!101 fix CVE-2024-30203 CVE-2024-30204 CVE-2024-30205
From: @ultra_planet Reviewed-by: @t_feng Signed-off-by: @t_feng
This commit is contained in:
openeuler-ci-bot
Gitee
commit
cf54e80006
33
backport-CVE-2024-30203-pre.patch
Normal file
33
backport-CVE-2024-30203-pre.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From ccc188fcf98ad9166ee551fac9d94b2603c3a51b Mon Sep 17 00:00:00 2001
|
||||
From: Ihor Radchenko <yantar92@posteo.net>
|
||||
Date: Tue, 20 Feb 2024 12:43:51 +0300
|
||||
Subject: * lisp/files.el (untrusted-content): New variable.
|
||||
|
||||
The new variable is to be used when buffer contents comes from untrusted
|
||||
source.
|
||||
---
|
||||
lisp/files.el | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/lisp/files.el b/lisp/files.el
|
||||
index c0d26b2..5536af0 100644
|
||||
--- a/lisp/files.el
|
||||
+++ b/lisp/files.el
|
||||
@@ -695,6 +695,14 @@ Also see the `permanently-enabled-local-variables' variable."
|
||||
Some modes may wish to set this to nil to prevent directory-local
|
||||
settings being applied, but still respect file-local ones.")
|
||||
|
||||
+(defvar-local untrusted-content nil
|
||||
+ "Non-nil means that current buffer originated from an untrusted source.
|
||||
+Email clients and some other modes may set this non-nil to mark the
|
||||
+buffer contents as untrusted.
|
||||
+
|
||||
+This variable might be subject to change without notice.")
|
||||
+(put 'untrusted-content 'permanent-local t)
|
||||
+
|
||||
;; This is an odd variable IMO.
|
||||
;; You might wonder why it is needed, when we could just do:
|
||||
;; (set (make-local-variable 'enable-local-variables) nil)
|
||||
--
|
||||
cgit v1.1
|
||||
|
||||
25
backport-CVE-2024-30203.patch
Normal file
25
backport-CVE-2024-30203.patch
Normal file
@ -0,0 +1,25 @@
|
||||
From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
|
||||
From: Ihor Radchenko <yantar92@posteo.net>
|
||||
Date: Tue, 20 Feb 2024 12:44:30 +0300
|
||||
Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
|
||||
untrusted.
|
||||
|
||||
---
|
||||
lisp/gnus/mm-view.el | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
|
||||
index 2e1261c..5f234e5 100644
|
||||
--- a/lisp/gnus/mm-view.el
|
||||
+++ b/lisp/gnus/mm-view.el
|
||||
@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
|
||||
(setq coding-system (mm-find-buffer-file-coding-system)))
|
||||
(setq text (buffer-string))))
|
||||
(with-temp-buffer
|
||||
+ (setq untrusted-content t)
|
||||
(buffer-disable-undo)
|
||||
(mm-enable-multibyte)
|
||||
(insert (cond ((eq charset 'gnus-decoded)
|
||||
--
|
||||
cgit v1.1
|
||||
|
||||
57
backport-CVE-2024-30204.patch
Normal file
57
backport-CVE-2024-30204.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c Mon Sep 17 00:00:00 2001
|
||||
From: Ihor Radchenko <yantar92@posteo.net>
|
||||
Date: Tue, 20 Feb 2024 12:47:24 +0300
|
||||
Subject: org-latex-preview: Add protection when `untrusted-content' is non-nil
|
||||
|
||||
* lisp/org/org.el (org--latex-preview-when-risky): New variable
|
||||
controlling how to handle LaTeX previews in Org files from untrusted
|
||||
origin.
|
||||
(org-latex-preview): Consult `org--latex-preview-when-risky' before
|
||||
generating previews.
|
||||
|
||||
This patch adds a layer of protection when LaTeX preview is requested
|
||||
for an email attachment, where `untrusted-content' is set to non-nil.
|
||||
---
|
||||
lisp/org/org.el | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/lisp/org/org.el b/lisp/org/org.el
|
||||
index c75afbf..0f5d17d 100644
|
||||
--- a/lisp/org/org.el
|
||||
+++ b/lisp/org/org.el
|
||||
@@ -1140,6 +1140,24 @@ the following lines anywhere in the buffer:
|
||||
:package-version '(Org . "8.0")
|
||||
:type 'boolean)
|
||||
|
||||
+(defvar untrusted-content) ; defined in files.el
|
||||
+(defvar org--latex-preview-when-risky nil
|
||||
+ "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
|
||||
+
|
||||
+Some specially designed LaTeX code may generate huge pdf or log files
|
||||
+that may exhaust disk space.
