26.3, 27.2, 28.2: Backport security fixes from 29.3emacs-28.2-patches-6emacs-27.2-patches-8emacs-26.3-patches-7

Signed-off-by: Ulrich Müller <ulm@gentoo.org>

6 files changed, 293 insertions, 0 deletions

diff --git a/emacs/26.3/08_all_org-remote-unsafe.patch b/emacs/26.3/08_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..9124db5
--- /dev/null
+++ b/emacs/26.3/08_all_org-remote-unsafe.patch
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 14:59:20 2024 +0300
+
+    org-file-contents: Consider all remote files unsafe
+    
+--- emacs-26.3/lisp/org/org.el
++++ emacs-26.3/lisp/org/org.el
+@@ -5297,12 +5297,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
++         (is-remote (condition-case nil
++                        (file-remote-p file)
++                      ;; In case of error, be safe.
++                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
++     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.
diff --git a/emacs/27.2/09_all_untrusted-content.patch b/emacs/27.2/09_all_untrusted-content.patch
new file mode 100644
index 0000000..0ff1d36
--- /dev/null
+++ b/emacs/27.2/09_all_untrusted-content.patch
@@ -0,0 +1,84 @@
+New variable untrusted-content
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit ccc188fcf98ad9166ee551fac9d94b2603c3a51b
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:43:51 2024 +0300
+
+    * lisp/files.el (untrusted-content): New variable.
+    
+commit 937b9042ad7426acdcca33e3d931d8f495bdd804
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:44:30 2024 +0300
+
+    * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.
+
+commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:47:24 2024 +0300
+
+    org-latex-preview: Add protection when `untrusted-content' is non-nil
+    
+--- emacs-27.2/lisp/files.el
++++ emacs-27.2/lisp/files.el
+@@ -588,6 +588,14 @@
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+ 
++(defvar-local untrusted-content nil
++  "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (set (make-local-variable 'enable-local-variables) nil)
+--- emacs-27.2/lisp/gnus/mm-view.el
++++ emacs-27.2/lisp/gnus/mm-view.el
+@@ -466,6 +466,7 @@ mm-display-inline-fontify
+ 	  (setq coding-system (mm-find-buffer-file-coding-system)))
+ 	(setq text (buffer-string))))
+     (with-temp-buffer
++      (setq untrusted-content t)
+       (buffer-disable-undo)
+       (mm-enable-multibyte)
+       (insert (cond ((eq charset 'gnus-decoded)
+--- emacs-27.2/lisp/org/org.el
++++ emacs-27.2/lisp/org/org.el
+@@ -1077,6 +1077,24 @@
+   :package-version '(Org . "8.0")
+   :type 'boolean)
+ 
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages.  It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+   "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15827,6 +15845,7 @@ org-latex-preview
+   (interactive "P")
+   (cond
+    ((not (display-graphic-p)) nil)
++   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+    ;; Clear whole buffer.
+    ((equal arg '(64))
+     (org-clear-latex-preview (point-min) (point-max))
diff --git a/emacs/27.2/10_all_org-remote-unsafe.patch b/emacs/27.2/10_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..65f6a34
--- /dev/null
+++ b/emacs/27.2/10_all_org-remote-unsafe.patch
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 14:59:20 2024 +0300
+
+    org-file-contents: Consider all remote files unsafe
+    
+--- emacs-27.2/lisp/org/org.el
++++ emacs-27.2/lisp/org/org.el
+@@ -4665,12 +4665,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
++         (is-remote (condition-case nil
++                        (file-remote-p file)
++                      ;; In case of error, be safe.
++                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
++     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.
diff --git a/emacs/28.2/10_all_org-macro-eval.patch b/emacs/28.2/10_all_org-macro-eval.patch
new file mode 100644
index 0000000..d3c8bb7
--- /dev/null
+++ b/emacs/28.2/10_all_org-macro-eval.patch
@@ -0,0 +1,35 @@
+Prevent code evaluation in org-macro--set-templates
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit befa9fcaae29a6c9a283ba371c3c5234c7f644eb
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:19:46 2024 +0300
+
+    org-macro--set-templates: Prevent code evaluation
