boo#1209089 and boo#1209090

OBS-URL: https://build.opensuse.org/package/show/editors/emacs?expand=0&rev=343

3c1693d0.patch

@@ -0,0 +1,51 @@
+From 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm@gentoo.org>
+Date: Tue, 7 Mar 2023 18:25:37 +0100
+Subject: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
+
+A crafted mailto URI could contain unescaped double-quote
+characters, allowing injection of Elisp code.  Therefore, any
+'\' and '"' characters are replaced by '\\' and '\"', using Bash
+pattern substitution (which is not available in the POSIX shell).
+
+We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the
+bash -c command, but in the desktop entry '"', '$', and '\' must
+be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes
+are expanded twice, see the Desktop Entry Specification).
+
+Reported by Gabriel Corona <gabriel.corona@free.fr>.
+
+* etc/emacsclient-mail.desktop (Exec): Escape backslash and
+double-quote characters.
+---
+ etc/emacsclient-mail.desktop | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
+index 91df122..49c6f99 100644
+--- a/etc/emacsclient-mail.desktop
++++ b/etc/emacsclient-mail.desktop
+@@ -1,7 +1,10 @@
+ [Desktop Entry]
+ Categories=Network;Email;
+ Comment=GNU Emacs is an extensible, customizable text editor - and more
+-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
++# We want to pass the following commands to the shell wrapper:
++# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")"
++# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'.
++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
+ Icon=emacs
+ Name=Emacs (Mail, Client)
+ MimeType=x-scheme-handler/mailto;
+@@ -13,7 +16,7 @@ Actions=new-window;new-instance;
+ 
+ [Desktop Action new-window]
+ Name=New Window
+-Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
+ 
+ [Desktop Action new-instance]
+ Name=New Instance
+-- 
+cgit v1.1
+

d3209119.patch

@@ -0,0 +1,65 @@
+From d32091199ae5de590a83f1542a01d75fba000467 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm@gentoo.org>
+Date: Mon, 19 Dec 2022 16:51:20 +0100
+Subject: Fix quoted argument in emacsclient-mail.desktop Exec key
+
+Apparently the emacsclient-mail.desktop file doesn't conform to the
+Desktop Entry Specification at
+https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables
+which says about the Exec key:
+
+| Field codes must not be used inside a quoted argument, the result of
+| field code expansion inside a quoted argument is undefined.
+
+However, the %u field code is used inside a quoted argument of the
+Exec key in both the [Desktop Entry] and [Desktop Action new-window]
+sections.
+* etc/emacsclient-mail.desktop (Exec): The Desktop Entry
+Specification does not allow field codes like %u inside a quoted
+argument. Work around it by passing %u as first parameter ($1)
+to the shell wrapper.
+* etc/emacsclient.desktop (Exec): Use `sh` rather than `placeholder`
+as the command name of the shell wrapper.  (Bug#60204)
+---
+ etc/emacsclient-mail.desktop | 4 ++--
+ etc/emacsclient.desktop      | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
+index b575a41..91df122 100644
+--- a/etc/emacsclient-mail.desktop
++++ b/etc/emacsclient-mail.desktop
+@@ -1,7 +1,7 @@
+ [Desktop Entry]
+ Categories=Network;Email;
+ Comment=GNU Emacs is an extensible, customizable text editor - and more
+-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)"
++Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+ Icon=emacs
+ Name=Emacs (Mail, Client)
+ MimeType=x-scheme-handler/mailto;
+@@ -13,7 +13,7 @@ Actions=new-window;new-instance;
+ 
+ [Desktop Action new-window]
+ Name=New Window
+-Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")"
++Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+ 
+ [Desktop Action new-instance]
+ Name=New Instance
+diff --git a/etc/emacsclient.desktop b/etc/emacsclient.desktop
+index 1ecdecf..a9f840c7 100644
+--- a/etc/emacsclient.desktop
++++ b/etc/emacsclient.desktop
+@@ -3,7 +3,7 @@ Name=Emacs (Client)
+ GenericName=Text Editor
+ Comment=Edit text
+ MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++;
+-Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" placeholder %F
++Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" sh %F
+ Icon=emacs
+ Type=Application
+ Terminal=false
+-- 
+cgit v1.1
+

emacs.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Mar  9 09:04:28 UTC 2023 - Dr. Werner Fink <werner@suse.de>
+
+- Add patch d3209119.patch
+  boo#1209089,CVE-2023-27985: Fix shell command injection in emacsclient-mail.desktop
+- Add patch 3c1693d0.patch 
+  boo#1209090,CVE-2023-27986: Fix Emacs Lisp code injection in emacsclient-mail.desktop
+
 -------------------------------------------------------------------
 Tue Feb 21 08:28:17 UTC 2023 - Dr. Werner Fink <werner@suse.de>
 

emacs.spec

@@ -192,6 +192,8 @@ Patch30:        d48bb487.patch
 Patch31:        01a4035c.patch
 Patch32:        CVE-2022-48338.patch
 Patch33:        CVE-2022-48339.patch
+Patch34:        d3209119.patch
+Patch35:        3c1693d0.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global include_info %(test -s /usr/share/info/info.info* && echo 0 || echo 1)}
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)}
@@ -341,6 +343,8 @@ and most assembler-like syntaxes.
 %patch31 -p0 -b .cve2022XXXXX
 %patch32 -p0 -b .cve202248338
 %patch33 -p0 -b .cve202248339
+%patch34 -p1 -b .cve202327985
+%patch35 -p1 -b .cve202327986
 %patch0  -p0 -b .0
 %if %{without tex4pdf}
 pushd etc/refcards/
@@ -655,6 +659,9 @@ rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/dynamic-setting.el.custfnt
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/server.el.xauth
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/htmlfontify.el.cve202248339
 rm -vf %{buildroot}%{_datadir}/emacs/%{version}/lisp/progmodes/ruby-mode.el.cve202248338
+rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327985
+rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient-mail.desktop.cve202327986
+rm -vf %{buildroot}%{_datadir}/emacs/%{version}/etc/emacsclient.desktop.cve202327985
 unelc  %{buildroot}%{_datadir}/emacs/%{version}/lisp/bindings.elc
 unelc  %{buildroot}%{_datadir}/emacs/%{version}/lisp/cus-start.elc
 unelc  %{buildroot}%{_datadir}/emacs/%{version}/lisp/generic-x.elc