!101 fix CVE-2024-30203 CVE-2024-30204 CVE-2024-30205

From: @ultra_planet 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

backport-0002-CVE-2022-48337.patch

@@ -0,0 +1,25 @@
+From ab998b90206733f2cd9b009dcdb8e5567834ed3b Mon Sep 17 00:00:00 2001
+From: Super User <root@localhost.localdomain>
+Date: Mon, 25 Sep 2023 14:32:05 +0800
+Subject: [PATCH] backport 0002 CVE-2022-48337
+
+---
+ lib-src/etags.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index 5d0eed2..5399008 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -1680,6 +1680,8 @@ process_file_name (char *file, language *lang)
+           int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
+           char *cmd = xmalloc (buf_len);
+           snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
++	  free (new_real_name);
++	  free (new_tmp_name);
+ #endif
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+-- 
+2.41.0
+

backport-CVE-2022-48337.patch

@@ -0,0 +1,107 @@
+From 01a4035c869b91c153af9a9132c87adb7669ea1c Mon Sep 17 00:00:00 2001
+From: lu4nx <lx@shellcodes.org>
+Date: Tue, 6 Dec 2022 15:42:40 +0800
+Subject: Fix etags local command injection vulnerability
+
+* lib-src/etags.c: (escape_shell_arg_string): New function.
+(process_file_name): Use it to quote file names passed to the
+shell.  (Bug#59817)
+
+Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c
+Conflict:Adaptation Context
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index 7b509d7..5d0eed2 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -398,6 +398,7 @@ static void invalidate_nodes (fdesc *, node **);
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1670,13 +1671,16 @@ process_file_name (char *file, language *lang)
+       else
+ 	{
+ #if MSDOS || defined (DOS_NT)
+-	  char *cmd1 = concat (compr->command, " \"", real_name);
+-	  char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+-	  char *cmd1 = concat (compr->command, " '", real_name);
+-	  char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+-	  free (cmd1);
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+ 	    {
+@@ -7124,6 +7128,55 @@ etags_mktmp (void)
+   return templt;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
+-- 
+2.27.0

backport-CVE-2022-48338.patch

@@ -0,0 +1,29 @@
+From 9a3b08061feea14d6f37685ca1ab8801758bfd1c Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Fri, 23 Dec 2022 12:52:48 +0800
+Subject: Fix ruby-mode.el local command injection vulnerability (bug#60268)
+
+* lisp/progmodes/ruby-mode.el
+(ruby-find-library-file): Fix local command injection vulnerability.
+
+Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
+Conflict:NA
+---
+ lisp/progmodes/ruby-mode.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
+index 1f3e9b6..a4aa619 100644
+--- a/lisp/progmodes/ruby-mode.el
++++ b/lisp/progmodes/ruby-mode.el
+@@ -1899,7 +1899,7 @@ or `gem' statement around point."
+       (setq feature-name (read-string "Feature name: " init))))
+   (let ((out
+          (substring
+-          (shell-command-to-string (concat "gem which " feature-name))
++          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+           0 -1)))
+     (if (string-match-p "\\`ERROR" out)
+         (user-error "%s" out)
+-- 
+cgit v1.1

backport-CVE-2022-48339.patch

@@ -0,0 +1,29 @@
+From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 24 Dec 2022 16:28:54 +0800
+Subject: Fix htmlfontify.el command injection vulnerability.
+
+* lisp/htmlfontify.el (hfy-text-p): Fix command injection
+vulnerability.  (Bug#60295)
+
+Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c
+Conflict:NA
+---
+ lisp/htmlfontify.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
+index df4c6ab..389b929 100644
+--- a/lisp/htmlfontify.el
++++ b/lisp/htmlfontify.el
+@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
+-- 
+cgit v1.1

