From: Sean Whitton Date: Wed, 22 Feb 2023 17:59:29 +0000 (-0700) Subject: Cherry-pick upstream fixes for command injection vulnerabilities X-Git-Tag: archive/raspbian/1%29.2+1-2+rpi1~1^2~50 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=bf173862eb9e7239f63cd804f3076aba9712f0a3;p=emacs.git Cherry-pick upstream fixes for command injection vulnerabilities CVE-2022-48337, CVE-2022-48338, CVE-2022-48339 Closes: #1031730 --- bf173862eb9e7239f63cd804f3076aba9712f0a3
diff --cc debian/.git-dpm
index 3d573f53d90,00000000000..a12c6e1563f
mode 100644,000000..100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@@ -1,8 -1,0 +1,8 @@@
 +# see git-dpm(1) from git-dpm package
- 595617abab6964ac0c6e617bae3d82692bf298b9
- 595617abab6964ac0c6e617bae3d82692bf298b9
++f8822cd42a828c42d9b76bcd32de7e595ffb73c1
++f8822cd42a828c42d9b76bcd32de7e595ffb73c1
 +279b82e64e15b5e2df3cb522636c6db85a8ee659
 +279b82e64e15b5e2df3cb522636c6db85a8ee659
 +emacs_28.2+1.orig.tar.xz
 +d7f49858bdec2d47110c2ed7b1d0005f157e20c3
 +26988304
diff --cc debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
index 00000000000,00000000000..bb98110870e
new file mode 100644
--- /dev/null
+++ b/debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
@@@ -1,0 -1,0 +1,33 @@@
++From 665489d7de786a61fa0c0883b9dffbc76487e37e Mon Sep 17 00:00:00 2001
++From: Xi Lu
++Date: Sat, 24 Dec 2022 16:28:54 +0800
++Subject: Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
++
++This upstream patch has been incorporated to fix the problem:
++
++ Fix htmlfontify.el command injection vulnerability.
++
++ * lisp/htmlfontify.el (hfy-text-p): Fix command injection
++ vulnerability. (Bug#60295)
++
++Origin: upstream, commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
++Bug: https://debbugs.gnu.org/60295
++Bug-Debian: https://bugs.debian.org/1031730
++Forwarded: not-needed
++---
++ lisp/htmlfontify.el | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
++index 115f67c9560..f8d1e205369 100644
++--- a/lisp/htmlfontify.el
+++++ b/lisp/htmlfontify.el
++@@ -1882,7 +1882,7 @@ hfy-make-directory
++
++ (defun hfy-text-p (srcdir file)
++ "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
++- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
++ (rsp (shell-command-to-string cmd)))
++ (string-match "text" rsp)))
++
diff --cc debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
index 00000000000,00000000000..9d95c93d3d1
new file mode 100644
--- /dev/null
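Review bot: In `hfy-text-p` the quoted file name is still substituted into the `hfy-istext-command` template and run through a shell, so the fix only holds while that template uses a bare `%s`. The definition of `hfy-istext-command` is outside this hunk, but if it can be customized, a value that wraps the placeholder in its own quotes would now receive the escape characters literally and test the wrong path. I would record that contract next to the call, `;; The file name is shell-quoted before it replaces %s, so the template must leave %s unquoted.`, and repeat it in the docstring of `hfy-istext-command`.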
+++ b/debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
@@@ -1,0 -1,0 +1,33 @@@
++From 52fb40cf6a3c50c996cff79b0d4f81fc39c7badf Mon Sep 17 00:00:00 2001
++From: Xi Lu
++Date: Fri, 23 Dec 2022 12:52:48 +0800
++Subject: Fix ruby-mode.el command injection vulnerability (CVE-2022-48338)
++
++This upstream patch has been incorporated to fix the problem:
++
++ Fix ruby-mode.el local command injection vulnerability (bug#60268)
++
++ * lisp/progmodes/ruby-mode.el
++ (ruby-find-library-file): Fix local command injection vulnerability.
++
++Origin: upstream, commit 22fb5ff5126dc8bb01edaa0252829d853afb284f
++Bug: https://debbugs.gnu.org/60268
++Bug-Debian: https://bugs.debian.org/1031730
++Forwarded: not-needed
++---
++ lisp/progmodes/ruby-mode.el | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
++index 72631a6557f..9b05b04a52c 100644
++--- a/lisp/progmodes/ruby-mode.el
+++++ b/lisp/progmodes/ruby-mode.el
++@@ -1819,7 +1819,7 @@ ruby-find-library-file
++ (setq feature-name (read-string "Feature name: " init))))
++ (let ((out
++ (substring
++- (shell-command-to-string (concat "gem which " feature-name))
+++ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
++ 0 -1)))
++ (if (string-match-p "\\`ERROR" out)
++ (user-error "%s" out)
diff --cc debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch
index 00000000000,00000000000..31e797eaef2
new file mode 100644
--- /dev/null
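Review bot: `ruby-find-library-file` still assembles a shell command line for `gem which`, although nothing in the visible call needs a shell. `shell-quote-argument` keeps the shell from interpreting `feature-name`, but the value is still handed to `gem` as a single word, so a name beginning with `-` would be read as an option rather than a feature. Passing an argument list avoids the shell altogether, e.g. `(with-output-to-string (call-process "gem" nil standard-output nil "which" feature-name))` in place of the `shell-command-to-string` form, together with a guard that rejects a leading `-`. The function starts and ends outside the hunk.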
+++ b/debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch
@@@ -1,0 -1,0 +1,111 @@@
++From f8822cd42a828c42d9b76bcd32de7e595ffb73c1 Mon Sep 17 00:00:00 2001
++From: lu4nx
++Date: Tue, 6 Dec 2022 15:42:40 +0800
++Subject: Fix etags local command injection vulnerability (CVE-2022-48337)
++
++This upstream patch has been incorporated to fix the problem:
++
++ Fix etags local command injection vulnerability
++
++ * lib-src/etags.c: (escape_shell_arg_string): New function.
++ (process_file_name): Use it to quote file names passed to the
++ shell. (Bug#59817)
++
++Origin: upstream, commit e339926272a598bd9ee7e02989c1662b89e64cf0
++Bug: https://debbugs.gnu.org/59817
++Bug-Debian: https://bugs.debian.org/1031730
++Forwarded: not-needed
++---
++ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
++ 1 file changed, 58 insertions(+), 5 deletions(-)
++
++diff --git a/lib-src/etags.c b/lib-src/etags.c
++index c9c32691016..a6bd7f66e29 100644
++--- a/lib-src/etags.c
+++++ b/lib-src/etags.c
++@@ -408,6 +408,7 @@ #define xrnew(op, n, m) ((op) = xnrealloc (op, n, (m) * sizeof *(op)))
++ static void put_entries (node *);
++ static void clean_matched_file_tag (char const * const, char const * const);
++
+++static char *escape_shell_arg_string (char *);
++ static void do_move_file (const char *, const char *);
++ static char *concat (const char *, const char *, const char *);
++ static char *skip_spaces (char *);
++@@ -1704,13 +1705,16 @@ process_file_name (char *file, language *lang)
++ else
++ {
++ #if MSDOS || defined (DOS_NT)
++- char *cmd1 = concat (compr->command, " \"", real_name);
++- char *cmd = concat (cmd1, "\" > ", tmp_name);
+++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
+++ char *cmd = xmalloc (buf_len);
+++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
++ #else
++- char *cmd1 = concat (compr->command, " '", real_name);
++- char *cmd = concat (cmd1, "' > ", tmp_name);
+++ char *new_real_name = escape_shell_arg_string (real_name);
+++ char *new_tmp_name = escape_shell_arg_string (tmp_name);
+++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
+++ char *cmd = xmalloc (buf_len);
+++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
++ #endif
++- free (cmd1);
++ inf = (system (cmd) == -1
++ ? NULL
++ : fopen (tmp_name, "r" FOPEN_BINARY));
++@@ -7689,6 +7693,55 @@ etags_mktmp (void)
++ return templt;
++ }
++
+++/*
+++ * Adds single quotes around a string, if found single quotes, escaped it.
+++ * Return a newly-allocated string.
+++ *
+++ * For example:
+++ * escape_shell_arg_string("test.txt") => 'test.txt'
+++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
+++ */
+++static char *
+++escape_shell_arg_string (char *str)
+++{
+++ char *p = str;
+++ int need_space = 2; /* ' at begin and end */
+++
+++ while (*p != '\0')
+++ {
+++ if (*p == '\'')
+++ need_space += 4; /* ' to '\'', length is 4 */
+++ else
+++ need_space++;
+++
+++ p++;
+++ }
+++
+++ char *new_str = xnew (need_space + 1, char);
+++ new_str[0] = '\'';
+++ new_str[need_space-1] = '\'';
+++
+++ int i = 1; /* skip first byte */
+++ p = str;
+++ while (*p != '\0')
+++ {
+++ new_str[i] = *p;
+++ if (*p == '\'')
+++ {
+++ new_str[i+1] = '\\';
+++ new_str[i+2] = '\'';
+++ new_str[i+3] = '\'';
+++ i += 3;
+++ }
+++
+++ i++;
+++ p++;
+++ }
+++
+++ new_str[need_space] = '\0';
+++ return new_str;
+++}
+++
++ static void
++ do_move_file(const char *src_file, const char *dst_file)
++ {
diff --cc debian/patches/series
index a9e9fa59f3a,00000000000..a738362067b
mode 100644,000000..100644
--- a/debian/patches/series
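Review bot: In the non-DOS branch of `process_file_name`, `buf_len` is one byte short: the format `"%s %s > %s"` holds four literal characters (a space plus ` > `) but only `strlen (" > ")` is counted, so `snprintf` truncates the command and drops the closing quote of `new_tmp_name` before the string reaches `system`. Counting the separator as well fixes it, e.g. `size_t buf_len = strlen (compr->command) + 1 + strlen (new_real_name) + strlen (" > ") + strlen (new_tmp_name) + 1;`, ideally with the `snprintf` return value checked against `buf_len`. The two buffers returned by `escape_shell_arg_string` are also not freed in the visible lines; `free (new_real_name); free (new_tmp_name);` after the `snprintf` call would release them, unless that already happens further down outside the hunk. The DOS_NT branch sizes its buffer correctly but still places `real_name` and `tmp_name` between double quotes without any escaping.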
+++ b/debian/patches/series
@@@ -1,19 -1,0 +1,22 @@@
 +0001-Prefer-usr-share-info-emacs.patch
 +0002-Run-debian-startup-and-set-debian-emacs-flavor.patch
 +0003-Remove-files-that-appear-to-be-incompatible-with-the.patch
 +0004-Adjust-documentation-references-for-Debian.patch
 +0005-Modify-the-output-of-version-to-indicate-Debian-modi.patch
 +0006-Don-t-try-to-build-src-macuvs.h-via-IVD_Sequences.tx.patch
 +0007-Kill-gpg-agent-in-package-test.el-to-avoid-a-race.patch
 +0008-Mark-vc-bzr-test-fauilt-bzr-autoloads-as-unstable-fo.patch
 +0009-pdumper-set-DUMP_RELOC_ALIGNMENT_BITS-1-for-m68k.patch
 +0010-Avoid-fork-bomb-caused-by-native-compilation.patch
 +0011-Avoid-fork-bomb-caused-by-native-compilation-trampol.patch
 +0012-Fix-eln-files-not-being-generated-when-native-comp-a.patch
 +0013-Fix-large-core-dumps-from-background-processes.patch
 +0014-Mark-test-undo-region-as-unstable.patch
 +0015-Mark-flaky-test-process-tests-multiple-threads-waiti.patch
 +0016-Fix-ctags-local-command-execution-vulnerability-CVE-.patch
 +0017-Add-inhibit-native-compilation.patch
 +0018-Rename-to-inhibit-automatic-native-compilation.patch
 +0019-Fix-copyright-tests-for-2023-onwards.patch
++0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
++0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
++0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch