From: Sean Whitton Date: Tue, 14 Mar 2023 20:28:48 +0000 (-0700) Subject: Cherry-pick upstream fixes for command injection vulnerabilities X-Git-Tag: archive/raspbian/1%29.2+1-2+rpi1~1^2~44 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=19031929b4b889c098d55a0f133bb8be68f32a7e;p=emacs.git Cherry-pick upstream fixes for command injection vulnerabilities CVE-2023-27984, CVE-2023-27986 Closes: #1032538 --- 19031929b4b889c098d55a0f133bb8be68f32a7e diff --cc debian/.git-dpm index 97c04a483cd,00000000000..8e6ac622189 mode 100644,000000..100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@@ -1,8 -1,0 +1,8 @@@ +# see git-dpm(1) from git-dpm package - 3f6e215ea8d05e2760981c8ab5bce41879e54703 - 3f6e215ea8d05e2760981c8ab5bce41879e54703 ++4e6971c25c27c9a3f34cc69b51db894105362d08 ++4e6971c25c27c9a3f34cc69b51db894105362d08 +279b82e64e15b5e2df3cb522636c6db85a8ee659 +279b82e64e15b5e2df3cb522636c6db85a8ee659 +emacs_28.2+1.orig.tar.xz +d7f49858bdec2d47110c2ed7b1d0005f157e20c3 +26988304 diff --cc debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch index 00000000000,00000000000..c7d97c197b6 new file mode 100644 --- /dev/null 
+++ b/debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch @@@ -1,0 -1,0 +1,71 @@@ ++From a7bd44852551bd9a4c04d56bac64a6ca3d9af9a3 Mon Sep 17 00:00:00 2001 ++From: =?UTF-8?q?Ulrich=20M=C3=BCller?= ++Date: Mon, 19 Dec 2022 16:51:20 +0100 ++Subject: Fix quoted argument in emacsclient-mail.desktop (CVE-2023-27985) ++ ++This upstream patch has been incorporated to fix the problem: ++ ++ Fix quoted argument in emacsclient-mail.desktop Exec key ++ ++ Apparently the emacsclient-mail.desktop file doesn't conform to the ++ Desktop Entry Specification at ++ https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables ++ which says about the Exec key: ++ ++ | Field codes must not be used inside a quoted argument, the result of ++ | field code expansion inside a quoted argument is undefined. ++ ++ However, the %u field code is used inside a quoted argument of the ++ Exec key in both the [Desktop Entry] and [Desktop Action new-window] ++ sections. ++ * etc/emacsclient-mail.desktop (Exec): The Desktop Entry ++ Specification does not allow field codes like %u inside a quoted ++ argument. Work around it by passing %u as first parameter ($1) ++ to the shell wrapper. ++ * etc/emacsclient.desktop (Exec): Use `sh` rather than `placeholder` ++ as the command name of the shell wrapper. 
(Bug#60204) ++ ++Origin: upstream, commit d32091199ae5de590a83f1542a01d75fba000467 ++Bug: https://debbugs.gnu.org/60204 ++Bug-Debian: https://bugs.debian.org/1032538 ++Forwarded: not-needed ++--- ++ etc/emacsclient-mail.desktop | 4 ++-- ++ etc/emacsclient.desktop | 2 +- ++ 2 files changed, 3 insertions(+), 3 deletions(-) ++ ++diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop ++index b575a41758a..91df122c594 100644 ++--- a/etc/emacsclient-mail.desktop +++++ b/etc/emacsclient-mail.desktop ++@@ -1,7 +1,7 @@ ++ [Desktop Entry] ++ Categories=Network;Email; ++ Comment=GNU Emacs is an extensible, customizable text editor - and more ++-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)" +++Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u ++ Icon=emacs ++ Name=Emacs (Mail, Client) ++ MimeType=x-scheme-handler/mailto; ++@@ -13,7 +13,7 @@ Actions=new-window;new-instance; ++ ++ [Desktop Action new-window] ++ Name=New Window ++-Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")" +++Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u ++ ++ [Desktop Action new-instance] ++ Name=New Instance ++diff --git a/etc/emacsclient.desktop b/etc/emacsclient.desktop ++index 1ecdecffafd..a9f840c7033 100644 ++--- a/etc/emacsclient.desktop +++++ b/etc/emacsclient.desktop ++@@ -3,7 +3,7 @@ Name=Emacs (Client) ++ GenericName=Text Editor ++ Comment=Edit text ++ MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++; ++-Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient 
--alternate-editor= --create-frame; fi" placeholder %F +++Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" sh %F ++ Icon=emacs ++ Type=Application ++ Terminal=false diff --cc debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch index 00000000000,00000000000..4d40cda0dd9 new file mode 100644 --- /dev/null 
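Review bot: The commit description names CVE-2023-27984 and CVE-2023-27986, while this patch's Subject and file name say CVE-2023-27985, so one of the identifiers looks mistyped and should be reconciled so security trackers pick up the right entry. On the code itself, the new `Exec=sh -c ... sh %u` lines stop the field code from being expanded inside a quoted shell argument. However, `$1` is still placed verbatim between the quotes of the Elisp string in `(message-mailto \"$1\")`, and that is only closed by patch 0025 in this same commit. I would add a line to the patch header such as `Must be applied together with 0025: on its own this patch still passes the URI unescaped into --eval.` so that nobody backports 0024 alone.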
+++ b/debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch @@@ -1,0 -1,0 +1,56 @@@ ++From 4e6971c25c27c9a3f34cc69b51db894105362d08 Mon Sep 17 00:00:00 2001 ++From: =?UTF-8?q?Ulrich=20M=C3=BCller?= ++Date: Tue, 7 Mar 2023 18:25:37 +0100 ++Subject: Fix code injection vulnerability (CVE-2023-27986) ++ ++This upstream patch has been incorporated to fix the problem: ++ ++ Fix Elisp code injection vulnerability in emacsclient-mail.desktop ++ ++ A crafted mailto URI could contain unescaped double-quote ++ characters, allowing injection of Elisp code. Therefore, any ++ '\' and '"' characters are replaced by '\\' and '\"', using Bash ++ pattern substitution (which is not available in the POSIX shell). ++ ++ We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the ++ bash -c command, but in the desktop entry '"', '$', and '\' must ++ be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes ++ are expanded twice, see the Desktop Entry Specification). ++ ++ Reported by Gabriel Corona . ++ ++ * etc/emacsclient-mail.desktop (Exec): Escape backslash and ++ double-quote characters. 
++ ++Origin: upstream, commit 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc ++Bug-Debian: https://bugs.debian.org/1032538 ++Forwarded: not-needed ++--- ++ etc/emacsclient-mail.desktop | 7 +++++-- ++ 1 file changed, 5 insertions(+), 2 deletions(-) ++ ++diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop ++index 91df122c594..49c6f99f317 100644 ++--- a/etc/emacsclient-mail.desktop +++++ b/etc/emacsclient-mail.desktop ++@@ -1,7 +1,10 @@ ++ [Desktop Entry] ++ Categories=Network;Email; ++ Comment=GNU Emacs is an extensible, customizable text editor - and more ++-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u +++# We want to pass the following commands to the shell wrapper: +++# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")" +++# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'. +++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u ++ Icon=emacs ++ Name=Emacs (Mail, Client) ++ MimeType=x-scheme-handler/mailto; ++@@ -13,7 +16,7 @@ Actions=new-window;new-instance; ++ ++ [Desktop Action new-window] ++ Name=New Window ++-Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u +++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u ++ ++ [Desktop Action new-instance] ++ Name=New Instance diff --cc debian/patches/series index 58041d1d729,00000000000..1bf62a48800 mode 100644,000000..100644 --- a/debian/patches/series 
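Review bot: The escaping in both new `Exec=bash -c` lines is only correct because backslashes are doubled before double quotes are escaped, and the added comment does not mention that ordering; I would extend it with `# Order matters: escape '\' first, then '"', so the backslash added in front of each quote is not doubled again.` The comment also sits only above the `[Desktop Entry]` Exec key, while the `[Desktop Action new-window]` line carries the same three-level quoting with no pointer back to it, so a short `# Same escaping as the Exec key in [Desktop Entry].` there would help. The switch from `sh` to `bash` makes the mailto handler depend on `bash` being on PATH (the patch description itself notes the substitution is not available in POSIX sh); that is presumably fine on Debian but is worth stating in the patch header. Nothing in the hunk exercises the fix, so a packaging test that launches the entry with a URI containing a double quote and a backslash, and checks that the text arrives as data, would guard against a quoting regression on the next rebase.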
+++ b/debian/patches/series @@@ -1,23 -1,0 +1,25 @@@ +0001-Prefer-usr-share-info-emacs.patch +0002-Run-debian-startup-and-set-debian-emacs-flavor.patch +0003-Remove-files-that-appear-to-be-incompatible-with-the.patch +0004-Adjust-documentation-references-for-Debian.patch +0005-Modify-the-output-of-version-to-indicate-Debian-modi.patch +0006-Don-t-try-to-build-src-macuvs.h-via-IVD_Sequences.tx.patch +0007-Kill-gpg-agent-in-package-test.el-to-avoid-a-race.patch +0008-Mark-vc-bzr-test-fauilt-bzr-autoloads-as-unstable-fo.patch +0009-pdumper-set-DUMP_RELOC_ALIGNMENT_BITS-1-for-m68k.patch +0010-Avoid-fork-bomb-caused-by-native-compilation.patch +0011-Avoid-fork-bomb-caused-by-native-compilation-trampol.patch +0012-Fix-eln-files-not-being-generated-when-native-comp-a.patch +0013-Fix-large-core-dumps-from-background-processes.patch +0014-Mark-test-undo-region-as-unstable.patch +0015-Mark-flaky-test-process-tests-multiple-threads-waiti.patch +0016-Fix-ctags-local-command-execution-vulnerability-CVE-.patch +0017-Add-inhibit-native-compilation.patch +0018-Rename-to-inhibit-automatic-native-compilation.patch +0019-Fix-copyright-tests-for-2023-onwards.patch +0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch +0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch +0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch +0023-Fix-memory-leak-in-etags.c.patch ++0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch ++0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch