Cherry-pick upstream fixes for command injection vulnerabilities
authorSean Whitton <spwhitton@spwhitton.name>
Tue, 14 Mar 2023 20:28:48 +0000 (13:28 -0700)
committerSean Whitton <spwhitton@spwhitton.name>
Tue, 14 Mar 2023 20:29:15 +0000 (13:29 -0700)
CVE-2023-27984, CVE-2023-27986

Closes: #1032538
debian/.git-dpm
debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
debian/patches/series

diff --cc debian/.git-dpm
index 97c04a483cd3951b80df2eb418b27facb6f58f08,0000000000000000000000000000000000000000..8e6ac6221899d1c42d2555904a2f612e39c77d12
mode 100644,000000..100644
--- /dev/null
@@@ -1,8 -1,0 +1,8 @@@
- 3f6e215ea8d05e2760981c8ab5bce41879e54703
- 3f6e215ea8d05e2760981c8ab5bce41879e54703
 +# see git-dpm(1) from git-dpm package
++4e6971c25c27c9a3f34cc69b51db894105362d08
++4e6971c25c27c9a3f34cc69b51db894105362d08
 +279b82e64e15b5e2df3cb522636c6db85a8ee659
 +279b82e64e15b5e2df3cb522636c6db85a8ee659
 +emacs_28.2+1.orig.tar.xz
 +d7f49858bdec2d47110c2ed7b1d0005f157e20c3
 +26988304
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..c7d97c197b632766729bc83be0ee4de7fd134601
new file mode 100644 (file)
--- /dev/null
--- /dev/null
@@@ -1,0 -1,0 +1,71 @@@
++From a7bd44852551bd9a4c04d56bac64a6ca3d9af9a3 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm@gentoo.org>
++Date: Mon, 19 Dec 2022 16:51:20 +0100
++Subject: Fix quoted argument in emacsclient-mail.desktop (CVE-2023-27985)
++
++This upstream patch has been incorporated to fix the problem:
++
++  Fix quoted argument in emacsclient-mail.desktop Exec key
++
++  Apparently the emacsclient-mail.desktop file doesn't conform to the
++  Desktop Entry Specification at
++  https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables
++  which says about the Exec key:
++
++  | Field codes must not be used inside a quoted argument, the result of
++  | field code expansion inside a quoted argument is undefined.
++
++  However, the %u field code is used inside a quoted argument of the
++  Exec key in both the [Desktop Entry] and [Desktop Action new-window]
++  sections.
++  * etc/emacsclient-mail.desktop (Exec): The Desktop Entry
++  Specification does not allow field codes like %u inside a quoted
++  argument. Work around it by passing %u as first parameter ($1)
++  to the shell wrapper.
++  * etc/emacsclient.desktop (Exec): Use `sh` rather than `placeholder`
++  as the command name of the shell wrapper.  (Bug#60204)
++
++Origin: upstream, commit d32091199ae5de590a83f1542a01d75fba000467
++Bug: https://debbugs.gnu.org/60204
++Bug-Debian: https://bugs.debian.org/1032538
++Forwarded: not-needed
++---
++ etc/emacsclient-mail.desktop | 4 ++--
++ etc/emacsclient.desktop      | 2 +-
++ 2 files changed, 3 insertions(+), 3 deletions(-)
++
++diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
++index b575a41758a..91df122c594 100644
++--- a/etc/emacsclient-mail.desktop
+++++ b/etc/emacsclient-mail.desktop
++@@ -1,7 +1,7 @@
++ [Desktop Entry]
++ Categories=Network;Email;
++ Comment=GNU Emacs is an extensible, customizable text editor - and more
++-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)"
+++Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
++ Icon=emacs
++ Name=Emacs (Mail, Client)
++ MimeType=x-scheme-handler/mailto;
++@@ -13,7 +13,7 @@ Actions=new-window;new-instance;
++ 
++ [Desktop Action new-window]
++ Name=New Window
++-Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")"
+++Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
++ 
++ [Desktop Action new-instance]
++ Name=New Instance
++diff --git a/etc/emacsclient.desktop b/etc/emacsclient.desktop
++index 1ecdecffafd..a9f840c7033 100644
++--- a/etc/emacsclient.desktop
+++++ b/etc/emacsclient.desktop
++@@ -3,7 +3,7 @@ Name=Emacs (Client)
++ GenericName=Text Editor
++ Comment=Edit text
++ MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++;
++-Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" placeholder %F
+++Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" sh %F
++ Icon=emacs
++ Type=Application
++ Terminal=false
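Review bot: The Subject of this patch names CVE-2023-27985, while the commit message lists CVE-2023-27984 and CVE-2023-27986, so one of the two identifiers is presumably a typo. It should be checked against the Debian bug (#1032538) so that trackers keyed on CVE ids attribute the fix correctly. Separately, both new `Exec` lines in emacsclient-mail.desktop still expand `$1` unescaped inside the quoted Elisp string passed to `--eval`, so this patch alone only moves the field code out of the quoted argument. The patch header could record that, for example `This is incomplete without the follow-up patch for CVE-2023-27986, which escapes '\' and '"' in the URI.`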
index 0000000000000000000000000000000000000000,0000000000000000000000000000000000000000..4d40cda0dd91637be015a15c55377121db28e37a
new file mode 100644 (file)
--- /dev/null
--- /dev/null
@@@ -1,0 -1,0 +1,56 @@@
++From 4e6971c25c27c9a3f34cc69b51db894105362d08 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm@gentoo.org>
++Date: Tue, 7 Mar 2023 18:25:37 +0100
++Subject: Fix code injection vulnerability (CVE-2023-27986)
++
++This upstream patch has been incorporated to fix the problem:
++
++  Fix Elisp code injection vulnerability in emacsclient-mail.desktop
++
++  A crafted mailto URI could contain unescaped double-quote
++  characters, allowing injection of Elisp code.  Therefore, any
++  '\' and '"' characters are replaced by '\\' and '\"', using Bash
++  pattern substitution (which is not available in the POSIX shell).
++
++  We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the
++  bash -c command, but in the desktop entry '"', '$', and '\' must
++  be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes
++  are expanded twice, see the Desktop Entry Specification).
++
++  Reported by Gabriel Corona <gabriel.corona@free.fr>.
++
++  * etc/emacsclient-mail.desktop (Exec): Escape backslash and
++  double-quote characters.
++
++Origin: upstream, commit 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc
++Bug-Debian: https://bugs.debian.org/1032538
++Forwarded: not-needed
++---
++ etc/emacsclient-mail.desktop | 7 +++++--
++ 1 file changed, 5 insertions(+), 2 deletions(-)
++
++diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
++index 91df122c594..49c6f99f317 100644
++--- a/etc/emacsclient-mail.desktop
+++++ b/etc/emacsclient-mail.desktop
++@@ -1,7 +1,10 @@
++ [Desktop Entry]
++ Categories=Network;Email;
++ Comment=GNU Emacs is an extensible, customizable text editor - and more
++-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+++# We want to pass the following commands to the shell wrapper:
+++# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")"
+++# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'.
+++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
++ Icon=emacs
++ Name=Emacs (Mail, Client)
++ MimeType=x-scheme-handler/mailto;
++@@ -13,7 +16,7 @@ Actions=new-window;new-instance;
++ 
++ [Desktop Action new-window]
++ Name=New Window
++-Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
++ 
++ [Desktop Action new-instance]
++ Name=New Instance
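Review bot: The explanatory comment added above the first `Exec` line is not repeated for the `[Desktop Action new-window]` entry, which carries the same multiply-escaped substitution. Neither place records that the order of the two substitutions matters: backslashes have to be doubled before double quotes are escaped, or the backslash inserted in front of `"` would itself be doubled. I would add `# Same escaping as the main Exec line: double backslashes first, then escape double quotes.` above the second `Exec`. The move from `sh` to `bash` also makes the mailto handler depend on bash being installed, since the description says the pattern substitution is not available in the POSIX shell. That is presumably always satisfied on Debian, but it is worth confirming for the packages that ship this file. Because this escaping is easy to break in a later edit, a packaging test that unescapes the `Exec` value and checks the resulting Elisp string literal for a URI containing `"` and `\` would guard against regressions.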
index 58041d1d72943d76be4f95a937d81fb09ee5290b,0000000000000000000000000000000000000000..1bf62a48800471098e4a915729f9d8d884a5cc17
mode 100644,000000..100644
--- /dev/null
@@@ -1,23 -1,0 +1,25 @@@
 +0001-Prefer-usr-share-info-emacs.patch
 +0002-Run-debian-startup-and-set-debian-emacs-flavor.patch
 +0003-Remove-files-that-appear-to-be-incompatible-with-the.patch
 +0004-Adjust-documentation-references-for-Debian.patch
 +0005-Modify-the-output-of-version-to-indicate-Debian-modi.patch
 +0006-Don-t-try-to-build-src-macuvs.h-via-IVD_Sequences.tx.patch
 +0007-Kill-gpg-agent-in-package-test.el-to-avoid-a-race.patch
 +0008-Mark-vc-bzr-test-fauilt-bzr-autoloads-as-unstable-fo.patch
 +0009-pdumper-set-DUMP_RELOC_ALIGNMENT_BITS-1-for-m68k.patch
 +0010-Avoid-fork-bomb-caused-by-native-compilation.patch
 +0011-Avoid-fork-bomb-caused-by-native-compilation-trampol.patch
 +0012-Fix-eln-files-not-being-generated-when-native-comp-a.patch
 +0013-Fix-large-core-dumps-from-background-processes.patch
 +0014-Mark-test-undo-region-as-unstable.patch
 +0015-Mark-flaky-test-process-tests-multiple-threads-waiti.patch
 +0016-Fix-ctags-local-command-execution-vulnerability-CVE-.patch
 +0017-Add-inhibit-native-compilation.patch
 +0018-Rename-to-inhibit-automatic-native-compilation.patch
 +0019-Fix-copyright-tests-for-2023-onwards.patch
 +0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
 +0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
 +0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch
 +0023-Fix-memory-leak-in-etags.c.patch
++0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
++0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch