote Resource*")))
++ ;; Set up the contents of the *Org Remote Resource* buffer.
++ (with-current-buffer buf
++ (erase-buffer)
++ (insert "An org-mode document would like to download "
++ (propertize uri 'face '(:inherit org-link :weight normal))
++ ", which is not considered safe.\n\n"
++ "Do you want to download this? You can type\n "
++ (propertize "!" 'face 'success)
++ " to download this resource, and permanantly mark it as
safe.\n "
++ (propertize "f" 'face 'success)
++ " to download this resource, and permanantly mark all
resources in "
++ (propertize current-file 'face 'fixed-pitch-serif)
++ " as safe.\n "
++ (propertize "y" 'face 'warning)
++ " to download this resource, just this once.\n "
++ (propertize "n" 'face 'error)
++ " to skip this resource.\n")
++ (setq-local cursor-type nil)
++ (set-buffer-modified-p nil)
++ (goto-char (point-min)))
++ ;; Display the buffer and read a choice.
++ (save-window-excursion
++ (pop-to-buffer buf)
++ (let* ((exit-chars '(?y ?n ?! ?f ?\s))
++ (prompt (format "Please type y, n, f, or !%s: "
++ (if (< (line-number-at-pos (point-max))
++ (window-body-height))
++ ""
++ ", or C-v/M-v to scroll")))
++ char)
++ (setq char (read-char-choice prompt exit-chars))
++ (when (memq char '(?! ?f))
++ (customize-push-and-save
++ 'org-safe-remote-resources
++ (list (rx string-start
++ (literal
++ (if (and (= char ?f) current-file)
++ (concat "file://" current-file) uri))
++ string-end))))
++ (prog1 (memq char '(?! ?\s ?y ?f))
++ (quit-window t)))))))
++
+ (defun org-extract-log-state-settings (x)
+ "Extract the log state setting from a TODO keyword string.
+ This will extract info from a string like \"WAIT(w@/!)\"."
diff -Nru
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,34 @@
+From: TEC <t...@tecosaur.com>
+Date: Sun, 24 Jul 2022 22:03:20 +0800
+Subject: org: Refactor rx to concat + regexp-opt
+
+* lisp/org.el (org--confirm-resource-safe): Since Emacs 26 doesn't
+support rx's (literal S) construct, use (concat (regexp-opt ...) ...)
+instead.
+
+(cherry picked from commit 6de5431acc8b77548e89c61a6ae0ebc1b57540bb)
+---
+ lisp/org.el | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index ca2e166..91a569f 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4787,11 +4787,11 @@ returns non-nil if any of them match."
+ (when (memq char '(?! ?f))
+ (customize-push-and-save
+ 'org-safe-remote-resources
+- (list (rx string-start
+- (literal
+- (if (and (= char ?f) current-file)
+- (concat "file://" current-file) uri))
+- string-end))))
++ (list (concat "\\`"
++ (regexp-opt
++ (if (and (= char ?f) current-file)
++ (concat "file://" current-file) uri))
++ "\\'"))))
+ (prog1 (memq char '(?! ?\s ?y ?f))
+ (quit-window t)))))))
+
diff -Nru
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,25 @@
+From: TEC <t...@tecosaur.com>
+Date: Tue, 26 Jul 2022 12:22:07 +0800
+Subject: org: Correct regexp escaping to use regexp-quote
+
+* lisp/org.el (org--confirm-resource-safe): `regexp-opt' was
+accidentally used instead of `regexp-quote'.
+
+(cherry picked from commit 6ad53fa22eab5830f85a401960dc1e7d00154a27)
+---
+ lisp/org.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 91a569f..86888c8 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4788,7 +4788,7 @@ returns non-nil if any of them match."
+ (customize-push-and-save
+ 'org-safe-remote-resources
+ (list (concat "\\`"
+- (regexp-opt
++ (regexp-quote
+ (if (and (= char ?f) current-file)
+ (concat "file://" current-file) uri))
+ "\\'"))))
diff -Nru
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,44 @@
+From: TEC <g...@tecosaur.net>
+Date: Wed, 3 Aug 2022 21:38:49 +0800
+Subject: org: Fix resource prompt in non-file buffers
+
+* lisp/org.el (org--confirm-resource-safe): When `buffer-file-name' is
+nil, skip over file-specific behaviour.