backport-CVE-2023-28617.patch

@@ -0,0 +1,46 @@
+From a8006ea580ed74f27f974d60b598143b04ad1741 Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 11 Mar 2023 18:53:37 +0800
+Subject: * lisp/ob-latex.el: Fix command injection vulnerability
+
+(org-babel-execute:latex):
+Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
+
+TINYCHANGE
+
+Reference:https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
+Conflict:NA
+
+---
+ lisp/org/ob-latex.el | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
+index a2c24b3..ce39628 100644
+--- a/lisp/org/ob-latex.el
++++ b/lisp/org/ob-latex.el
+@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."
+ 	    (if (string-suffix-p ".svg" out-file)
+ 		(progn
+ 		  (shell-command "pwd")
+-		  (shell-command (format "mv %s %s"
+-					 (concat (file-name-sans-extension tex-file) "-1.svg")
+-					 out-file)))
++                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
++                               out-file t))
+ 	      (error "SVG file produced but HTML file requested")))
+ 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
+ 	    (if (string-suffix-p ".html" out-file)
+-		(shell-command "mv %s %s"
+-			       (concat (file-name-sans-extension tex-file)
+-				       ".html")
+-			       out-file)
+-	      (error "HTML file produced but SVG file requested")))))
++                (rename-file (concat (file-name-sans-extension tex-file) ".html")
++                             out-file t)
++              (error "HTML file produced but SVG file requested")))))
+ 	 ((or (string= "pdf" extension) imagemagick)
+ 	  (with-temp-file tex-file
+ 	    (require 'ox-latex)
+-- 
+cgit v1.1

backport-CVE-2024-30203-pre.patch

@@ -0,0 +1,33 @@
+From ccc188fcf98ad9166ee551fac9d94b2603c3a51b Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 12:43:51 +0300
+Subject: * lisp/files.el (untrusted-content): New variable.
+
+The new variable is to be used when buffer contents comes from untrusted
+source.
+---
+ lisp/files.el | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lisp/files.el b/lisp/files.el
+index c0d26b2..5536af0 100644
+--- a/lisp/files.el
++++ b/lisp/files.el
+@@ -695,6 +695,14 @@ Also see the `permanently-enabled-local-variables' variable."
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+ 
++(defvar-local untrusted-content nil
++  "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (set (make-local-variable 'enable-local-variables) nil)
+-- 
+cgit v1.1
+

backport-CVE-2024-30203.patch

@@ -0,0 +1,25 @@
+From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 12:44:30 +0300
+Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
+ untrusted.
+
+---
+ lisp/gnus/mm-view.el | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
+index 2e1261c..5f234e5 100644
+--- a/lisp/gnus/mm-view.el
++++ b/lisp/gnus/mm-view.el
+@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
+ 	  (setq coding-system (mm-find-buffer-file-coding-system)))
+ 	(setq text (buffer-string))))
+     (with-temp-buffer
++      (setq untrusted-content t)
+       (buffer-disable-undo)
+       (mm-enable-multibyte)
+       (insert (cond ((eq charset 'gnus-decoded)
+-- 
+cgit v1.1
+

backport-CVE-2024-30204.patch

@@ -0,0 +1,57 @@
+From 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 12:47:24 +0300
+Subject: org-latex-preview: Add protection when `untrusted-content' is non-nil
+
+* lisp/org/org.el (org--latex-preview-when-risky): New variable
+controlling how to handle LaTeX previews in Org files from untrusted
+origin.
+(org-latex-preview): Consult `org--latex-preview-when-risky' before
+generating previews.
+
+This patch adds a layer of protection when LaTeX preview is requested
+for an email attachment, where `untrusted-content' is set to non-nil.
+---
+ lisp/org/org.el | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index c75afbf..0f5d17d 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -1140,6 +1140,24 @@ the following lines anywhere in the buffer:
+   :package-version '(Org . "8.0")
+   :type 'boolean)
+ 
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages.  It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+   "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15695,6 +15713,7 @@ fragments in the buffer."
+   (interactive "P")
+   (cond
+    ((not (display-graphic-p)) nil)
++   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+    ;; Clear whole buffer.
+    ((equal arg '(64))
+     (org-clear-latex-preview (point-min) (point-max))
+-- 
+cgit v1.1
+

backport-CVE-2024-30205.patch

@@ -0,0 +1,36 @@
+From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+---
+ lisp/org/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 0f5d17d..76559c9 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
++         (is-remote (condition-case nil
++                        (file-remote-p file)
++                      ;; In case of error, be safe.
++                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
++     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.
+-- 
+cgit v1.1
+

