authorUlrich Müller <ulm@gentoo.org>2023-02-26 21:00:06 +0100
committerUlrich Müller <ulm@gentoo.org>2023-02-26 21:00:06 +0100
commitdfe3b5140502207cf64dc11b33c30da958822937 (patch)
treecdc8675a44b6b2018047deb540f1960b1aed66a5 /emacs/25.3
parent28.3: Copy patchset from 28.2 (diff)
This fixes command injection vulnerabilities in etags (CVE-2022-48337), ruby-mode (CVE-2022-48338), and htmlfontify (CVE-2022-48339) for Emacs slots 25, 26, 27, and 28. Note that Emacs 25 and 26 are not affected by the ruby-mode vulnerability because the function ruby-find-library-file did not yet exist (and there is no call to the gem command in ruby-mode.el). Emacs 18 is not affected by any of the three: it has neither ruby-mode nor htmlfontify, and we no longer install the ctags and etags binaries. Bug: https://bugs.gentoo.org/897950 Signed-off-by: Ulrich Müller <ulm@gentoo.org>
Diffstat (limited to 'emacs/25.3')
-rw-r--r--emacs/25.3/05_all_etags-metachar.patch99
-rw-r--r--emacs/25.3/06_all_htmlfontify.patch22
2 files changed, 121 insertions, 0 deletions
diff --git a/emacs/25.3/05_all_etags-metachar.patch b/emacs/25.3/05_all_etags-metachar.patch
new file mode 100644
index 0000000..31ffc14
--- /dev/null
+++ b/emacs/25.3/05_all_etags-metachar.patch
@@ -0,0 +1,99 @@
+Fix etags local command injection vulnerability (CVE-2022-48337)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/59817
+
+commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Author: Xi Lu <lx@shellcodes.org>
+Date: Tue Dec 6 15:42:40 2022 +0800
+
+ Fix etags local command injection vulnerability
+
+--- emacs-25.3/lib-src/etags.c
++++ emacs-25.3/lib-src/etags.c
+@@ -398,6 +398,7 @@
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1658,13 +1659,16 @@
+ else
+ {
+ #if MSDOS || defined (DOS_NT)
+- char *cmd1 = concat (compr->command, " \"", real_name);
+- char *cmd = concat (cmd1, "\" > ", tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+- char *cmd1 = concat (compr->command, " '", real_name);
+- char *cmd = concat (cmd1, "' > ", tmp_name);
++ char *new_real_name = escape_shell_arg_string (real_name);
++ char *new_tmp_name = escape_shell_arg_string (tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+- free (cmd1);
+ int tmp_errno;
+ if (system (cmd) == -1)
+ {
+@@ -6876,6 +6880,55 @@
+ return templt;
+ }
+
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++ char *p = str;
++ int need_space = 2; /* ' at begin and end */
++
++ while (*p != '\0')
++ {
++ if (*p == '\'')
++ need_space += 4; /* ' to '\'', length is 4 */
++ else
++ need_space++;
++
++ p++;
++ }
++
++ char *new_str = xnew (need_space + 1, char);
++ new_str[0] = '\'';
++ new_str[need_space-1] = '\'';
++
++ int i = 1; /* skip first byte */
++ p = str;
++ while (*p != '\0')
++ {
++ new_str[i] = *p;
++ if (*p == '\'')
++ {
++ new_str[i+1] = '\\';
++ new_str[i+2] = '\'';
++ new_str[i+3] = '\'';
++ i += 3;
++ }
++
++ i++;
++ p++;
++ }
++
++ new_str[need_space] = '\0';
++ return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
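Review bot: In the non-DOS branch, new_real_name and new_tmp_name are allocated by escape_shell_arg_string (via xnew) but are never freed anywhere in the hunk, and the removed `free (cmd1);` is not replaced by anything — unless they are released further down in the enclosing function, which continues outside this hunk, every compressed input file tagged leaks two allocations. Adding `free (new_real_name);` and `free (new_tmp_name);` immediately after the snprintf call, before `#endif`, closes that. Separately, `int buf_len` holds a sum of strlen results and is passed as the size to both xmalloc and snprintf; `size_t buf_len` is the matching type and avoids a signed/unsigned mismatch on long paths. Note also that the MSDOS/DOS_NT branch still relies on double quotes alone and does not escape an embedded `"` in real_name or tmp_name, so that path is only as safe as the DOS command interpreter's own quoting rules.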
diff --git a/emacs/25.3/06_all_htmlfontify.patch b/emacs/25.3/06_all_htmlfontify.patch
new file mode 100644
index 0000000..6870c0b
--- /dev/null
+++ b/emacs/25.3/06_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date: Sat Dec 24 16:28:54 2022 +0800
+
+ Fix htmlfontify.el command injection vulnerability.
+
+--- emacs-25.3/lisp/htmlfontify.el
++++ emacs-25.3/lisp/htmlfontify.el
+@@ -1898,7 +1898,7 @@
+
+ (defun hfy-text-p (srcdir file)
+ "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this."
+- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+ (rsp (shell-command-to-string cmd)))
+ (string-match "text" rsp)))
+
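Review bot: The docstring of hfy-text-p still says only what the function asks, not that the file name is now shell-quoted, which is the property this change exists to guarantee; I would extend it with a second line, `The expanded file name is passed through `shell-quote-argument' before it is substituted into `hfy-istext-command', so arbitrary characters in it are safe.`. The fix itself looks right: `shell-quote-argument` quotes for the shell of the current `system-type`, and `format` then substitutes the already-quoted string into the command template. What the hunk cannot show is the definition of `hfy-istext-command`; for this substitution to be safe it must contain exactly one `%s` and no other unescaped `%` directives, which is worth confirming against that defcustom.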