+
+(cherry picked from commit 4702a73031c77ba03b480b0848c137d5d8773e07)
+---
+ lisp/org.el | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 86888c8..ca9d723 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4763,9 +4763,12 @@ returns non-nil if any of them match."
+ (propertize "!" 'face 'success)
+ " to download this resource, and permanantly mark it as
safe.\n "
+ (propertize "f" 'face 'success)
+- " to download this resource, and permanantly mark all
resources in "
+- (propertize current-file 'face 'fixed-pitch-serif)
+- " as safe.\n "
++ (if current-file
++ (concat
++ " to download this resource, and permanantly mark all
resources in "
++ (propertize current-file 'face 'fixed-pitch-serif)
++ " as safe.\n ")
++ "")
+ (propertize "y" 'face 'warning)
+ " to download this resource, just this once.\n "
+ (propertize "n" 'face 'error)
+@@ -4776,8 +4779,9 @@ returns non-nil if any of them match."
+ ;; Display the buffer and read a choice.
+ (save-window-excursion
+ (pop-to-buffer buf)
+- (let* ((exit-chars '(?y ?n ?! ?f ?\s))
+- (prompt (format "Please type y, n, f, or !%s: "
++ (let* ((exit-chars (append '(?y ?n ?! ?\s) (and current-file '(?f))))
++ (prompt (format "Please type y, n%s, or !%s: "
++ (if current-file ", f" "")
+ (if (< (line-number-at-pos (point-max))
+ (window-body-height))
+ ""
diff -Nru
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,78 @@
+From: TEC <g...@tecosaur.net>
+Date: Sun, 7 Aug 2022 16:21:21 +0800
+Subject: org: Add "mark domain as safe" convenience action
+
+* lisp/org.el (org--confirm-resource-safe): Pick out domains from URLs,
+and provide an option of marking that domain as safe.
+
+(cherry picked from commit 1ae801e9c86d5b150fd085230722e4dac550df30)
+---
+ lisp/org.el | 32 +++++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index ca9d723..c90c669 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4752,6 +4752,13 @@ returns non-nil if any of them match."
+ "Ask the user if URI should be considered safe, returning non-nil if so."
+ (unless noninteractive
+ (let ((current-file (and buffer-file-name (file-truename
buffer-file-name)))
++ (domain (and (string-match
++ (rx (seq "http" (? "s") "://")
++ (optional (+ (not (any "@/\n"))) "@")
++ (optional "www.")
++ (one-or-more (not (any ":/?\n"))))
++ uri)
++ (match-string 0 uri)))
+ (buf (get-buffer-create "*Org Remote Resource*")))
+ ;; Set up the contents of the *Org Remote Resource* buffer.
+ (with-current-buffer buf
+@@ -4762,6 +4769,11 @@ returns non-nil if any of them match."
+ "Do you want to download this? You can type\n "
+ (propertize "!" 'face 'success)
+ " to download this resource, and permanantly mark it as
safe.\n "
++ (if domain
++ (concat
++ (propertize "d" 'face 'success)
++ " to download this resource, and mark this domain as
safe.\n ")
++ "")
+ (propertize "f" 'face 'success)
+ (if current-file
+ (concat
+@@ -4779,8 +4791,8 @@ returns non-nil if any of them match."
+ ;; Display the buffer and read a choice.
+ (save-window-excursion
+ (pop-to-buffer buf)
+- (let* ((exit-chars (append '(?y ?n ?! ?\s) (and current-file '(?f))))
+- (prompt (format "Please type y, n%s, or !%s: "
++ (let* ((exit-chars (append '(?y ?n ?! ?d ?\s) (and current-file
'(?f))))
++ (prompt (format "Please type y, n%s, d, or !%s: "
+ (if current-file ", f" "")
+ (if (< (line-number-at-pos (point-max))
+ (window-body-height))
+@@ -4788,15 +4800,17 @@ returns non-nil if any of them match."
+ ", or C-v/M-v to scroll")))
+ char)
+ (setq char (read-char-choice prompt exit-chars))
+- (when (memq char '(?! ?f))
++ (when (memq char '(?! ?f ?d))
+ (customize-push-and-save
+ 'org-safe-remote-resources
+- (list (concat "\\`"
+- (regexp-quote
+- (if (and (= char ?f) current-file)
+- (concat "file://" current-file) uri))
+- "\\'"))))
+- (prog1 (memq char '(?! ?\s ?y ?f))
++ (list (if (eq char ?d)
++ (concat "\\`" (regexp-quote domain) "\\(?:/\\|\\'\\)")
++ (concat "\\`"
++ (regexp-quote
++ (if (and (= char ?f) current-file)
++ (concat "file://" current-file) uri))
++ "\\'")))))
++ (prog1 (memq char '(?y ?n ?! ?d ?\s ?f))
+ (quit-window t)))))))
+
+ (defun org-extract-log-state-settings (x)
diff -Nru
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,34 @@
+From: TEC <g...@tecosaur.net>
+Date: Tue, 30 Aug 2022 01:45:41 +0800
+Subject: org: Tweak styling of url in resource prompt
+
+* lisp/org.el (org--confirm-resource-safe): Style domain with a link,
+and url with an underline.
+
+(cherry picked from commit 1061db94acf785f4b8f1140649e3857d52693115)
+---
+ lisp/org.el | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index c90c669..72ed4a9 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4772,13 +4772,15 @@ returns non-nil if any of them match."
+ (if domain
+ (concat
+ (propertize "d" 'face 'success)
+- " to download this resource, and mark this domain as
safe.\n ")
++ " to download this resource, and mark the domain ("
++ (propertize domain 'face '(:inherit org-link :weight
normal))
++ ") as safe.\n ")
+ "")
+ (propertize "f" 'face 'success)
+ (if current-file
+ (concat
+ " to download this resource, and permanantly mark all
resources in "
+- (propertize current-file 'face 'fixed-pitch-serif)
++ (propertize current-file 'face 'underline)
+ " as safe.\n ")
+ "")
+ (propertize "y" 'face 'warning)
diff -Nru
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,39 @@
+From: TEC <g...@tecosaur.net>
+Date: Sat, 10 Dec 2022 21:38:21 +0800
+Subject: org: Use buffer-base-buffer in safe resource fns
+
+* lisp/org.el (org--confirm-resource-safe, org--safe-remote-resource-p):
+Replace instances of buffer-file-name
+with (buffer-file-name (buffer-base-buffer)) so these functions work in
+indirect buffers.
+
+(cherry picked from commit 88329143c86b34195af68a8e5d5fd3d00a5dcae6)
+---
+ lisp/org.el | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 72ed4a9..5a1fe84 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4739,8 +4739,8 @@ is available. This option applies only if FILE is a
URL."
+ This checks every pattern in `org-safe-remote-resources', and
+ returns non-nil if any of them match."
+ (let ((uri-patterns org-safe-remote-resources)
+- (file-uri (and buffer-file-name
+- (concat "file://" (file-truename buffer-file-name))))
++ (file-uri (and (buffer-file-name (buffer-base-buffer))
++ (concat "file://" (file-truename (buffer-file-name
(buffer-base-buffer))))))
+ match-p)
+ (while (and (not match-p) uri-patterns)
+ (setq match-p (or (string-match-p (car uri-patterns) uri)
+@@ -4751,7 +4751,8 @@ returns non-nil if any of them match."
+ (defun org--confirm-resource-safe (uri)
+ "Ask the user if URI should be considered safe, returning non-nil if so."
+ (unless noninteractive
+- (let ((current-file (and buffer-file-name (file-truename
buffer-file-name)))
++ (let ((current-file (and (buffer-file-name (buffer-base-buffer))
++ (file-truename (buffer-file-name
(buffer-base-buffer)))))
+ (domain (and (string-match
+ (rx (seq "http" (? "s") "://")
+ (optional (+ (not (any "@/\n"))) "@")
diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch 1970-01-01
01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch 2024-04-30
09:08:33.000000000 +0100
@@ -0,0 +1,34 @@
+From: Ihor Radchenko <yanta...@posteo.net>
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+
+(cherry picked from Emacs commit 2bc865ace050ff118db43f01457f95f95112b877)
+---
+ lisp/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 5a1fe84..6ee63be 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4690,12 +4690,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available. This option applies only if FILE is a URL."
