diff --git a/CVE-2025-1244.patch b/CVE-2025-1244.patch new file mode 100644 index 0000000..c13aa9f --- /dev/null +++ b/CVE-2025-1244.patch @@ -0,0 +1,57 @@ +From 820f0793f0b46448928905552726c1f1b999062f Mon Sep 17 00:00:00 2001 +From: Xi Lu +Date: Tue, 10 Oct 2023 22:20:05 +0800 +Subject: Fix man.el shell injection vulnerability + +* lisp/man.el (Man-translate-references): Fix shell injection +vulnerability. (Bug#66390) +* test/lisp/man-tests.el (man-tests-Man-translate-references): New +test. +--- + lisp/man.el | 6 +++++- + test/lisp/man-tests.el | 12 ++++++++++++ + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/lisp/man.el b/lisp/man.el +index 55cb938..d963964 100644 +--- a/lisp/man.el ++++ b/lisp/man.el +@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)." + (setq name (match-string 2 ref) + section (match-string 1 ref)))) + (if (string= name "") +- ref ; Return the reference as is ++ ;; see Bug#66390 ++ (mapconcat 'identity ++ (mapcar #'shell-quote-argument ++ (split-string ref "\\s-+")) ++ " ") ; Return the reference as is + (if Man-downcase-section-letters-flag + (setq section (downcase section))) + (while slist +diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el +index 140482e..11f5f80 100644 +--- a/test/lisp/man-tests.el ++++ b/test/lisp/man-tests.el +@@ -161,6 +161,18 @@ DESCRIPTION + (let ((button (button-at (match-beginning 0)))) + (should (and button (eq 'Man-xref-header-file (button-type button)))))))))) + ++(ert-deftest man-tests-Man-translate-references () ++ (should (equal (Man-translate-references "basename") ++ "basename")) ++ (should (equal (Man-translate-references "basename(3)") ++ "3 basename")) ++ (should (equal (Man-translate-references "basename(3v)") ++ "3v basename")) ++ (should (equal (Man-translate-references ";id") ++ "\\;id")) ++ (should (equal (Man-translate-references "-k basename") ++ "-k basename"))) ++ + (provide 'man-tests) + + ;;; man-tests.el ends here +-- +cgit v1.1 + diff --git a/emacs.changes b/emacs.changes index cc71330..488dd1f 100644 --- a/emacs.changes +++ b/emacs.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Feb 12 12:20:32 UTC 2025 - Dr. Werner Fink + +- Add patch CVE-2025-1244.patch + * Avoid shell injection via custom "man" URI scheme (boo#1237091, CVE-2025-1244) + ------------------------------------------------------------------- Wed Jan 15 13:53:48 UTC 2025 - Dr. Werner Fink diff --git a/emacs.spec b/emacs.spec index 65087d3..bd57a4f 100644 --- a/emacs.spec +++ b/emacs.spec @@ -224,6 +224,7 @@ Patch26: emacs-27.1-pdftex.patch Patch29: emacs-27.1-Xauthority4server.patch Patch30: emacs-CVE-2024-53920.patch Patch31: emacs-29.4-boo1234673.patch +Patch32: CVE-2025-1244.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0 || echo 1)} %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)} @@ -394,6 +395,7 @@ and most assembler-like syntaxes. %patch -P29 -p0 -b .xauth %patch -P30 -p0 -b .cve202453920 %patch -P31 -p0 -b .boo1234673 +%patch -P32 -p1 -b .boo1237091 %patch -P0 -p0 -b .0 %if %{without tex4pdf} pushd etc/refcards/ @@ -770,6 +772,7 @@ rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/htmlfontify.el.cve202248339 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/elisp-mode.el.el.cve202453920 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/ruby-mode.el.cve202248338 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/emacs-lisp/comp.el.boo1234673 +rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/man.el.boo1237091 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327985 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327986 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient.desktop.cve202327985