Fix code injection vulnerability (CVE-2023-27986)

This upstream patch has been incorporated to fix the problem:

  Fix Elisp code injection vulnerability in emacsclient-mail.desktop

  A crafted mailto URI could contain unescaped double-quote
  characters, allowing injection of Elisp code.  Therefore, any
  '\' and '"' characters are replaced by '\\' and '\"', using Bash
  pattern substitution (which is not available in the POSIX shell).

  We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the
  bash -c command, but in the desktop entry '"', '$', and '\' must
  be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes
  are expanded twice, see the Desktop Entry Specification).

  Reported by Gabriel Corona <gabriel.corona@free.fr>.

  * etc/emacsclient-mail.desktop (Exec): Escape backslash and
  double-quote characters.

Origin: upstream, commit 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc
Bug-Debian: https://bugs.debian.org/1032538
Forwarded: not-needed

diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
index 91df122c594c1af404c69febfd9b59496e6e072b..49c6f99f317fd25ab65d1ec341af3b9a1fd6382a 100644 (file)
--- a/etc/emacsclient-mail.desktop
+++ b/etc/emacsclient-mail.desktop
@@ -1,7 +1,10 @@
 [Desktop Entry]
 Categories=Network;Email;
 Comment=GNU Emacs is an extensible, customizable text editor - and more
-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+# We want to pass the following commands to the shell wrapper:
+# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")"
+# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'.
+Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
 Icon=emacs
 Name=Emacs (Mail, Client)
 MimeType=x-scheme-handler/mailto;
@@ -13,7 +16,7 @@ Actions=new-window;new-instance;
 
 [Desktop Action new-window]
 Name=New Window
-Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
 
 [Desktop Action new-instance]
 Name=New Instance