+ (let* ((is-url (org-file-url-p file))
++ (is-remote (condition-case nil
++ (file-remote-p file)
++ ;; In case of error, be safe.
++ (t t)))
+ (cache (and is-url
+ (not nocache)
+ (gethash file org--file-cache))))
+ (cond
+ (cache)
+- (is-url
++ ((or is-url is-remote)
+ (if (org--should-fetch-remote-resource-p file)
+ (with-current-buffer (url-retrieve-synchronously file)
+ (goto-char (point-min))
diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch 1970-01-01
01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch 2024-04-30
09:08:33.000000000 +0100
@@ -0,0 +1,28 @@
+From: Ihor Radchenko <yanta...@posteo.net>
+Date: Fri, 23 Feb 2024 12:56:58 +0300
+Subject: org--confirm-resource-safe: Fix prompt when prompting in non-file
+ Org buffers
+
+* lisp/org/org.el (org--confirm-resource-safe): When called from
+non-file buffer, do not put stray "f" in the prompt.
+
+(cherry picked from Emacs commit 7a5d7be52c5f0690ee47f30bfad973827261abf2)
+---
+ lisp/org.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 6ee63be..fbcef9a 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4781,9 +4781,9 @@ returns non-nil if any of them match."
+ (propertize domain 'face '(:inherit org-link :weight
normal))
+ ") as safe.\n ")
+ "")
+- (propertize "f" 'face 'success)
+ (if current-file
+ (concat
++ (propertize "f" 'face 'success)
+ " to download this resource, and permanantly mark all
resources in "
+ (propertize current-file 'face 'underline)
+ " as safe.\n ")
diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch 1970-01-01
01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch 2024-04-30
09:08:33.000000000 +0100
@@ -0,0 +1,27 @@
+From: Ihor Radchenko <yanta...@posteo.net>
+Date: Fri, 2 Feb 2024 20:59:41 +0100
+Subject: org: Fix security prompt for downloading remote resource
+
+* lisp/org.el (org--confirm-resource-safe): Do not assume that
+resource is safe when user replies "n" (do not download).
+
+Reported-by: Max Nikulin <maniku...@gmail.com>
+Link: https://orgmode.org/list/upj6uk$b7o$1...@ciao.gmane.io
+(cherry picked from Emacs commit e56f0ef51bfdd0e03e817670754bc813fb3702a2)
+---
+ lisp/org.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index fbcef9a..07ae99f 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4817,7 +4817,7 @@ returns non-nil if any of them match."
+ (if (and (= char ?f) current-file)
+ (concat "file://" current-file) uri))
+ "\\'")))))
+- (prog1 (memq char '(?y ?n ?! ?d ?\s ?f))
++ (prog1 (memq char '(?y ?! ?d ?\s ?f))
+ (quit-window t)))))))
+
+ (defun org-extract-log-state-settings (x)
diff -Nru org-mode-9.4.0+dfsg/debian/patches/series
org-mode-9.4.0+dfsg/debian/patches/series
--- org-mode-9.4.0+dfsg/debian/patches/series 2023-08-03 14:28:47.000000000
+0100
+++ org-mode-9.4.0+dfsg/debian/patches/series 2024-04-30 09:08:33.000000000
+0100
@@ -2,3 +2,14 @@
#20-links-unescaping.patch
30-local-mk.patch
0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
+CVE-2024-30203_CVE-2024-30204_01.patch
+CVE-2024-30203_CVE-2024-30204_02.patch
+CVE-2024-30203_CVE-2024-30204_03.patch
+CVE-2024-30203_CVE-2024-30204_04.patch
+CVE-2024-30203_CVE-2024-30204_05.patch
+CVE-2024-30203_CVE-2024-30204_06.patch
+CVE-2024-30203_CVE-2024-30204_07.patch
+CVE-2024-30203_CVE-2024-30204_08.patch
+CVE-2024-30205_01.patch
+CVE-2024-30205_02.patch
+CVE-2024-30205_03.patch
signature.asc
Description: PGP signature
