Accepting request 1231394 from editors

- Add patch emacs-CVE-2024-53920.patch (bsc#1233894, CVE-2024-53920) 
  * Disable flymake on start and save to avoid to be attacked with
    elisp code from foreign source.

OBS-URL: https://build.opensuse.org/request/show/1231394
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/emacs?expand=0&rev=196

emacs-CVE-2024-53920.patch

@@ -0,0 +1,47 @@
+From: Werner Fink <werner@suse.de>
+Date: Fri, 13 Dec 2024 14:32:39 +0000
+Subject: [PATCH] Disable flymake on start and save (CVE-2024-53920)
+
+Disable flymake on start and save to avoid to be attacked with elisp code
+like in this example:
+
+ > cat document.txt 
+ ;; -*- mode: emacs-lisp -*-
+ (rx (eval (call-process "touch" nil nil nil "/tmp/owned")))
+
+if not disabled the elisp code above is completed which means executed
+without any warning if `flymake-mode' would be enabled by default for
+`emacs-lisp-mode'.
+
+---
+ lisp/progmodes/flymake.el |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- lisp/progmodes/flymake.el
++++ lisp/progmodes/flymake.el	2024-12-13 14:26:43.833166494 +0000
+@@ -199,15 +199,21 @@ If nil, never start checking buffer auto
+ (define-obsolete-variable-alias 'flymake-start-syntax-check-on-find-file
+   'flymake-start-on-flymake-mode "26.1")
+ 
+-(defcustom flymake-start-on-flymake-mode t
++(defcustom flymake-start-on-flymake-mode nil
+   "If non-nil, start syntax check when `flymake-mode' is enabled.
+-Specifically, start it when the buffer is actually displayed."
++Specifically, start it when the buffer is actually displayed.
++Warning: if enabled and with elisp-mode the triggered code completion on
++untrusted Emacs Lisp source code allows attackers to execute arbitrary code.
++More information at https://www.cve.org/CVERecord?id=CVE-2024-53920"
+   :version "26.1"
+   :type 'boolean)
+ 
+-(defcustom flymake-start-on-save-buffer t
++(defcustom flymake-start-on-save-buffer nil
+   "If non-nil, start syntax check when a buffer is saved.
+-Specifically, start it when the saved buffer is actually displayed."
++Specifically, start it when the saved buffer is actually displayed.
++Warning: if enabled and with elisp-mode the triggered code completion on
++untrusted Emacs Lisp source code allows attackers to execute arbitrary code.
++More information at https://www.cve.org/CVERecord?id=CVE-2024-53920"
+   :version "27.1"
+   :type 'boolean)
+ 

emacs.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Dec 13 14:42:16 UTC 2024 - Dr. Werner Fink <werner@suse.de>
+
+- Add patch emacs-CVE-2024-53920.patch (bsc#1233894, CVE-2024-53920) 
+  * Disable flymake on start and save to avoid to be attacked with
+    elisp code from foreign source.
+
 -------------------------------------------------------------------
 Wed Nov 27 08:46:04 UTC 2024 - Dr. Werner Fink <werner@suse.de>
 

emacs.spec

@@ -172,6 +172,7 @@ Obsoletes:      nxml-mode < 20041004
 Provides:       epg = 1.0.0
 Obsoletes:      epg < 1.0.0
 Provides:       emacs(ELPA)
+Requires:       bubblewrap
 Requires:       emacs-info = %{version}
 Requires:       emacs_program = %{version}-%{release}
 Requires:       etags
@@ -216,6 +217,7 @@ Patch24:        emacs-25.2-ImageMagick7.patch
 Patch25:        emacs-26.1-xft4x11.patch
 Patch26:        emacs-27.1-pdftex.patch
 Patch29:        emacs-27.1-Xauthority4server.patch
+Patch30:        emacs-CVE-2024-53920.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0 || echo 1)}
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)}
@@ -378,6 +380,7 @@ and most assembler-like syntaxes.
 %patch -P25 -p0 -b .xft
 %patch -P26 -p0 -b .fmt
 %patch -P29 -p0 -b .xauth
+%patch -P30 -p0 -b .cve202453920
 %patch -P0  -p0 -b .0
 %if %{without tex4pdf}
 pushd etc/refcards/
@@ -736,6 +739,7 @@ rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/fast-lock.el.flc
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/obsolete/fast-lock.el.flc
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/loaddefs.el.flc
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/python.el.python
+rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/flymake.el.cve202453920
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/textmodes/flyspell.el.flyspell
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/obsolete/spell.el.obsolate
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/cmuscheme.el.0
@@ -749,6 +753,7 @@ rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/mouse.el.prime
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/dynamic-setting.el.custfnt
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/server.el.xauth
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/htmlfontify.el.cve202248339
+rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/elisp-mode.el.el.cve202453920
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/ruby-mode.el.cve202248338
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327985
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327986