Accepting request 524572 from editors

- Add patch emacs-25.2-bsc1058425.patch to fix bsc#1058425 VUL-0: emacs: GNU Emacs 25.2 enriched text remote code execution OBS-URL: https://build.opensuse.org/request/show/524572 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/emacs?expand=0&rev=133
2017-09-18 17:53:03 +00:00 · 2017-09-18 17:53:03 +00:00 · de51009dca
commit de51009dca
parent cc0021f912 a8ac6cbf2a
3 changed files with 85 additions and 0 deletions
--- a/emacs-25.2-bsc1058425.patch
+++ b/emacs-25.2-bsc1058425.patch
@ -0,0 +1,76 @@
+From 9ad0fcc54442a9a01d41be19880250783426db70 Mon Sep 17 00:00:00 2001
+From: Lars Ingebrigtsen <larsi@gnus.org>
+Date: Fri, 8 Sep 2017 20:23:31 -0700
+Subject: Remove unsafe enriched mode translations
+
+* lisp/gnus/mm-view.el (mm-inline-text):
+Do not worry about enriched or richtext type.
+* lisp/textmodes/enriched.el (enriched-translations):
+Remove translations for FUNCTION, display (Bug#28350).
+(enriched-handle-display-prop, enriched-decode-display-prop): Remove.
+---
+ lisp/gnus/mm-view.el       |    4 ----
+ lisp/textmodes/enriched.el |   32 --------------------------------
+ 2 files changed, 36 deletions(-)
+
+--- lisp/gnus/mm-view.el
+++ lisp/gnus/mm-view.el	2017-09-13 07:19:26.107456442 +0000
+@@ -383,10 +383,6 @@
+ 	(goto-char (point-max))))
+     (save-restriction
+       (narrow-to-region b (point))
+-      (when (member type '("enriched" "richtext"))
+-        (set-text-properties (point-min) (point-max) nil)
+-	(ignore-errors
+-	  (enriched-decode (point-min) (point-max))))
+       (mm-handle-set-undisplayer
+        handle
+        `(lambda ()
+--- lisp/textmodes/enriched.el
+++ lisp/textmodes/enriched.el	2017-09-13 07:19:26.119456217 +0000
+@@ -117,12 +117,7 @@ expression, which is evaluated to get th
+ 		   (full        "flushboth")
+ 		   (center      "center"))
+     (PARAMETER     (t           "param")) ; Argument of preceding annotation
+-    ;; The following are not part of the standard:
+-    (FUNCTION      (enriched-decode-foreground "x-color")
+-		   (enriched-decode-background "x-bg-color")
+-		   (enriched-decode-display-prop "x-display"))
+     (read-only     (t           "x-read-only"))
+-    (display	   (nil		enriched-handle-display-prop))
+     (unknown       (nil         format-annotate-value))
+ ;   (font-size     (2           "bigger")       ; unimplemented
+ ;		   (-2          "smaller"))
+@@ -477,32 +472,5 @@ Return value is \(begin end name positiv
+     (message "Warning: no color specified for <x-bg-color>")
+     nil))
+ 
+-;;; Handling the `display' property.
+-
+-
+-(defun enriched-handle-display-prop (old new)
+-  "Return a list of annotations for a change in the `display' property.
+-OLD is the old value of the property, NEW is the new value.  Value
+-is a list `(CLOSE OPEN)', where CLOSE is a list of annotations to
+-close and OPEN a list of annotations to open.  Each of these lists
+-has the form `(ANNOTATION PARAM ...)'."
+-  (let ((annotation "x-display")
+-	(param (prin1-to-string (or old new))))
+-    (if (null old)
+-        (cons nil (list (list annotation param)))
+-      (cons (list (list annotation param)) nil))))
+-
+-(defun enriched-decode-display-prop (start end &optional param)
+-  "Decode a `display' property for text between START and END.
+-PARAM is a `<param>' found for the property.
+-Value is a list `(START END SYMBOL VALUE)' with START and END denoting
+-the range of text to assign text property SYMBOL with value VALUE."
+-  (let ((prop (when (stringp param)
+-		(condition-case ()
+-		    (car (read-from-string param))
+-		  (error nil)))))
+-    (unless prop
+-      (message "Warning: invalid <x-display> parameter %s" param))
+-    (list start end 'display prop)))
+ 
+ ;;; enriched.el ends here
--- a/emacs.changes
+++ b/emacs.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 13 07:21:34 UTC 2017 - werner@suse.de
+
+- Add patch emacs-25.2-bsc1058425.patch to fix bsc#1058425
+  VUL-0: emacs: GNU Emacs 25.2 enriched text remote code execution 
+
 -------------------------------------------------------------------
 Tue Aug 22 18:43:38 UTC 2017 - astieger@suse.com

--- a/emacs.spec
+++ b/emacs.spec
@ -130,6 +130,8 @@ Patch24:        emacs-25.2-ImageMagick7.patch
 Patch25:        gnulib.git-94e01571.patch
 # http://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d781662873f228b110a128f7a2b6583a4d5e0a3a
 Patch26:        emacs-25.2-xwidget.patch
+# PATCH-FIX-UPSTREAM bsc#1058425 -- VUL-0: emacs: GNU Emacs 25.2 enriched text remote code execution
+Patch27:        emacs-25.2-bsc1058425.patch

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0 || echo 1)}
@ -248,6 +250,7 @@ and most assembler-like syntaxes.
 %if 0%{?suse_version} > 1320
 %patch26 -p1
 %endif
+%patch27 -p0
 %patch   -p0 -b .0

 %if %{without autoconf}