Fix multiple command injection vulnerabilitiesemacs-28.2-patches-3emacs-27.2-patches-6emacs-26.3-patches-5emacs-25.3-patches-5

This fixes command injection vulnerabilities in etags (CVE-2022-48337),
ruby-mode (CVE-2022-48338), and htmlfontify (CVE-2022-48339) for Emacs
slots 25, 26, 27, and 28.

Note that Emacs 25 and 26 are not affected by the ruby-mode
vulnerability because function ruby-find-library-file did not yet
exist (and there is no call to the gem command in ruby-mode.el).

Emacs 18 is not affected by either of them: It doesn't have ruby-mode
and htmlfontify, and we no longer install the ctags and etags binaries.

Bug: https://bugs.gentoo.org/897950
Signed-off-by: Ulrich Müller <ulm@gentoo.org>

11 files changed, 566 insertions, 0 deletions

diff --git a/emacs/25.3/05_all_etags-metachar.patch b/emacs/25.3/05_all_etags-metachar.patch
new file mode 100644
index 0000000..31ffc14
--- /dev/null
+++ b/emacs/25.3/05_all_etags-metachar.patch
@@ -0,0 +1,99 @@
+Fix etags local command injection vulnerability (CVE-2022-48337)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/59817
+
+commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Tue Dec 6 15:42:40 2022 +0800
+
+    Fix etags local command injection vulnerability
+
+--- emacs-25.3/lib-src/etags.c
++++ emacs-25.3/lib-src/etags.c
+@@ -398,6 +398,7 @@
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1658,13 +1659,16 @@
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+ 	    {
+@@ -6876,6 +6880,55 @@
+   return templt;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff --git a/emacs/25.3/06_all_htmlfontify.patch b/emacs/25.3/06_all_htmlfontify.patch
new file mode 100644
index 0000000..6870c0b
--- /dev/null
+++ b/emacs/25.3/06_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Sat Dec 24 16:28:54 2022 +0800
+
+    Fix htmlfontify.el command injection vulnerability.
+
+--- emacs-25.3/lisp/htmlfontify.el
++++ emacs-25.3/lisp/htmlfontify.el
+@@ -1898,7 +1898,7 @@
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
diff --git a/emacs/26.3/05_all_etags-metachar.patch b/emacs/26.3/05_all_etags-metachar.patch
new file mode 100644
index 0000000..b7cc07b
--- /dev/null
+++ b/emacs/26.3/05_all_etags-metachar.patch
@@ -0,0 +1,99 @@
+Fix etags local command injection vulnerability (CVE-2022-48337)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/59817
+
+commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Tue Dec 6 15:42:40 2022 +0800
+
+    Fix etags local command injection vulnerability
+
+--- emacs-26.3/lib-src/etags.c
++++ emacs-26.3/lib-src/etags.c
+@@ -396,6 +396,7 @@
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1672,13 +1673,16 @@
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+ 	    {
+@@ -7141,6 +7145,55 @@
+   return templt;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff --git a/emacs/26.3/06_all_htmlfontify.patch b/emacs/26.3/06_all_htmlfontify.patch
new file mode 100644
index 0000000..c19e662
--- /dev/null
+++ b/emacs/26.3/06_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Sat Dec 24 16:28:54 2022 +0800
+
+    Fix htmlfontify.el command injection vulnerability.
+
+--- emacs-26.3/lisp/htmlfontify.el
++++ emacs-26.3/lisp/htmlfontify.el
+@@ -1906,7 +1906,7 @@
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
diff --git a/emacs/27.2/05_all_etags-metachar.patch b/emacs/27.2/05_all_etags-metachar.patch
new file mode 100644
index 0000000..8f3338e
--- /dev/null
+++ b/emacs/27.2/05_all_etags-metachar.patch
@@ -0,0 +1,99 @@
+Fix etags local command injection vulnerability (CVE-2022-48337)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/59817
+
+commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Tue Dec 6 15:42:40 2022 +0800
+
+    Fix etags local command injection vulnerability
+
+--- emacs-27.2/lib-src/etags.c
++++ emacs-27.2/lib-src/etags.c
+@@ -398,6 +398,7 @@
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1670,13 +1671,16 @@
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+ 	    {
+@@ -7124,6 +7128,55 @@
+   return templt;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff --git a/emacs/27.2/06_all_ruby-mode.patch b/emacs/27.2/06_all_ruby-mode.patch
new file mode 100644
index 0000000..8537b02
--- /dev/null
+++ b/emacs/27.2/06_all_ruby-mode.patch
@@ -0,0 +1,22 @@
+Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60268
+
+commit 22fb5ff5126dc8bb01edaa0252829d853afb284f
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Fri Dec 23 12:52:48 2022 +0800
+
+    Fix ruby-mode.el local command injection vulnerability (bug#60268)
+
+--- emacs-27.2/lisp/progmodes/ruby-mode.el
++++ emacs-27.2/lisp/progmodes/ruby-mode.el
+@@ -1820,7 +1820,7 @@
+       (setq feature-name (read-string "Feature name: " init))))
