Add patches to fix CVE-2022-48337, CVE-2022-48338, and CVE-2022-48339

OBS-URL: https://build.opensuse.org/package/show/editors/emacs?expand=0&rev=341
2023-02-21 09:13:28 +00:00 · 2023-02-21 09:13:28 +00:00 · f5bdf52c1b
commit f5bdf52c1b
parent c158df1782
5 changed files with 191 additions and 4 deletions
--- a/01a4035c.patch
+++ b/01a4035c.patch
@ -0,0 +1,107 @@
+From e339926272a598bd9ee7e02989c1662b89e64cf0 Mon Sep 17 00:00:00 2001
+From: lu4nx <lx@shellcodes.org>
+Date: Tue, 6 Dec 2022 15:42:40 +0800
+Subject: [PATCH] Fix etags local command injection vulnerability
+
+* lib-src/etags.c: (escape_shell_arg_string): New function.
+(process_file_name): Use it to quote file names passed to the
+shell.  (Bug#59817)
+
+(cherry picked from commit 01a4035c869b91c153af9a9132c87adb7669ea1c)
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+diff --git lib-src/etags.c lib-src/etags.c
+index c9c32691016..a6bd7f66e29 100644
+--- lib-src/etags.c
+++ lib-src/etags.c
+@@ -408,6 +408,7 @@ static void invalidate_nodes (fdesc *, node **);
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
+static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1704,13 +1705,16 @@ process_file_name (char *file, language *lang)
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
+          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
+          char *cmd = xmalloc (buf_len);
+          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
+          char *new_real_name = escape_shell_arg_string (real_name);
+          char *new_tmp_name = escape_shell_arg_string (tmp_name);
+          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
+          char *cmd = xmalloc (buf_len);
+          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  inf = (system (cmd) == -1
+ 		 ? NULL
+ 		 : fopen (tmp_name, "r" FOPEN_BINARY));
+@@ -7689,6 +7693,55 @@ etags_mktmp (void)
+   return templt;
+ }
+ 
+/*
+ * Adds single quotes around a string, if found single quotes, escaped it.
+ * Return a newly-allocated string.
+ *
+ * For example:
+ * escape_shell_arg_string("test.txt") => 'test.txt'
+ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
+ */
+static char *
+escape_shell_arg_string (char *str)
+{
+  char *p = str;
+  int need_space = 2;           /* ' at begin and end */
+
+  while (*p != '\0')
+    {
+      if (*p == '\'')
+        need_space += 4;        /* ' to '\'', length is 4 */
+      else
+        need_space++;
+
+      p++;
+    }
+
+  char *new_str = xnew (need_space + 1, char);
+  new_str[0] = '\'';
+  new_str[need_space-1] = '\'';
+
+  int i = 1;                    /* skip first byte */
+  p = str;
+  while (*p != '\0')
+    {
+      new_str[i] = *p;
+      if (*p == '\'')
+        {
+          new_str[i+1] = '\\';
+          new_str[i+2] = '\'';
+          new_str[i+3] = '\'';
+          i += 3;
+        }
+
+      i++;
+      p++;
+    }
+
+  new_str[need_space] = '\0';
+  return new_str;
+}
+
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
+-- 
+2.35.3
+
--- a/CVE-2022-48338.patch
+++ b/CVE-2022-48338.patch
@ -0,0 +1,30 @@
+From 22fb5ff5126dc8bb01edaa0252829d853afb284f Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Fri, 23 Dec 2022 12:52:48 +0800
+Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
+ (bug#60268)
+
+* lisp/progmodes/ruby-mode.el
+(ruby-find-library-file): Fix local command injection vulnerability.
+
+(cherry picked from commit 9a3b08061feea14d6f37685ca1ab8801758bfd1c)
+---
+ lisp/progmodes/ruby-mode.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git lisp/progmodes/ruby-mode.el lisp/progmodes/ruby-mode.el
+index 72631a6557f..9b05b04a52c 100644
+--- lisp/progmodes/ruby-mode.el
+++ lisp/progmodes/ruby-mode.el
+@@ -1819,7 +1819,7 @@ or `gem' statement around point."
+       (setq feature-name (read-string "Feature name: " init))))
+   (let ((out
+          (substring
+-          (shell-command-to-string (concat "gem which " feature-name))
+          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+           0 -1)))
+     (if (string-match-p "\\`ERROR" out)
+         (user-error "%s" out)
+-- 
+2.35.3
+
--- a/CVE-2022-48339.patch
+++ b/CVE-2022-48339.patch
@ -0,0 +1,29 @@
+From 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 24 Dec 2022 16:28:54 +0800
+Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
+
+* lisp/htmlfontify.el (hfy-text-p): Fix command injection
+vulnerability.  (Bug#60295)
+
+(cherry picked from commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c)
+---
+ lisp/htmlfontify.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git lisp/htmlfontify.el lisp/htmlfontify.el
+index 115f67c9560..f8d1e205369 100644
+--- lisp/htmlfontify.el
+++ lisp/htmlfontify.el
+@@ -1882,7 +1882,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
+-- 
+2.35.3
+
--- a/emacs.changes
+++ b/emacs.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Feb 21 08:28:17 UTC 2023 - Dr. Werner Fink <werner@suse.de>
+
+- Add upstream commit/patches
+  * 01a4035c.patch
+    Fix etags local command injection vulnerability (CVE-2022-48337, bsc#1208515)
+  * CVE-2022-48338.patch
+    Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338, bsc#1208514)
+  * CVE-2022-48339.patch
+    Fix htmlfontify.el command injection vulnerability (CVE-2022-48339 bsc#1208512)
+- Require libwebp at build time for automatically enable support
+  for libwebp if given
+
 -------------------------------------------------------------------
 Tue Nov 29 10:41:15 UTC 2022 - Dr. Werner Fink <werner@suse.de>

--- a/emacs.spec
+++ b/emacs.spec
@ -1,7 +1,7 @@
 #
 # spec file for package emacs
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -93,6 +93,7 @@ BuildRequires:  pkgconfig(gsettings-desktop-schemas)
 BuildRequires:  pkgconfig(harfbuzz)
 BuildRequires:  pkgconfig(ice)
 BuildRequires:  pkgconfig(libseccomp)
+BuildRequires:  pkgconfig(libwebp)
 BuildRequires:  pkgconfig(valgrind)
 %if %{with tex4pdf}
 BuildRequires:  tex(babel.sty)
@ -168,7 +169,7 @@ Source6:        https://ftp.gnu.org/gnu/emacs/emacs-%{version}.tar.xz.sig
 # https://ftp.gnu.org/gnu/gnu-keyring.gpg
 Source7:        %{name}.keyring
 Source8:        emacs-%{version}-pdf.tar.xz
-Patch:          emacs-28.1.dif
+Patch0:         emacs-28.1.dif
 # Currently disabled
 Patch2:         emacs-24.4-glibc.patch
 Patch4:         emacs-24.3-asian-print.patch
@ -188,7 +189,9 @@ Patch25:        emacs-26.1-xft4x11.patch
 Patch26:        emacs-27.1-pdftex.patch
 Patch29:        emacs-27.1-Xauthority4server.patch
 Patch30:        d48bb487.patch
-
+Patch31:        01a4035c.patch
+Patch32:        CVE-2022-48338.patch
+Patch33:        CVE-2022-48339.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0 || echo 1)}
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)}
@ -335,7 +338,10 @@ and most assembler-like syntaxes.
 %patch26 -p0 -b .fmt
 %patch29 -p0 -b .xauth
 %patch30 -p0 -b .cve202245939
-%patch   -p0 -b .0
+%patch31 -p0 -b .cve2022XXXXX
+%patch32 -p0 -b .cve202248338
+%patch33 -p0 -b .cve202248339
+%patch0  -p0 -b .0
 %if %{without tex4pdf}
 pushd etc/refcards/
    tar --use-compress-program=xz -xf %{S:8}
@ -647,6 +653,8 @@ rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/epg.el.gnupg
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/mouse.el.prime
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/dynamic-setting.el.custfnt
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/server.el.xauth
+rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/htmlfontify.el.cve202248339
+rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/ruby-mode.el.cve202248338
 unelc  %{buildroot}%{_datadir}/emacs/%{version}/lisp/bindings.elc
 unelc  %{buildroot}%{_datadir}/emacs/%{version}/lisp/cus-start.elc
 unelc  %{buildroot}%{_datadir}/emacs/%{version}/lisp/generic-x.elc