Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: org-m...@packages.debian.org
Control: affects -1 + src:org-mode
Control: block -1 by 1069943

This is a security update for CVEs marked no-dsa by the secteam.
It backports a series of upstream commits for CVE-2024-30203, CVE-2024-30204
and CVE-2024-30205.

I had to backport a feature that the fixes use to pop up a dialog asking the
user about the potentially unsafe remote resources.
This involves only localised code changes, and is already two years old, so
has received an adequate amount of testing upstream.

The fix depends on some corresponding changes to Emacs, in #1069943.

I manually tested the fixes using reproducers provided in the BTS and from
upstream.  The fixes are already in unstable.  I have uploaded to oldstable-pu.

-- 
Sean Whitton
diff -Nru org-mode-9.4.0+dfsg/debian/changelog 
org-mode-9.4.0+dfsg/debian/changelog
--- org-mode-9.4.0+dfsg/debian/changelog        2023-08-03 14:28:47.000000000 
+0100
+++ org-mode-9.4.0+dfsg/debian/changelog        2024-04-30 09:08:33.000000000 
+0100
@@ -1,3 +1,11 @@
+org-mode (9.4.0+dfsg-1+deb11u2) bullseye; urgency=high
+
+  * Team upload.
+  * Fix CVE-2024-30203, CVE-2024-30204 & CVE-2024-30205 (Closes: #1067663).
+    - Require Emacs 1:27.1+1-3.1+deb11u3 to ensure we get the whole fix.
+
+ -- Sean Whitton <spwhit...@spwhitton.name>  Tue, 30 Apr 2024 09:08:33 +0100
+
 org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium
 
   * Team upload.
diff -Nru org-mode-9.4.0+dfsg/debian/control org-mode-9.4.0+dfsg/debian/control
--- org-mode-9.4.0+dfsg/debian/control  2023-08-03 14:28:47.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/control  2024-04-30 09:08:33.000000000 +0100
@@ -11,7 +11,8 @@
 
 Package: elpa-org
 Architecture: all
-Depends: ${elpa:Depends}, ${misc:Depends}, elpa-htmlize
+Depends: ${elpa:Depends}, ${misc:Depends}, elpa-htmlize,
+ emacs-gtk (>= 1:27.1+1-3.1+deb11u3) | emacs-lucid (>= 1:27.1+1-3.1+deb11u3) | 
emacs-nox (>= 1:27.1+1-3.1+deb11u3)
 Recommends: emacs (>= 46.0)
 Suggests: org-mode-doc, ditaa, texlive-latex-extra, texlive-fonts-recommended, 
texinfo
 Enhances: emacs,
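Review bot: The versioned alternatives `emacs-gtk (>= 1:27.1+1-3.1+deb11u3) | emacs-lucid (>= ...) | emacs-nox (>= ...)` are the only thing guaranteeing that the `untrusted-content` variable dereferenced by CVE-2024-30203_CVE-2024-30204_01.patch actually exists at runtime (it is declared there with a bare `defvar` and defined on the Emacs side), so this upload must not land before the Emacs update tracked in #1069943, consistent with the `block -1 by 1069943` in the report header. Worth a one-line comment in the patch header of 01 pointing at this dependency, since the control change and the patch are otherwise far apart.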
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch   
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch   
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,56 @@
+From: Ihor Radchenko <yanta...@posteo.net>
+Date: Tue, 20 Feb 2024 12:47:24 +0300
+Subject: org-latex-preview: Add protection when `untrusted-content' is
+ non-nil
+
+* lisp/org/org.el (org--latex-preview-when-risky): New variable
+controlling how to handle LaTeX previews in Org files from untrusted
+origin.
+(org-latex-preview): Consult `org--latex-preview-when-risky' before
+generating previews.
+
+This patch adds a layer of protection when LaTeX preview is requested
+for an email attachment, where `untrusted-content' is set to non-nil.
+
+(cherry picked from Emacs commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c)
+---
+ lisp/org.el | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 4964e01..eea46cb 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -1074,6 +1074,24 @@ the following lines anywhere in the buffer:
+   :package-version '(Org . "8.0")
+   :type 'boolean)
+ 
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages.  It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+   "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15820,6 +15838,7 @@ fragments in the buffer."
+   (interactive "P")
+   (cond
+    ((not (display-graphic-p)) nil)
++   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+    ;; Clear whole buffer.
+    ((equal arg '(64))
+     (org-clear-latex-preview (point-min) (point-max))
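Review bot: The new clause `((and untrusted-content (not org--latex-preview-when-risky)) nil)` declines silently, so a user who runs `org-latex-preview` in an untrusted buffer gets no indication why nothing happened; a `message` in that branch explaining that previews are disabled for untrusted content would avoid bug reports. Also note that `(defvar untrusted-content)` only declares the variable as special and does not bind it, so on an Emacs whose files.el does not yet define `untrusted-content` (bullseye's 27.1 before the #1069943 update) this clause signals void-variable; the versioned Depends in debian/control is therefore load-bearing, not cosmetic.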
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch   
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch   
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,208 @@
+From: TEC <t...@tecosaur.com>
+Date: Sun, 12 Jun 2022 22:37:42 +0800
+Subject: org: Add setting for remote file download policy
+
+* lisp/org/org.el (org-resource-download-policy, org-safe-remote-resources):
+Two new customisations to configure the policy for downloading remote
+resources.
+(org--should-fetch-remote-resource-p, org--safe-remote-resource-p,
+org--confirm-resource-safe): Introduce the new function
+`org--should-fetch-remote-resource-p' for internal use determining
+whether a remote resource should be downloaded according to the download
+policy.  This function makes use of two helper functions,
+`org--safe-remote-resource-p' and `org--confirm-resource-safe'.
+(org-file-contents): Apply `org--safe-remote-resource-p' to file
+downloading.
+
+* lisp/org/org-attach.el (org-attach-attach, org-attach-url): Apply
+`org--safe-remote-resource-p' to url downloading.
+
+(cherry picked from commit 0583a0c5eaa955d4370558b980b3772bb91dd057)
+---
+ lisp/org-attach.el |  10 ++++-
+ lisp/org.el        | 130 ++++++++++++++++++++++++++++++++++++++++++++++-------
+ 2 files changed, 123 insertions(+), 17 deletions(-)
+
+diff --git a/lisp/org-attach.el b/lisp/org-attach.el
+index e6aa97e..6345af3a 100644
+--- a/lisp/org-attach.el
++++ b/lisp/org-attach.el
+@@ -463,7 +463,9 @@ DIR-property exists (that is different from the unset 
one)."
+ 
+ (defun org-attach-url (url)
+   (interactive "MURL of the file to attach: \n")
+-  (let ((org-attach-method 'url))
++  (let ((org-attach-method 'url)
++        (org-safe-remote-resources ; Assume safety if in an interactive 
session
++         (if noninteractive org-safe-remote-resources '(""))))
+     (org-attach-attach url)))
+ 
+ (defun org-attach-buffer (buffer-name)
+@@ -503,7 +505,11 @@ METHOD may be `cp', `mv', `ln', `lns' or `url' default 
taken from
+        ((eq method 'cp) (copy-file file attach-file))
+        ((eq method 'ln) (add-name-to-file file attach-file))
+        ((eq method 'lns) (make-symbolic-link file attach-file))
+-       ((eq method 'url) (url-copy-file file attach-file)))
++       ((eq method 'url)
++        (if (org--should-fetch-remote-resource-p file)
++            (url-copy-file file attach-file)
++          (error "The remote resources %S is considered unsafe, and will not 
be downloaded"
++                 file))))
+       (run-hook-with-args 'org-attach-after-change-hook attach-dir)
+       (org-attach-tag)
+       (cond ((eq org-attach-store-link-p 'attached)
+diff --git a/lisp/org.el b/lisp/org.el
+index eea46cb..ca2e166 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -1410,6 +1410,34 @@ For more examples, see the system specific constants
+                       (string :tag "Command")
+                       (function :tag "Function")))))
+ 
++(defcustom org-resource-download-policy 'prompt
++  "The policy applied to requests to obtain remote resources.
++
++This affects keywords like #+setupfile and #+incude on export,
++`org-persist-write:url',and `org-attach-url' in non-interactive
++Emacs sessions.
++
++This recognises four possible values:
++- t, remote resources should always be downloaded.
++- prompt, you will be prompted to download resources nt considered safe.
++- safe, only resources considered safe will be downloaded.
++- nil, never download remote resources.
++
++A resource is considered safe if it matches one of the patterns
++in `org-safe-remote-resources'."
++  :group 'org
++  :type '(choice (const :tag "Always download remote resources" t)
++                 (const :tag "Prompt before downloading an unsafe resource" 
prompt)
++                 (const :tag "Only download resources considered safe" safe)
++                 (const :tag "Never download any resources" nil)))
++
++(defcustom org-safe-remote-resources nil
++  "A list of regexp patterns matching safe URIs.
++URI regexps are applied to both URLs and Org files requesting
++remote resources."
++  :group 'org
++  :type '(list regexp))
++
+ (defcustom org-open-non-existing-files nil
+   "Non-nil means `org-open-file' opens non-existing files.
+ 
+@@ -4668,21 +4696,25 @@ is available.  This option applies only if FILE is a 
URL."
+     (cond
+      (cache)
+      (is-url
+-      (with-current-buffer (url-retrieve-synchronously file)
+-      (goto-char (point-min))
+-      ;; Move point to after the url-retrieve header.
+-      (search-forward "\n\n" nil :move)
+-      ;; Search for the success code only in the url-retrieve header.
+-      (if (save-excursion
+-            (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror))
+-          ;; Update the cache `org--file-cache' and return contents.
+-          (puthash file
+-                   (buffer-substring-no-properties (point) (point-max))
+-                   org--file-cache)
+-        (funcall (if noerror #'message #'user-error)
+-                 "Unable to fetch file from %S"
+-                 file)
+-        nil)))
++      (if (org--should-fetch-remote-resource-p file)
++          (with-current-buffer (url-retrieve-synchronously file)
++            (goto-char (point-min))
++            ;; Move point to after the url-retrieve header.
++            (search-forward "\n\n" nil :move)
++            ;; Search for the success code only in the url-retrieve header.
++            (if (save-excursion
++                  (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror))
++                ;; Update the cache `org--file-cache' and return contents.
++                (puthash file
++                         (buffer-substring-no-properties (point) (point-max))
++                         org--file-cache)
++              (funcall (if noerror #'message #'user-error)
++                       "Unable to fetch file from %S"
++                       file)
++              nil))
++        (funcall (if noerror #'message #'user-error)
++                 "The remote resource %S is considered unsafe, and will not 
be downloaded"
++                 file)))
+      (t
+       (with-temp-buffer
+         (condition-case nil
+@@ -4695,6 +4727,74 @@ is available.  This option applies only if FILE is a 
URL."
+                   file)
+          nil)))))))
+ 
++(defun org--should-fetch-remote-resource-p (uri)
++  "Return non-nil if the URI should be fetched."
++  (or (eq org-resource-download-policy t)
++      (org--safe-remote-resource-p uri)
++      (and (eq org-resource-download-policy 'prompt)
++           (org--confirm-resource-safe uri))))
++
++(defun org--safe-remote-resource-p (uri)
++  "Return non-nil if URI is considered safe.
++This checks every pattern in `org-safe-remote-resources', and
++returns non-nil if any of them match."
++  (let ((uri-patterns org-safe-remote-resources)
++        (file-uri (and buffer-file-name
++                       (concat "file://" (file-truename buffer-file-name))))
++        match-p)
++    (while (and (not match-p) uri-patterns)
++      (setq match-p (or (string-match-p (car uri-patterns) uri)
++                        (and file-uri (string-match-p (car uri-patterns) 
file-uri)))
++            uri-patterns (cdr uri-patterns)))
++    match-p))
++
++(defun org--confirm-resource-safe (uri)
++  "Ask the user if URI should be considered safe, returning non-nil if so."
++  (unless noninteractive
++    (let ((current-file (and buffer-file-name (file-truename 
buffer-file-name)))
++          (buf (get-buffer-create "*Org Remote Resource*")))
++      ;; Set up the contents of the *Org Remote Resource* buffer.
++      (with-current-buffer buf
++        (erase-buffer)
++        (insert "An org-mode document would like to download "
++                (propertize uri 'face '(:inherit org-link :weight normal))
++                ", which is not considered safe.\n\n"
++                "Do you want to download this?  You can type\n "
++                (propertize "!" 'face 'success)
++                " to download this resource, and permanantly mark it as 
safe.\n "
++                (propertize "f" 'face 'success)
++                " to download this resource, and permanantly mark all 
resources in "
++                (propertize current-file 'face 'fixed-pitch-serif)
++                " as safe.\n "
++                (propertize "y" 'face 'warning)
++                " to download this resource, just this once.\n "
++                (propertize "n" 'face 'error)
++                " to skip this resource.\n")
++        (setq-local cursor-type nil)
++        (set-buffer-modified-p nil)
++        (goto-char (point-min)))
++      ;; Display the buffer and read a choice.
++      (save-window-excursion
++        (pop-to-buffer buf)
++        (let* ((exit-chars '(?y ?n ?! ?f ?\s))
++               (prompt (format "Please type y, n, f, or !%s: "
++                               (if (< (line-number-at-pos (point-max))
++                                      (window-body-height))
++                                   ""
++                                 ", or C-v/M-v to scroll")))
++               char)
++          (setq char (read-char-choice prompt exit-chars))
++          (when (memq char '(?! ?f))
++            (customize-push-and-save
++             'org-safe-remote-resources
++             (list (rx string-start
++                       (literal
++                        (if (and (= char ?f) current-file)
++                            (concat "file://" current-file) uri))
++                       string-end))))
++          (prog1 (memq char '(?! ?\s ?y ?f))
++            (quit-window t)))))))
++
+ (defun org-extract-log-state-settings (x)
+   "Extract the log state setting from a TODO keyword string.
+ This will extract info from a string like \"WAIT(w@/!)\"."
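Review bot: In the `org-file-contents` hunk, the new outer else branch `(funcall (if noerror #'message #'user-error) "The remote resource %S is considered unsafe, and will not be downloaded" file)` lacks the trailing `nil` that the inner fetch-failure branch keeps, so with NOERROR non-nil the function returns the formatted warning string as if it were the file's contents; add `nil` after the `funcall` so callers that pass `:noerror` see an empty result. Two smaller logic points: `org--should-fetch-remote-resource-p` returns non-nil for any URI matching `org-safe-remote-resources` even when `org-resource-download-policy` is nil, although the docstring promises "never download remote resources" for that value, so either the docstring or the `or` ordering should change; and `org-attach-url` binds `org-safe-remote-resources` to `'("")` in interactive sessions, an empty regexp that matches every URI and every file, so the download policy applies to attach only in non-interactive Emacs, which the inline comment should state plainly rather than as "Assume safety". Docstring typos to carry forward upstream: "#+incude", "nt considered safe", "permanantly" (twice), the missing space in "`org-persist-write:url',and", and "The remote resources %S is" in the attach error message.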
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch   
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch   
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,34 @@
+From: TEC <t...@tecosaur.com>
+Date: Sun, 24 Jul 2022 22:03:20 +0800
+Subject: org: Refactor rx to concat + regexp-opt
+
+* lisp/org.el (org--confirm-resource-safe): Since Emacs 26 doesn't
+support rx's (literal S) construct, use (concat (regexp-opt ...) ...)
+instead.
+
+(cherry picked from commit 6de5431acc8b77548e89c61a6ae0ebc1b57540bb)
+---
+ lisp/org.el | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index ca2e166..91a569f 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4787,11 +4787,11 @@ returns non-nil if any of them match."
+           (when (memq char '(?! ?f))
+             (customize-push-and-save
+              'org-safe-remote-resources
+-             (list (rx string-start
+-                       (literal
+-                        (if (and (= char ?f) current-file)
+-                            (concat "file://" current-file) uri))
+-                       string-end))))
++             (list (concat "\\`"
++                           (regexp-opt
++                            (if (and (= char ?f) current-file)
++                                (concat "file://" current-file) uri))
++                           "\\'"))))
+           (prog1 (memq char '(?! ?\s ?y ?f))
+             (quit-window t)))))))
+ 
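Review bot: `regexp-opt` is documented to take a list of strings, but here it receives the bare URI or `file://` string, so saving a pattern with `!` or `f` signals a wrong-type error instead of recording it; the next patch in the series (CVE-2024-30203_CVE-2024-30204_04.patch) replaces it with `regexp-quote`. Since both are applied together for this upload the broken intermediate state is never built, but a short note in this patch header saying that 04 supersedes it would spare future readers of debian/patches/series from re-deriving that.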
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch   
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch   
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,25 @@
+From: TEC <t...@tecosaur.com>
+Date: Tue, 26 Jul 2022 12:22:07 +0800
+Subject: org: Correct regexp escaping to use regexp-quote
+
+* lisp/org.el (org--confirm-resource-safe): `regexp-opt' was
+accidentally used instead of `regexp-quote'.
+
+(cherry picked from commit 6ad53fa22eab5830f85a401960dc1e7d00154a27)
+---
+ lisp/org.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 91a569f..86888c8 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4788,7 +4788,7 @@ returns non-nil if any of them match."
+             (customize-push-and-save
+              'org-safe-remote-resources
+              (list (concat "\\`"
+-                           (regexp-opt
++                           (regexp-quote
+                             (if (and (= char ?f) current-file)
+                                 (concat "file://" current-file) uri))
+                            "\\'"))))
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch   
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch   
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,44 @@
+From: TEC <g...@tecosaur.net>
+Date: Wed, 3 Aug 2022 21:38:49 +0800
+Subject: org: Fix resource prompt in non-file buffers
+
+* lisp/org.el (org--confirm-resource-safe): When `buffer-file-name' is
+nil, skip over file-specific behaviour.
+
+(cherry picked from commit 4702a73031c77ba03b480b0848c137d5d8773e07)
+---
+ lisp/org.el | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 86888c8..ca9d723 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4763,9 +4763,12 @@ returns non-nil if any of them match."
+                 (propertize "!" 'face 'success)
+                 " to download this resource, and permanantly mark it as 
safe.\n "
+                 (propertize "f" 'face 'success)
+-                " to download this resource, and permanantly mark all 
resources in "
+-                (propertize current-file 'face 'fixed-pitch-serif)
+-                " as safe.\n "
++                (if current-file
++                    (concat
++                     " to download this resource, and permanantly mark all 
resources in "
++                     (propertize current-file 'face 'fixed-pitch-serif)
++                     " as safe.\n ")
++                  "")
+                 (propertize "y" 'face 'warning)
+                 " to download this resource, just this once.\n "
+                 (propertize "n" 'face 'error)
+@@ -4776,8 +4779,9 @@ returns non-nil if any of them match."
+       ;; Display the buffer and read a choice.
+       (save-window-excursion
+         (pop-to-buffer buf)
+-        (let* ((exit-chars '(?y ?n ?! ?f ?\s))
+-               (prompt (format "Please type y, n, f, or !%s: "
++        (let* ((exit-chars (append '(?y ?n ?! ?\s) (and current-file '(?f))))
++               (prompt (format "Please type y, n%s, or !%s: "
++                               (if current-file ", f" "")
+                                (if (< (line-number-at-pos (point-max))
+                                       (window-body-height))
+                                    ""
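Review bot: The `(propertize "f" 'face 'success)` on the line just above the new `(if current-file ...)` is still emitted unconditionally, so in a non-file buffer the prompt text shows a stray highlighted "f" with no explanation, even though `exit-chars` no longer accepts it there; it belongs inside the `concat`. CVE-2024-30205_02.patch later in this series makes exactly that move, so the two could be squashed for the stable upload if keeping upstream commit granularity is not a goal.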
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch   
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch   
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,78 @@
+From: TEC <g...@tecosaur.net>
+Date: Sun, 7 Aug 2022 16:21:21 +0800
+Subject: org: Add "mark domain as safe" convenience action
+
+* lisp/org.el (org--confirm-resource-safe): Pick out domains from URLs,
+and provide an option of marking that domain as safe.
+
+(cherry picked from commit 1ae801e9c86d5b150fd085230722e4dac550df30)
+---
+ lisp/org.el | 32 +++++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index ca9d723..c90c669 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4752,6 +4752,13 @@ returns non-nil if any of them match."
+   "Ask the user if URI should be considered safe, returning non-nil if so."
+   (unless noninteractive
+     (let ((current-file (and buffer-file-name (file-truename 
buffer-file-name)))
++          (domain (and (string-match
++                        (rx (seq "http" (? "s") "://")
++                            (optional (+ (not (any "@/\n"))) "@")
++                            (optional "www.")
++                            (one-or-more (not (any ":/?\n"))))
++                        uri)
++                       (match-string 0 uri)))
+           (buf (get-buffer-create "*Org Remote Resource*")))
+       ;; Set up the contents of the *Org Remote Resource* buffer.
+       (with-current-buffer buf
+@@ -4762,6 +4769,11 @@ returns non-nil if any of them match."
+                 "Do you want to download this?  You can type\n "
+                 (propertize "!" 'face 'success)
+                 " to download this resource, and permanantly mark it as 
safe.\n "
++                (if domain
++                    (concat
++                     (propertize "d" 'face 'success)
++                     " to download this resource, and mark this domain as 
safe.\n ")
++                  "")
+                 (propertize "f" 'face 'success)
+                 (if current-file
+                     (concat
+@@ -4779,8 +4791,8 @@ returns non-nil if any of them match."
+       ;; Display the buffer and read a choice.
+       (save-window-excursion
+         (pop-to-buffer buf)
+-        (let* ((exit-chars (append '(?y ?n ?! ?\s) (and current-file '(?f))))
+-               (prompt (format "Please type y, n%s, or !%s: "
++        (let* ((exit-chars (append '(?y ?n ?! ?d ?\s) (and current-file 
'(?f))))
++               (prompt (format "Please type y, n%s, d, or !%s: "
+                                (if current-file ", f" "")
+                                (if (< (line-number-at-pos (point-max))
+                                       (window-body-height))
+@@ -4788,15 +4800,17 @@ returns non-nil if any of them match."
+                                  ", or C-v/M-v to scroll")))
+                char)
+           (setq char (read-char-choice prompt exit-chars))
+-          (when (memq char '(?! ?f))
++          (when (memq char '(?! ?f ?d))
+             (customize-push-and-save
+              'org-safe-remote-resources
+-             (list (concat "\\`"
+-                           (regexp-quote
+-                            (if (and (= char ?f) current-file)
+-                                (concat "file://" current-file) uri))
+-                           "\\'"))))
+-          (prog1 (memq char '(?! ?\s ?y ?f))
++             (list (if (eq char ?d)
++                       (concat "\\`" (regexp-quote domain) "\\(?:/\\|\\'\\)")
++                     (concat "\\`"
++                             (regexp-quote
++                              (if (and (= char ?f) current-file)
++                                  (concat "file://" current-file) uri))
++                             "\\'")))))
++          (prog1 (memq char '(?y ?n ?! ?d ?\s ?f))
+             (quit-window t)))))))
+ 
+ (defun org-extract-log-state-settings (x)
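Review bot: Two problems in the choice handling. `(prog1 (memq char '(?y ?n ?! ?d ?\s ?f)) ...)` now includes `?n`, so answering "n" (skip this resource) returns non-nil and the resource is downloaded anyway; the list should be the previous one plus `?d` only. The series corrects this in CVE-2024-30205_03.patch, but any build that stops at this patch has a prompt that fails open. Second, `?d` is added to `exit-chars` and to the prompt text unconditionally, while `domain` is nil for any URI that does not start with `http://` or `https://`; choosing "d" then reaches `(regexp-quote domain)` with nil and signals wrong-type-argument. Guard it the way `?f` is guarded by `current-file`, i.e. `(and domain '(?d))`, and drop the ", d" from the prompt when it is nil. On the saved pattern itself: anchoring with `\\(?:/\\|\\'\\)` means a domain marked safe as `https://example.org` does not match `https://example.org.evil.test`, which is the right behaviour; be aware that the domain regexp stops at ":", so a URL with an explicit port (`https://host:8443/x`) produces a domain without the port and will not match its own saved pattern, prompting again next time.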
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch   
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch   
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,34 @@
+From: TEC <g...@tecosaur.net>
+Date: Tue, 30 Aug 2022 01:45:41 +0800
+Subject: org: Tweak styling of url in resource prompt
+
+* lisp/org.el (org--confirm-resource-safe): Style domain with a link,
+and url with an underline.
+
+(cherry picked from commit 1061db94acf785f4b8f1140649e3857d52693115)
+---
+ lisp/org.el | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index c90c669..72ed4a9 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4772,13 +4772,15 @@ returns non-nil if any of them match."
+                 (if domain
+                     (concat
+                      (propertize "d" 'face 'success)
+-                     " to download this resource, and mark this domain as 
safe.\n ")
++                     " to download this resource, and mark the domain ("
++                     (propertize domain 'face '(:inherit org-link :weight 
normal))
++                     ") as safe.\n ")
+                   "")
+                 (propertize "f" 'face 'success)
+                 (if current-file
+                     (concat
+                      " to download this resource, and permanantly mark all 
resources in "
+-                     (propertize current-file 'face 'fixed-pitch-serif)
++                     (propertize current-file 'face 'underline)
+                      " as safe.\n ")
+                   "")
+                 (propertize "y" 'face 'warning)
diff -Nru 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch   
1970-01-01 01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch   
2024-04-30 09:08:33.000000000 +0100
@@ -0,0 +1,39 @@
+From: TEC <g...@tecosaur.net>
+Date: Sat, 10 Dec 2022 21:38:21 +0800
+Subject: org: Use buffer-base-buffer in safe resource fns
+
+* lisp/org.el (org--confirm-resource-safe, org--safe-remote-resource-p):
+Replace instances of buffer-file-name
+with (buffer-file-name (buffer-base-buffer)) so these functions work in
+indirect buffers.
+
+(cherry picked from commit 88329143c86b34195af68a8e5d5fd3d00a5dcae6)
+---
+ lisp/org.el | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 72ed4a9..5a1fe84 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4739,8 +4739,8 @@ is available.  This option applies only if FILE is a 
URL."
+ This checks every pattern in `org-safe-remote-resources', and
+ returns non-nil if any of them match."
+   (let ((uri-patterns org-safe-remote-resources)
+-        (file-uri (and buffer-file-name
+-                       (concat "file://" (file-truename buffer-file-name))))
++        (file-uri (and (buffer-file-name (buffer-base-buffer))
++                       (concat "file://" (file-truename (buffer-file-name 
(buffer-base-buffer))))))
+         match-p)
+     (while (and (not match-p) uri-patterns)
+       (setq match-p (or (string-match-p (car uri-patterns) uri)
+@@ -4751,7 +4751,8 @@ returns non-nil if any of them match."
+ (defun org--confirm-resource-safe (uri)
+   "Ask the user if URI should be considered safe, returning non-nil if so."
+   (unless noninteractive
+-    (let ((current-file (and buffer-file-name (file-truename 
buffer-file-name)))
++    (let ((current-file (and (buffer-file-name (buffer-base-buffer))
++                             (file-truename (buffer-file-name 
(buffer-base-buffer)))))
+           (domain (and (string-match
+                         (rx (seq "http" (? "s") "://")
+                             (optional (+ (not (any "@/\n"))) "@")
diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch  1970-01-01 
01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch  2024-04-30 
09:08:33.000000000 +0100
@@ -0,0 +1,34 @@
+From: Ihor Radchenko <yanta...@posteo.net>
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+
+(cherry picked from Emacs commit 2bc865ace050ff118db43f01457f95f95112b877)
+---
+ lisp/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 5a1fe84..6ee63be 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4690,12 +4690,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
++         (is-remote (condition-case nil
++                        (file-remote-p file)
++                      ;; In case of error, be safe.
++                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
++     ((or is-url is-remote)
+       (if (org--should-fetch-remote-resource-p file)
+           (with-current-buffer (url-retrieve-synchronously file)
+             (goto-char (point-min))
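Review bot: With `is-remote` folded into `((or is-url is-remote) ...)`, a TRAMP-style remote file name that passes `org--should-fetch-remote-resource-p` (policy t, or a matching entry in `org-safe-remote-resources`) is now handed to `url-retrieve-synchronously`, which expects a URL rather than a remote file name, instead of the plain-file branch (`(t (with-temp-buffer ...))`) it went through before; please confirm that such approved remote files are expected to fail with "Unable to fetch file" rather than still load, and if not, route `is-remote` through the file branch after the safety check. The `(condition-case nil (file-remote-p file) (t t))` fallback that treats an error as "remote" is the right fail-closed default. `cache` stays keyed on `is-url` only, so remote files are never cached; harmless, but worth a comment.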
diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch  1970-01-01 
01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch  2024-04-30 
09:08:33.000000000 +0100
@@ -0,0 +1,28 @@
+From: Ihor Radchenko <yanta...@posteo.net>
+Date: Fri, 23 Feb 2024 12:56:58 +0300
+Subject: org--confirm-resource-safe: Fix prompt when prompting in non-file
+ Org buffers
+
+* lisp/org/org.el (org--confirm-resource-safe): When called from
+non-file buffer, do not put stray "f" in the prompt.
+
+(cherry picked from Emacs commit 7a5d7be52c5f0690ee47f30bfad973827261abf2)
+---
+ lisp/org.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index 6ee63be..fbcef9a 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4781,9 +4781,9 @@ returns non-nil if any of them match."
+                      (propertize domain 'face '(:inherit org-link :weight 
normal))
+                      ") as safe.\n ")
+                   "")
+-                (propertize "f" 'face 'success)
+                 (if current-file
+                     (concat
++                     (propertize "f" 'face 'success)
+                      " to download this resource, and permanantly mark all 
resources in "
+                      (propertize current-file 'face 'underline)
+                      " as safe.\n ")
diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch 
org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch
--- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch  1970-01-01 
01:00:00.000000000 +0100
+++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch  2024-04-30 
09:08:33.000000000 +0100
@@ -0,0 +1,27 @@
+From: Ihor Radchenko <yanta...@posteo.net>
+Date: Fri, 2 Feb 2024 20:59:41 +0100
+Subject: org: Fix security prompt for downloading remote resource
+
+* lisp/org.el (org--confirm-resource-safe): Do not assume that
+resource is safe when user replies "n" (do not download).
+
+Reported-by: Max Nikulin <maniku...@gmail.com>
+Link: https://orgmode.org/list/upj6uk$b7o$1...@ciao.gmane.io
+(cherry picked from Emacs commit e56f0ef51bfdd0e03e817670754bc813fb3702a2)
+---
+ lisp/org.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org.el b/lisp/org.el
+index fbcef9a..07ae99f 100644
+--- a/lisp/org.el
++++ b/lisp/org.el
+@@ -4817,7 +4817,7 @@ returns non-nil if any of them match."
+                               (if (and (= char ?f) current-file)
+                                   (concat "file://" current-file) uri))
+                              "\\'")))))
+-          (prog1 (memq char '(?y ?n ?! ?d ?\s ?f))
++          (prog1 (memq char '(?y ?! ?d ?\s ?f))
+             (quit-window t)))))))
+ 
+ (defun org-extract-log-state-settings (x)
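Review bot: Removing `?n` from `(memq char '(?y ?! ?d ?\s ?f))` restores what the prompt text promises: "n" now returns nil and the download is skipped. For the stable series, this line undoes a regression introduced by CVE-2024-30203_CVE-2024-30204_06.patch earlier in the same series, so none of the intermediate patches should be dropped or reordered without re-checking this exact list. `?\s` (space) still counts as a "yes" although the prompt never lists it; either mention it in the prompt or remove it from both `exit-chars` and this list.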
diff -Nru org-mode-9.4.0+dfsg/debian/patches/series 
org-mode-9.4.0+dfsg/debian/patches/series
--- org-mode-9.4.0+dfsg/debian/patches/series   2023-08-03 14:28:47.000000000 
+0100
+++ org-mode-9.4.0+dfsg/debian/patches/series   2024-04-30 09:08:33.000000000 
+0100
@@ -2,3 +2,14 @@
 #20-links-unescaping.patch
 30-local-mk.patch
 0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch
+CVE-2024-30203_CVE-2024-30204_01.patch
+CVE-2024-30203_CVE-2024-30204_02.patch
+CVE-2024-30203_CVE-2024-30204_03.patch
+CVE-2024-30203_CVE-2024-30204_04.patch
+CVE-2024-30203_CVE-2024-30204_05.patch
+CVE-2024-30203_CVE-2024-30204_06.patch
+CVE-2024-30203_CVE-2024-30204_07.patch
+CVE-2024-30203_CVE-2024-30204_08.patch
+CVE-2024-30205_01.patch
+CVE-2024-30205_02.patch
+CVE-2024-30205_03.patch
