From: Xi Lu <lx@shellcodes.org>
Date: Fri, 23 Dec 2022 04:52:48 +0000 (+0800)
Subject: Fix ruby-mode.el command injection vulnerability (CVE-2022-48338)
X-Git-Tag: archive/raspbian/1%29.2+1-2+rpi1~1^2~40^2~5
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=52fb40cf6a3c50c996cff79b0d4f81fc39c7badf;p=emacs.git

Fix ruby-mode.el command injection vulnerability (CVE-2022-48338)

This upstream patch has been incorporated to fix the problem:

  Fix ruby-mode.el local command injection vulnerability (bug#60268)

  * lisp/progmodes/ruby-mode.el
  (ruby-find-library-file): Fix local command injection vulnerability.

Origin: upstream, commit 22fb5ff5126dc8bb01edaa0252829d853afb284f
Bug: https://debbugs.gnu.org/60268
Bug-Debian: https://bugs.debian.org/1031730
Forwarded: not-needed
---

diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
index 72631a6557f..9b05b04a52c 100644
--- a/lisp/progmodes/ruby-mode.el
+++ b/lisp/progmodes/ruby-mode.el
@@ -1819,7 +1819,7 @@ or `gem' statement around point."
       (setq feature-name (read-string "Feature name: " init))))
   (let ((out
          (substring
-          (shell-command-to-string (concat "gem which " feature-name))
+          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
           0 -1)))
     (if (string-match-p "\\`ERROR" out)
         (user-error "%s" out)