From 7cb768940b0e7e6cf4c5c1f1c45acc6165b1149918b5e256b40c476765064ac7 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Thu, 9 Mar 2023 09:34:47 +0000 Subject: [PATCH] boo#1209089 and boo#1209090 OBS-URL: https://build.opensuse.org/package/show/editors/emacs?expand=0&rev=343 --- 3c1693d0.patch | 51 +++++++++++++++++++++++++++++++++++++++ d3209119.patch | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++ emacs.changes | 8 +++++++ emacs.spec | 7 ++++++ 4 files changed, 131 insertions(+) create mode 100644 3c1693d0.patch create mode 100644 d3209119.patch diff --git a/3c1693d0.patch b/3c1693d0.patch new file mode 100644 index 0000000..b38a8fc --- /dev/null +++ b/3c1693d0.patch @@ -0,0 +1,51 @@ +From 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ulrich=20M=C3=BCller?= +Date: Tue, 7 Mar 2023 18:25:37 +0100 +Subject: Fix Elisp code injection vulnerability in emacsclient-mail.desktop + +A crafted mailto URI could contain unescaped double-quote +characters, allowing injection of Elisp code. Therefore, any +'\' and '"' characters are replaced by '\\' and '\"', using Bash +pattern substitution (which is not available in the POSIX shell). + +We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the +bash -c command, but in the desktop entry '"', '$', and '\' must +be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes +are expanded twice, see the Desktop Entry Specification). + +Reported by Gabriel Corona . + +* etc/emacsclient-mail.desktop (Exec): Escape backslash and +double-quote characters. +--- + etc/emacsclient-mail.desktop | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop +index 91df122..49c6f99 100644 +--- a/etc/emacsclient-mail.desktop ++++ b/etc/emacsclient-mail.desktop +@@ -1,7 +1,10 @@ + [Desktop Entry] + Categories=Network;Email; + Comment=GNU Emacs is an extensible, customizable text editor - and more +-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u ++# We want to pass the following commands to the shell wrapper: ++# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")" ++# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'. ++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u + Icon=emacs + Name=Emacs (Mail, Client) + MimeType=x-scheme-handler/mailto; +@@ -13,7 +16,7 @@ Actions=new-window;new-instance; + + [Desktop Action new-window] + Name=New Window +-Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u ++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u + + [Desktop Action new-instance] + Name=New Instance +-- +cgit v1.1 + diff --git a/d3209119.patch b/d3209119.patch new file mode 100644 index 0000000..7bf3def --- /dev/null +++ b/d3209119.patch @@ -0,0 +1,65 @@ +From d32091199ae5de590a83f1542a01d75fba000467 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ulrich=20M=C3=BCller?= +Date: Mon, 19 Dec 2022 16:51:20 +0100 +Subject: Fix quoted argument in emacsclient-mail.desktop Exec key + +Apparently the emacsclient-mail.desktop file doesn't conform to the +Desktop Entry Specification at +https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables +which says about the Exec key: + +| Field codes must not be used inside a quoted argument, the result of +| field code expansion inside a quoted argument is undefined. + +However, the %u field code is used inside a quoted argument of the +Exec key in both the [Desktop Entry] and [Desktop Action new-window] +sections. +* etc/emacsclient-mail.desktop (Exec): The Desktop Entry +Specification does not allow field codes like %u inside a quoted +argument. Work around it by passing %u as first parameter ($1) +to the shell wrapper. +* etc/emacsclient.desktop (Exec): Use `sh` rather than `placeholder` +as the command name of the shell wrapper. (Bug#60204) +--- + etc/emacsclient-mail.desktop | 4 ++-- + etc/emacsclient.desktop | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop +index b575a41..91df122 100644 +--- a/etc/emacsclient-mail.desktop ++++ b/etc/emacsclient-mail.desktop +@@ -1,7 +1,7 @@ + [Desktop Entry] + Categories=Network;Email; + Comment=GNU Emacs is an extensible, customizable text editor - and more +-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)" ++Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u + Icon=emacs + Name=Emacs (Mail, Client) + MimeType=x-scheme-handler/mailto; +@@ -13,7 +13,7 @@ Actions=new-window;new-instance; + + [Desktop Action new-window] + Name=New Window +-Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")" ++Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u + + [Desktop Action new-instance] + Name=New Instance +diff --git a/etc/emacsclient.desktop b/etc/emacsclient.desktop +index 1ecdecf..a9f840c7 100644 +--- a/etc/emacsclient.desktop ++++ b/etc/emacsclient.desktop +@@ -3,7 +3,7 @@ Name=Emacs (Client) + GenericName=Text Editor + Comment=Edit text + MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++; +-Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" placeholder %F ++Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" sh %F + Icon=emacs + Type=Application + Terminal=false +-- +cgit v1.1 + diff --git a/emacs.changes b/emacs.changes index 06f1a34..85b93fb 100644 --- a/emacs.changes +++ b/emacs.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Mar 9 09:04:28 UTC 2023 - Dr. Werner Fink + +- Add patch d3209119.patch + boo#1209089,CVE-2023-27985: Fix shell command injection in emacsclient-mail.desktop +- Add patch 3c1693d0.patch + boo#1209090,CVE-2023-27986: Fix Emacs Lisp code injection in emacsclient-mail.desktop + ------------------------------------------------------------------- Tue Feb 21 08:28:17 UTC 2023 - Dr. Werner Fink diff --git a/emacs.spec b/emacs.spec index 557e480..df78c7d 100644 --- a/emacs.spec +++ b/emacs.spec @@ -192,6 +192,8 @@ Patch30: d48bb487.patch Patch31: 01a4035c.patch Patch32: CVE-2022-48338.patch Patch33: CVE-2022-48339.patch +Patch34: d3209119.patch +Patch35: 3c1693d0.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0 || echo 1)} %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)} @@ -341,6 +343,8 @@ and most assembler-like syntaxes. %patch31 -p0 -b .cve2022XXXXX %patch32 -p0 -b .cve202248338 %patch33 -p0 -b .cve202248339 +%patch34 -p1 -b .cve202327985 +%patch35 -p1 -b .cve202327986 %patch0 -p0 -b .0 %if %{without tex4pdf} pushd etc/refcards/ @@ -655,6 +659,9 @@ rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/dynamic-setting.el.custfnt rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/server.el.xauth rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/htmlfontify.el.cve202248339 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/ruby-mode.el.cve202248338 +rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327985 +rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327986 +rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient.desktop.cve202327985 unelc %{buildroot}%{_datadir}/emacs/%{version}/lisp/bindings.elc unelc %{buildroot}%{_datadir}/emacs/%{version}/lisp/cus-start.elc unelc %{buildroot}%{_datadir}/emacs/%{version}/lisp/generic-x.elc