+    
+--- emacs-28.2/lisp/org/org-macro.el
++++ emacs-28.2/lisp/org/org-macro.el
+@@ -103,6 +103,13 @@ org-macro--set-templates
+   (let ((new-templates nil))
+     (pcase-dolist (`(,name . ,value) templates)
+       (let ((old-definition (assoc name new-templates)))
++        ;; This code can be evaluated unconditionally, as a part of
++        ;; loading Org mode.  We *must not* evaluate any code present
++        ;; inside the Org buffer while loading.  Org buffers may come
++        ;; from various sources, like received email messages from
++        ;; potentially malicious senders.  Org mode might be used to
++        ;; preview such messages and no code evaluation from inside the
++        ;; received Org text should ever happen without user consent.
+         (when (and (stringp value) (string-match-p "\\`(eval\\>" value))
+           ;; Pre-process the evaluation form for faster macro expansion.
+           (let* ((args (org-macro--makeargs value))
+@@ -115,7 +122,7 @@ org-macro--set-templates
+ 		      (cadr (read value))
+ 		    (error
+                      (user-error "Invalid definition for macro %S" name)))))
+-	    (setq value (eval (macroexpand-all `(lambda ,args ,body)) t))))
++	    (setq value `(lambda ,args ,body))))
+         (cond ((and value old-definition) (setcdr old-definition value))
+ 	      (old-definition)
+ 	      (t (push (cons name (or value "")) new-templates)))))
diff --git a/emacs/28.2/11_all_untrusted-content.patch b/emacs/28.2/11_all_untrusted-content.patch
new file mode 100644
index 0000000..4cd20c0
--- /dev/null
+++ b/emacs/28.2/11_all_untrusted-content.patch
@@ -0,0 +1,84 @@
+New variable untrusted-content
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit ccc188fcf98ad9166ee551fac9d94b2603c3a51b
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:43:51 2024 +0300
+
+    * lisp/files.el (untrusted-content): New variable.
+    
+commit 937b9042ad7426acdcca33e3d931d8f495bdd804
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:44:30 2024 +0300
+
+    * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.
+
+commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:47:24 2024 +0300
+
+    org-latex-preview: Add protection when `untrusted-content' is non-nil
+    
+--- emacs-28.2/lisp/files.el
++++ emacs-28.2/lisp/files.el
+@@ -623,6 +623,14 @@
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+ 
++(defvar-local untrusted-content nil
++  "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (setq-local enable-local-variables nil)
+--- emacs-28.2/lisp/gnus/mm-view.el
++++ emacs-28.2/lisp/gnus/mm-view.el
+@@ -504,6 +504,7 @@ mm-display-inline-fontify
+ 	  (setq coding-system (mm-find-buffer-file-coding-system)))
+ 	(setq text (buffer-string))))
+     (with-temp-buffer
++      (setq untrusted-content t)
+       (buffer-disable-undo)
+       (mm-enable-multibyte)
+       (insert (cond ((eq charset 'gnus-decoded)
+--- emacs-28.2/lisp/org/org.el
++++ emacs-28.2/lisp/org/org.el
+@@ -1092,6 +1092,24 @@
+   :package-version '(Org . "8.0")
+   :type 'boolean)
+ 
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages.  It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+   "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -16000,6 +16018,7 @@ org-latex-preview
+   (interactive "P")
+   (cond
+    ((not (display-graphic-p)) nil)
++   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+    ;; Clear whole buffer.
+    ((equal arg '(64))
+     (org-clear-latex-preview (point-min) (point-max))
diff --git a/emacs/28.2/12_all_org-remote-unsafe.patch b/emacs/28.2/12_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..7236589
--- /dev/null
+++ b/emacs/28.2/12_all_org-remote-unsafe.patch
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 14:59:20 2024 +0300
+
+    org-file-contents: Consider all remote files unsafe
+    
+--- emacs-28.2/lisp/org/org.el
++++ emacs-28.2/lisp/org/org.el
+@@ -4705,12 +4705,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-url-p file))
++         (is-remote (condition-case nil
++                        (file-remote-p file)
++                      ;; In case of error, be safe.
++                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
++     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.