From: Rob Browning
Date: Fri, 31 Mar 2023 17:28:33 +0000 (-0500)
Subject: Fix Org Mode command injection vulnerability CVE-2023-28617
X-Git-Tag: archive/raspbian/1%29.2+1-2+rpi1~1^2~39
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=a8235261697476cd013ad95bda4fe3029834462b;p=emacs.git
Fix Org Mode command injection vulnerability CVE-2023-28617
Add 0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch and 0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch to address the issue.
Closes: 1033342
--- a8235261697476cd013ad95bda4fe3029834462b
diff --cc debian/.git-dpm
index 9c05d91ed5f,00000000000..7c71a3b2eea
mode 100644,000000..100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@@ -1,8 -1,0 +1,8 @@@
+# see git-dpm(1) from git-dpm package
- cf3c2037c3531b756fbb443b8ab2f6873f10930e
- cf3c2037c3531b756fbb443b8ab2f6873f10930e
++023ac1eff558f6fb387fea1629b084c8929de18d
++023ac1eff558f6fb387fea1629b084c8929de18d
+279b82e64e15b5e2df3cb522636c6db85a8ee659
+279b82e64e15b5e2df3cb522636c6db85a8ee659
+emacs_28.2+1.orig.tar.xz
+d7f49858bdec2d47110c2ed7b1d0005f157e20c3
+26988304
diff --cc debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
index 00000000000,00000000000..3ad5769b95f
new file mode 100644
--- /dev/null
+++ b/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
@@@ -1,0 -1,0 +1,49 @@@
++From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001
++From: Xi Lu
++Date: Sat, 11 Mar 2023 18:53:37 +0800
++Subject: Org Mode vulnerability CVE-2023-28617 is fixed (1/2)
++
++https://security-tracker.debian.org/tracker/CVE-2023-28617
++
++This upstream patch (1/2) has been incorporated to fix the problem:
++
++ * lisp/ob-latex.el: Fix command injection vulnerability
++
++ (org-babel-execute:latex):
++ Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
++
++ TINYCHANGE
++
++Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
++Bug-Debian: https://bugs.debian.org/1033342
++---
++ lisp/org/ob-latex.el | 13 +++++--------
++ 1 file changed, 5 insertions(+), 8 deletions(-)
++
++diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
++index 7253803af9e..73139c836b8 100644
++--- a/lisp/org/ob-latex.el
+++++ b/lisp/org/ob-latex.el
++@@ -205,17 +205,14 @@ org-babel-execute:latex
++ (if (string-suffix-p ".svg" out-file)
++ (progn
++ (shell-command "pwd")
++- (shell-command (format "mv %s %s"
++- (concat (file-name-sans-extension tex-file) "-1.svg")
++- out-file)))
+++ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
+++ out-file t))
++ (error "SVG file produced but HTML file requested")))
++ ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
++ (if (string-suffix-p ".html" out-file)
++- (shell-command "mv %s %s"
++- (concat (file-name-sans-extension tex-file)
++- ".html")
++- out-file)
++- (error "HTML file produced but SVG file requested")))))
+++ (rename-file (concat (file-name-sans-extension tex-file) ".html")
+++ out-file t)
+++ (error "HTML file produced but SVG file requested")))))
++ ((or (string= "pdf" extension) imagemagick)
++ (with-temp-file tex-file
++ (require 'ox-latex)
diff --cc
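Review bot: `(shell-command "pwd")` survives on the new side of the .svg branch, directly above the new `rename-file` call; it contributes nothing to the result and spawns a shell purely as leftover debugging output, so a patch whose whole point is to stop shelling out from this function should delete that line as well. The removed .html branch called `(shell-command "mv %s %s" ...)` without `format`, so the literal string reached the shell and that branch never actually moved the file; the switch to `rename-file` repairs that too, and the patch description could say so. `rename-file` signals an error where the ignored exit status of `mv` did not, so a failed move now surfaces to the caller instead of leaving the output silently missing, which is the behaviour wanted here but is worth a sentence in the description. The enclosing `org-babel-execute:latex` starts and ends outside the hunk.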
debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch
index 00000000000,00000000000..03182436b3e
new file mode 100644
--- /dev/null
+++ b/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch
@@@ -1,0 -1,0 +1,36 @@@
++From 023ac1eff558f6fb387fea1629b084c8929de18d Mon Sep 17 00:00:00 2001
++From: Xi Lu
++Date: Sat, 18 Feb 2023 18:03:28 +0800
++Subject: Org Mode vulnerability CVE-2023-28617 is fixed (2/2)
++
++https://security-tracker.debian.org/tracker/CVE-2023-28617
++
++This upstream patch (2/2) has been incorporated to fix the problem:
++
++Org Mode command injection vulnerability has been fixed (CVE-2023-28617)
++
++ * lisp/ob-latex.el (org-babel-execute:latex): Fix command injection vulnerability
++
++ Link: https://orgmode.org/list/tencent_5C4D5D0DEFDDBBFC66F855703927E60C7706@qq.com
++
++ TINYCHANGE
++
++Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485
++Bug-Debian: https://bugs.debian.org/1033342
++---
++ lisp/org/ob-latex.el | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
++index 73139c836b8..1c5df6fe85d 100644
++--- a/lisp/org/ob-latex.el
+++++ b/lisp/org/ob-latex.el
++@@ -167,7 +167,7 @@ org-babel-execute:latex
++ tmp-pdf
++ (list org-babel-latex-pdf-svg-process)
++ extension err-msg log-buf)))
++- (shell-command (format "mv %s %s" img-out out-file)))))
+++ (rename-file img-out out-file t))))
++ ((string-suffix-p ".tikz" out-file)
++ (when (file-exists-p out-file) (delete-file out-file))
++ (with-temp-file out-file
diff --cc debian/patches/series
index 1a612b473f1,00000000000..0b282410adc
mode 100644,000000..100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -1,26 -1,0 +1,28 @@@
+0001-Prefer-usr-share-info-emacs.patch
+0002-Run-debian-startup-and-set-debian-emacs-flavor.patch
+0003-Remove-files-that-appear-to-be-incompatible-with-the.patch
+0004-Adjust-documentation-references-for-Debian.patch
+0005-Modify-the-output-of-version-to-indicate-Debian-modi.patch
+0006-Don-t-try-to-build-src-macuvs.h-via-IVD_Sequences.tx.patch
+0007-Kill-gpg-agent-in-package-test.el-to-avoid-a-race.patch
+0008-Mark-vc-bzr-test-fauilt-bzr-autoloads-as-unstable-fo.patch
+0009-pdumper-set-DUMP_RELOC_ALIGNMENT_BITS-1-for-m68k.patch
+0010-Avoid-fork-bomb-caused-by-native-compilation.patch
+0011-Avoid-fork-bomb-caused-by-native-compilation-trampol.patch
+0012-Fix-eln-files-not-being-generated-when-native-comp-a.patch
+0013-Fix-large-core-dumps-from-background-processes.patch
+0014-Mark-test-undo-region-as-unstable.patch
+0015-Mark-flaky-test-process-tests-multiple-threads-waiti.patch
+0016-Fix-ctags-local-command-execution-vulnerability-CVE-.patch
+0017-Add-inhibit-native-compilation.patch
+0018-Rename-to-inhibit-automatic-native-compilation.patch
+0019-Fix-copyright-tests-for-2023-onwards.patch
+0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
+0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
+0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch
+0023-Fix-memory-leak-in-etags.c.patch
+0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
+0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
+0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch
++0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
++0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch