6 files changed, 291 insertions, 0 deletions
diff --git a/emacs/27.2/08_all_configure-decl.patch b/emacs/27.2/08_all_configure-decl.patch
new file mode 100644
index 0000000..0e95515
--- /dev/null
+++ b/emacs/27.2/08_all_configure-decl.patch
@@ -0,0 +1,66 @@
+Fix implicit function declarations in configure.ac (XOpenDisplay, malloc)
+Backported from master branch
+https://bugs.gentoo.org/898304
+
+commit 6c1413d5ef0d1fea639b0d8c83a0c0065d99359b
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Fri Dec 23 18:49:25 2022 +0100
+
+    configure: Remove obsolete check for -b i486-linuxaout
+
+commit 121a9ff9f6fc69066ce30c2dbe6cbfbfdca6aeaa
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Fri Dec 23 18:51:08 2022 +0100
+
+    Fix alternate stack test in configure
+
+--- emacs-27.2/configure.ac
++++ emacs-27.2/configure.ac
+@@ -2505,39 +2505,6 @@
+     export LD_RUN_PATH
+   fi
+ 
+-  if test "${opsys}" = "gnu-linux"; then
+-    AC_CACHE_CHECK([whether X on GNU/Linux needs -b to link], [emacs_cv_b_link],
+-    [AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
+-     [[XOpenDisplay ("foo");]])],
+-     [xgnu_linux_first_failure=no],
+-     [xgnu_linux_first_failure=yes])
+-    if test "${xgnu_linux_first_failure}" = "yes"; then
+-      OLD_CPPFLAGS="$CPPFLAGS"
+-      OLD_LIBS="$LIBS"
+-      CPPFLAGS="$CPPFLAGS -b i486-linuxaout"
+-      LIBS="$LIBS -b i486-linuxaout"
+-      AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],
+-       [[XOpenDisplay ("foo");]])],
+-       [xgnu_linux_second_failure=no],
+-       [xgnu_linux_second_failure=yes])
+-      if test "${xgnu_linux_second_failure}" = "yes"; then
+-	# If we get the same failure with -b, there is no use adding -b.
+-	# So leave it out.  This plays safe.
+-        emacs_cv_b_link=no
+-      else
+-        emacs_cv_b_link=yes
+-      fi
+-      CPPFLAGS=$OLD_CPPFLAGS
+-      LIBS=$OLD_LIBS
+-    else
+-      emacs_cv_b_link=no
+-    fi])
+-    if test "x$emacs_cv_b_link" = xyes ; then
+-      LD_SWITCH_X_SITE="$LD_SWITCH_X_SITE -b i486-linuxaout"
+-      C_SWITCH_X_SITE="$C_SWITCH_X_SITE -b i486-linuxaout"
+-    fi
+-  fi
+-
+   # Reportedly, some broken Solaris systems have XKBlib.h but are missing
+   # header files included from there.
+   AC_CACHE_CHECK([for Xkb], [emacs_cv_xkb],
+@@ -4397,6 +4364,7 @@
+ 	       [emacs_cv_alternate_stack],
+   [AC_COMPILE_IFELSE(
+      [AC_LANG_PROGRAM([[#include <signal.h>
++			#include <stdlib.h>
+ 		      ]],
+ 		      [[stack_t ss;
+ 			struct sigaction sa;
diff --git a/emacs/27.2/09_all_untrusted-content.patch b/emacs/27.2/09_all_untrusted-content.patch
new file mode 100644
index 0000000..0ff1d36
--- /dev/null
+++ b/emacs/27.2/09_all_untrusted-content.patch
@@ -0,0 +1,84 @@
+New variable untrusted-content
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit ccc188fcf98ad9166ee551fac9d94b2603c3a51b
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:43:51 2024 +0300
+
+    * lisp/files.el (untrusted-content): New variable.
+    
+commit 937b9042ad7426acdcca33e3d931d8f495bdd804
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:44:30 2024 +0300
+
+    * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.
+
+commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 12:47:24 2024 +0300
+
+    org-latex-preview: Add protection when `untrusted-content' is non-nil
+    
+--- emacs-27.2/lisp/files.el
++++ emacs-27.2/lisp/files.el
+@@ -588,6 +588,14 @@
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+ 
++(defvar-local untrusted-content nil
++  "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (set (make-local-variable 'enable-local-variables) nil)
+--- emacs-27.2/lisp/gnus/mm-view.el
++++ emacs-27.2/lisp/gnus/mm-view.el
+@@ -466,6 +466,7 @@ mm-display-inline-fontify
+ 	  (setq coding-system (mm-find-buffer-file-coding-system)))
+ 	(setq text (buffer-string))))
+     (with-temp-buffer
++      (setq untrusted-content t)
+       (buffer-disable-undo)
+       (mm-enable-multibyte)
+       (insert (cond ((eq charset 'gnus-decoded)
+--- emacs-27.2/lisp/org/org.el
++++ emacs-27.2/lisp/org/org.el
+@@ -1077,6 +1077,24 @@
+   :package-version '(Org . "8.0")
+   :type 'boolean)
+ 
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages.  It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+   "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15827,6 +15845,7 @@ org-latex-preview
+   (interactive "P")
+   (cond
+    ((not (display-graphic-p)) nil)
++   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+    ;; Clear whole buffer.
+    ((equal arg '(64))
+     (org-clear-latex-preview (point-min) (point-max))
diff --git a/emacs/27.2/10_all_org-remote-unsafe.patch b/emacs/27.2/10_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..65f6a34
--- /dev/null
+++ b/emacs/27.2/10_all_org-remote-unsafe.patch
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Tue Feb 20 14:59:20 2024 +0300
+
+    org-file-contents: Consider all remote files unsafe
+    
+--- emacs-27.2/lisp/org/org.el
++++ emacs-27.2/lisp/org/org.el
+@@ -4665,12 +4665,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
++         (is-remote (condition-case nil
++                        (file-remote-p file)
++                      ;; In case of error, be safe.