emacs.spec

@@ -8,7 +8,7 @@
 Name:          emacs
 Epoch:         1
 Version:       27.2
-Release:       8
+Release:       13
 Summary:       An extensible GNU text editor
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs
@@ -26,6 +26,16 @@ Patch6001:        emacs-spellchecker.patch
 Patch6002:        emacs-system-crypto-policies.patch
 Patch6003:        backport-emacs-glibc-2.34.patch
 Patch6004:        backport-CVE-2022-45939.patch
+Patch6005:        backport-CVE-2022-48337.patch
+Patch6006:        backport-CVE-2022-48338.patch
+Patch6007:        backport-CVE-2022-48339.patch
+Patch6008:        backport-CVE-2023-28617.patch
+Patch6009:        backport-0002-CVE-2022-48337.patch
+Patch6010:        backport-CVE-2024-30203-pre.patch
+Patch6011:        backport-CVE-2024-30203.patch
+Patch6012:        backport-CVE-2024-30204.patch
+Patch6013:        backport-CVE-2024-30205.patch
+
 Patch9000:        emacs-deal-taboo-words.patch
 
 BuildRequires: gcc atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel
@@ -236,12 +246,15 @@ rm %{buildroot}%{emacs_libexecdir}/emacs.pdmp
 
 gunzip %{buildroot}%{_datadir}/emacs/%{version}/lisp/jka*.el.gz
 
+install -p -m 0644 build-gtk/src/emacs.pdmp %{buildroot}%{_bindir}/emacs-%{version}.pdmp
 
 %if !%{with bootstrap}
 install -p -m 0755 build-lucid/src/emacs %{buildroot}%{_bindir}/emacs-%{version}-lucid
+install -p -m 0644 build-lucid/src/emacs.pdmp %{buildroot}%{_bindir}/emacs-%{version}-lucid.pdmp
 %endif
 
 install -p -m 0755 build-nox/src/emacs %{buildroot}%{_bindir}/emacs-%{version}-nox
+install -p -m 0644 build-nox/src/emacs.pdmp %{buildroot}%{_bindir}/emacs-%{version}-nox.pdmp
 
 chmod 755 %{buildroot}%{emacs_libexecdir}/movemail
 
@@ -352,6 +365,7 @@ fi
 %license etc/COPYING
 %attr(0755,-,-) %ghost %{_bindir}/emacs
 %{_bindir}/emacs-%{version}
+%{_bindir}/emacs-%{version}.pdmp
 %{_datadir}/appdata/%{name}.appdata.xml
 %{_datadir}/icons/hicolor/*
 %{_datadir}/applications/emacs.desktop
@@ -365,6 +379,7 @@ fi
 %attr(0755,-,-) %ghost %{_bindir}/emacs
 %attr(0755,-,-) %ghost %{_bindir}/emacs-lucid
 %{_bindir}/emacs-%{version}-lucid
+%{_bindir}/emacs-%{version}-lucid.pdmp
 %endif
 
 %files nox
@@ -372,6 +387,7 @@ fi
 %attr(0755,-,-) %ghost %{_bindir}/emacs
 %attr(0755,-,-) %ghost %{_bindir}/emacs-nox
 %{_bindir}/emacs-%{version}-nox
+%{_bindir}/emacs-%{version}-nox.pdmp
 
 %files common -f common-filelist -f el-filelist
 %defattr(-,root,root)
@@ -408,6 +424,21 @@ fi
 %{_mandir}/*/*
 
 %changelog
+* Mon Apr 01 2024 lingsheng <lingsheng1@h-partners.com> - 1:27.2-13
+- fix CVE-2024-30203 CVE-2024-30204 CVE-2024-30205
+
+* Thu Feb 29 2024 zhangpan <zhangpan103@h-partners.com> - 1:27.2-12
+- fix emacs start slow
+
+* Mon Sep 25 2023 leeffo <liweiganga@uniontech.com> - 1:27.2-11
+- fix CVE-2022-48337
+
+* Fri Mar 24 2023 zhangpan <zhangpan103@h-partners.com> - 1:27.2-10
+- fix CVE-2023-28617
+
+* Thu Feb 23 2023 zhangpan <zhangpan103@h-partners.com> - 1:27.2-9
+- fix CVE-2022-48337 CVE-2022-48338 CVE-2022-48339
+
 * Thu Dec 01 2022 wangkerong <wangkerong@h-partners.com> - 1:27.2-8
 - fix CVE-2022-45939