|
||||
+
|
||||
+This variable controls how to handle LaTeX preview when rendering LaTeX
|
||||
+fragments that originate from incoming email messages. It has no effect
|
||||
+when Org mode is unable to determine the origin of the Org buffer.
|
||||
+
|
||||
+An Org buffer is considered to be from unsafe source when the
|
||||
+variable `untrusted-content' has a non-nil value in the buffer.
|
||||
+
|
||||
+If this variable is non-nil, LaTeX previews are rendered unconditionally.
|
||||
+
|
||||
+This variable may be renamed or changed in the future.")
|
||||
+
|
||||
(defcustom org-insert-mode-line-in-empty-file nil
|
||||
"Non-nil means insert the first line setting Org mode in empty files.
|
||||
When the function `org-mode' is called interactively in an empty file, this
|
||||
@@ -15695,6 +15713,7 @@ fragments in the buffer."
|
||||
(interactive "P")
|
||||
(cond
|
||||
((not (display-graphic-p)) nil)
|
||||
+ ((and untrusted-content (not org--latex-preview-when-risky)) nil)
|
||||
;; Clear whole buffer.
|
||||
((equal arg '(64))
|
||||
(org-clear-latex-preview (point-min) (point-max))
|
||||
--
|
||||
cgit v1.1
|
||||
|
||||
36
backport-CVE-2024-30205.patch
Normal file
36
backport-CVE-2024-30205.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
|
||||
From: Ihor Radchenko <yantar92@posteo.net>
|
||||
Date: Tue, 20 Feb 2024 14:59:20 +0300
|
||||
Subject: org-file-contents: Consider all remote files unsafe
|
||||
|
||||
* lisp/org/org.el (org-file-contents): When loading files, consider all
|
||||
remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
|
||||
---
|
||||
lisp/org/org.el | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lisp/org/org.el b/lisp/org/org.el
|
||||
index 0f5d17d..76559c9 100644
|
||||
--- a/lisp/org/org.el
|
||||
+++ b/lisp/org/org.el
|
||||
@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
|
||||
If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
|
||||
is available. This option applies only if FILE is a URL."
|
||||
(let* ((is-url (org-file-url-p file))
|
||||
+ (is-remote (condition-case nil
|
||||
+ (file-remote-p file)
|
||||
+ ;; In case of error, be safe.
|
||||
+ (t t)))
|
||||
(cache (and is-url
|
||||
(not nocache)
|
||||
(gethash file org--file-cache))))
|
||||
(cond
|
||||
(cache)
|
||||
- (is-url
|
||||
+ ((or is-url is-remote)
|
||||
(with-current-buffer (url-retrieve-synchronously file)
|
||||
(goto-char (point-min))
|
||||
;; Move point to after the url-retrieve header.
|
||||
--
|
||||
cgit v1.1
|
||||
|
||||
10
emacs.spec
10
emacs.spec
@ -8,7 +8,7 @@
|
||||
Name: emacs
|
||||
Epoch: 1
|
||||
Version: 27.2
|
||||
Release: 12
|
||||
Release: 13
|
||||
Summary: An extensible GNU text editor
|
||||
License: GPLv3+ and CC0-1.0
|
||||
URL: http://www.gnu.org/software/emacs
|
||||
@ -31,6 +31,11 @@ Patch6006: backport-CVE-2022-48338.patch
|
||||
Patch6007: backport-CVE-2022-48339.patch
|
||||
Patch6008: backport-CVE-2023-28617.patch
|
||||
Patch6009: backport-0002-CVE-2022-48337.patch
|
||||
Patch6010: backport-CVE-2024-30203-pre.patch
|
||||
Patch6011: backport-CVE-2024-30203.patch
|
||||
Patch6012: backport-CVE-2024-30204.patch
|
||||
Patch6013: backport-CVE-2024-30205.patch
|
||||
|
||||
Patch9000: emacs-deal-taboo-words.patch
|
||||
|
||||
BuildRequires: gcc atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel
|
||||
@ -419,6 +424,9 @@ fi
|
||||
%{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Mon Apr 01 2024 lingsheng <lingsheng1@h-partners.com> - 1:27.2-13
|
||||
- fix CVE-2024-30203 CVE-2024-30204 CVE-2024-30205
|
||||
|
||||
* Thu Feb 29 2024 zhangpan <zhangpan103@h-partners.com> - 1:27.2-12
|
||||
- fix emacs start slow
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user