++                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
++     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.
diff --git a/emacs/27.2/11_all_autoconf-2.72.patch b/emacs/27.2/11_all_autoconf-2.72.patch
new file mode 100644
index 0000000..2343066
--- /dev/null
+++ b/emacs/27.2/11_all_autoconf-2.72.patch
@@ -0,0 +1,24 @@
+Compatibility fix for autoconf-2.72
+Patch backported from master branch
+https://bugs.gentoo.org/930502
+
+commit e34ebc0ccc6c27e7e1217baad9ca74dd7bea4c37
+Author: Paul Eggert <eggert@cs.ucla.edu>
+Date:   Wed Feb 7 13:17:57 2024 -0800
+
+    Port better to Autoconf 2.72
+
+    * configure.ac: Set ac_cv_type_gid_t=yes to pacify Autoconf 2.72
+    AC_TYPE_GETGROUPS.  Problem reported by Nick Bowler in:
+    https://lists.gnu.org/r/autoconf-patches/2024-02/msg00001.html
+
+--- emacs-27.2/configure.ac
++++ emacs-27.2/configure.ac
+@@ -1633,6 +1633,7 @@
+ AC_DEFUN([AC_TYPE_SIZE_T])
+ # Likewise for obsolescent test for uid_t, gid_t; Emacs assumes them.
+ AC_DEFUN([AC_TYPE_UID_T])
++ac_cv_type_gid_t=yes # AC_TYPE_GETGROUPS needs this in Autoconf 2.72.
+ 
+ # sqrt and other floating-point functions such as fmod and frexp
+ # are found in -lm on many systems.
diff --git a/emacs/27.2/12_all_make-info-dir.patch b/emacs/27.2/12_all_make-info-dir.patch
new file mode 100644
index 0000000..7b11313
--- /dev/null
+++ b/emacs/27.2/12_all_make-info-dir.patch
@@ -0,0 +1,29 @@
+Make it build with mksh
+Patch from emacs-29 branch
+https://bugs.gentoo.org/930086
+https://debbugs.gnu.org/70484
+
+commit 42766f95e5c0e7eb9e21db964ed93c7e093cc0b9
+Author: Ulrich Müller <ulm@gentoo.org>
+Date:   Tue Apr 23 07:37:17 2024 +0200
+
+    * build-aux/make-info-dir: Avoid bashism (bug#70484).
+
+--- emacs-27.2/build-aux/make-info-dir
++++ emacs-27.2/build-aux/make-info-dir
+@@ -33,7 +33,8 @@
+ 
+ ## Header contains non-printing characters, so this is more
+ ## reliable than using awk.
+-cat <"${1?}" || exit
++test $# -ge 2 || exit 1
++cat <"$1"
+ shift
+ 
+ exec "${AWK-awk}" '
+@@ -71,4 +72,4 @@
+       if (data[dircat])
+         printf "\n%s\n%s", topic[dircat], data[dircat]
+   }
+-' "${@?}"
++' "$@"
diff --git a/emacs/27.2/13_all_ol-expand-abbrev.patch b/emacs/27.2/13_all_ol-expand-abbrev.patch
new file mode 100644
index 0000000..6b8761f
--- /dev/null
+++ b/emacs/27.2/13_all_ol-expand-abbrev.patch
@@ -0,0 +1,58 @@
+org-mode should not expand link abbrevs that specify an unsafe function
+Backported from emacs-29 branch
+
+commit c645e1d8205f0f0663ec4a2d27575b238c646c7c
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date:   Fri Jun 21 15:45:25 2024 +0200
+
+    org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+--- emacs-27.2/lisp/org/ol.el
++++ emacs-27.2/lisp/org/ol.el
+@@ -1007,17 +1007,35 @@
+       (if (not as)
+ 	  link
+ 	(setq rpl (cdr as))
+-	(cond
+-	 ((symbolp rpl) (funcall rpl tag))
+-	 ((string-match "%(\\([^)]+\\))" rpl)
+-	  (replace-match
+-	   (save-match-data
+-	     (funcall (intern-soft (match-string 1 rpl)) tag))
+-	   t t rpl))
+-	 ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+-	 ((string-match "%h" rpl)
+-	  (replace-match (url-hexify-string (or tag "")) t t rpl))
+-	 (t (concat rpl tag)))))))
++	;; Drop any potentially dangerous text properties like
++	;; `modification-hooks' that may be used as an attack vector.
++	(substring-no-properties
++	 (cond
++	  ((symbolp rpl) (funcall rpl tag))
++	  ((string-match "%(\\([^)]+\\))" rpl)
++	   (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++	     ;; Using `unsafep-function' is not quite enough because
++	     ;; Emacs considers functions like `genenv' safe, while
++	     ;; they can potentially be used to expose private system
++	     ;; data to attacker if abbreviated link is clicked.
++	     (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++		     (eq t (get rpl-fun-symbol 'pure)))
++		 (replace-match
++		  (save-match-data
++		    (funcall (intern-soft (match-string 1 rpl)) tag))
++		  t t rpl)
++	       (org-display-warning
++		(format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++			rpl (match-string 1 rpl)))
++	       (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++		     org-link-abbrev-alist (delete as org-link-abbrev-alist))
++	       link
++	       )))
++	  ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++	  ((string-match "%h" rpl)
++	   (replace-match (url-hexify-string (or tag "")) t t rpl))
++	  (t (concat rpl tag))))))))
+ 
+ (defun org-link-open (link &optional arg)
+   "Open a link object LINK.