From 46805db07e959853b2e6eae8ebb8272d7cd2d527 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 06 2023 12:41:53 +0000 Subject: import emacs-24.3-23.el7_9.1 --- diff --git a/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch b/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch new file mode 100644 index 0000000..73122c8 --- /dev/null +++ b/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch @@ -0,0 +1,26 @@ +From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001 +From: Xi Lu +Date: Sat, 24 Dec 2022 16:28:54 +0800 +Subject: [PATCH] Fix htmlfontify.el command injection vulnerability. + +* lisp/htmlfontify.el (hfy-text-p): Fix command injection +vulnerability. (Bug#60295) +--- + lisp/htmlfontify.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el +index df4c6ab079c..389b92939cc 100644 +--- a/lisp/htmlfontify.el ++++ b/lisp/htmlfontify.el +@@ -1912,7 +1912,7 @@ hfy-make-directory + + (defun hfy-text-p (srcdir file) + "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this." +- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) ++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) + (rsp (shell-command-to-string cmd))) + (string-match "text" rsp))) + +-- +2.36.1 diff --git a/SPECS/emacs.spec b/SPECS/emacs.spec index c16d070..25c5304 100644 --- a/SPECS/emacs.spec +++ b/SPECS/emacs.spec @@ -4,7 +4,7 @@ Summary: GNU Emacs text editor Name: emacs Epoch: 1 Version: 24.3 -Release: 23%{?dist} +Release: 23%{?dist}.1 License: GPLv3+ URL: http://www.gnu.org/software/emacs/ Group: Applications/Editors @@ -55,6 +55,7 @@ Patch32: emacs-0013-gnutls.el-increase-gnutls-min-prime-bits-to-1024-by-. Patch100: emacs-24.3-hunspell.patch # Fix for emacs bug #827033 Patch101: emacs-24.3-hunspell.2.patch +Patch102: emacs-htmlfontify-command-injection-vulnerability.patch BuildRequires: atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel glibc-devel libpng-devel @@ -219,6 +220,7 @@ packages that add functionality to Emacs. %patch100 -p1 -b .hunspell %patch101 -p1 -b .hunspell.2 +%patch102 -p1 -b .htmlfontify-command-injection-vulnerability if test configure.ac -nt aclocal.m4 -o m4/gnulib-comp.m4 -nt aclocal.m4 ; then sleep 1 touch aclocal.m4 @@ -478,7 +480,6 @@ update-desktop-database &> /dev/null || : %{_datadir}/applications/emacs.desktop %{_datadir}/applications/emacsclient.desktop %{_datadir}/icons/hicolor/*/apps/emacs.png -#%{_datadir}/icons/hicolor/*/apps/emacs22.png %{_datadir}/icons/hicolor/scalable/apps/emacs.svg %{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document.svg @@ -495,7 +496,6 @@ update-desktop-database &> /dev/null || : %{_bindir}/etags.emacs %{_bindir}/gctags %{_bindir}/grep-changelog -#%{_bindir}/rcs-checkin %{_mandir}/*/* %{_infodir}/* %dir %{_datadir}/emacs/%{version} @@ -520,6 +520,9 @@ update-desktop-database &> /dev/null || : %dir %{_datadir}/emacs/site-lisp/site-start.d %changelog +* Fri Apr 7 2023 Jacek Migacz - 1:24.3-23.1 +- Fix htmlfontify.el command injection vulnerability (#2175177) + * Fri Nov 01 2019 Tomas Pelka - 1:24.3-23 - Resolves: #1765208 rebuild against new IM