+   (let ((out
+          (substring
+-          (shell-command-to-string (concat "gem which " feature-name))
++          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+           0 -1)))
+     (if (string-match-p "\\`ERROR" out)
+         (user-error "%s" out)
diff --git a/emacs/27.2/07_all_htmlfontify.patch b/emacs/27.2/07_all_htmlfontify.patch
new file mode 100644
index 0000000..eb0b079
--- /dev/null
+++ b/emacs/27.2/07_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Sat Dec 24 16:28:54 2022 +0800
+
+    Fix htmlfontify.el command injection vulnerability.
+
+--- emacs-27.2/lisp/htmlfontify.el
++++ emacs-27.2/lisp/htmlfontify.el
+@@ -1912,7 +1912,7 @@
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
diff --git a/emacs/28.2/04_all_gnus-nnml.patch b/emacs/28.2/04_all_gnus-nnml.patch
new file mode 100644
index 0000000..eed2058
--- /dev/null
+++ b/emacs/28.2/04_all_gnus-nnml.patch
@@ -0,0 +1,38 @@
+Fix denial-of-service issue in Gnus
+Patch from emacs-28 branch
+
+commit ae9bfed50dbf5043c0b47f20473ef43d8aeebebd
+Author: Eli Zaretskii <eliz@gnu.org>
+Date:   Mon Dec 19 19:01:04 2022 +0200
+
+    Fix storing email into nnmail by Gnus
+
+--- a/lisp/gnus/nnml.el
++++ b/lisp/gnus/nnml.el
+@@ -775,17 +775,22 @@
+ 	(nnml--encode-headers headers)
+ 	headers))))
+ 
++;; RFC2047-encode Subject and From, but leave invalid headers unencoded.
+ (defun nnml--encode-headers (headers)
+   (let ((subject (mail-header-subject headers))
+ 	(rfc2047-encoding-type 'mime))
+     (unless (string-match "\\`[[:ascii:]]*\\'" subject)
+-      (setf (mail-header-subject headers)
+-	    (mail-encode-encoded-word-string subject t))))
++      (let ((encoded-subject
++             (ignore-errors (mail-encode-encoded-word-string subject t))))
++        (if encoded-subject
++            (setf (mail-header-subject headers) encoded-subject)))))
+   (let ((from (mail-header-from headers))
+ 	(rfc2047-encoding-type 'address-mime))
+     (unless (string-match "\\`[[:ascii:]]*\\'" from)
+-      (setf (mail-header-from headers)
+-	    (rfc2047-encode-string from t)))))
++      (let ((encoded-from
++             (ignore-errors (rfc2047-encode-string from t))))
++        (if encoded-from
++            (setf (mail-header-from headers) encoded-from))))))
+ 
+ (defun nnml-get-nov-buffer (group &optional incrementalp)
+   (let ((buffer (gnus-get-buffer-create
diff --git a/emacs/28.2/05_all_etags-metachar.patch b/emacs/28.2/05_all_etags-metachar.patch
new file mode 100644
index 0000000..9371c17
--- /dev/null
+++ b/emacs/28.2/05_all_etags-metachar.patch
@@ -0,0 +1,99 @@
+Fix etags local command injection vulnerability (CVE-2022-48337)
+Patch from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/59817
+
+commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Tue Dec 6 15:42:40 2022 +0800
+
+    Fix etags local command injection vulnerability
+
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -408,6 +408,7 @@
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1704,13 +1705,16 @@
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  inf = (system (cmd) == -1
+ 		 ? NULL
+ 		 : fopen (tmp_name, "r" FOPEN_BINARY));
+@@ -7689,6 +7693,55 @@
+   return templt;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff --git a/emacs/28.2/06_all_ruby-mode.patch b/emacs/28.2/06_all_ruby-mode.patch
new file mode 100644
index 0000000..6b1b054
--- /dev/null
+++ b/emacs/28.2/06_all_ruby-mode.patch
@@ -0,0 +1,22 @@
+Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338)
+Patch from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60268
+
+commit 22fb5ff5126dc8bb01edaa0252829d853afb284f
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Fri Dec 23 12:52:48 2022 +0800
+
+    Fix ruby-mode.el local command injection vulnerability (bug#60268)
+
+--- a/lisp/progmodes/ruby-mode.el
++++ b/lisp/progmodes/ruby-mode.el
+@@ -1819,7 +1819,7 @@
+       (setq feature-name (read-string "Feature name: " init))))
+   (let ((out
+          (substring
+-          (shell-command-to-string (concat "gem which " feature-name))
++          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+           0 -1)))
+     (if (string-match-p "\\`ERROR" out)
+         (user-error "%s" out)
diff --git a/emacs/28.2/07_all_htmlfontify.patch b/emacs/28.2/07_all_htmlfontify.patch
new file mode 100644
index 0000000..acfccc5
--- /dev/null
+++ b/emacs/28.2/07_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Patch from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date:   Sat Dec 24 16:28:54 2022 +0800
+
+    Fix htmlfontify.el command injection vulnerability.
+
+--- a/lisp/htmlfontify.el
++++ b/lisp/htmlfontify.el
+@@ -1882,7 +1882,7 @@
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+