From e963bec1d20cbe3c7802b197a28d07da7f5bda9b Mon Sep 17 00:00:00 2001 From: Kanishk-Bansal Date: Sat, 15 Feb 2025 19:33:16 +0000 Subject: [PATCH] Patch emacs for CVE-2025-1244 [High] --- SPECS/emacs/CVE-2025-1244.patch | 54 +++++++++++++++++++++++++++++++++ SPECS/emacs/emacs.spec | 6 +++- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 SPECS/emacs/CVE-2025-1244.patch diff --git a/SPECS/emacs/CVE-2025-1244.patch b/SPECS/emacs/CVE-2025-1244.patch new file mode 100644 index 00000000000..7435df28d42 --- /dev/null +++ b/SPECS/emacs/CVE-2025-1244.patch @@ -0,0 +1,54 @@ +From 820f0793f0b46448928905552726c1f1b999062f Mon Sep 17 00:00:00 2001 +From: Xi Lu +Date: Tue, 10 Oct 2023 22:20:05 +0800 +Subject: [PATCH] Fix man.el shell injection vulnerability + +* lisp/man.el (Man-translate-references): Fix shell injection +vulnerability. (Bug#66390) +* test/lisp/man-tests.el (man-tests-Man-translate-references): New +test. +--- + lisp/man.el | 6 +++++- + test/lisp/man-tests.el | 12 ++++++++++++ + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/lisp/man.el b/lisp/man.el +index 55cb9383bec1..d96396483d39 100644 +--- a/lisp/man.el ++++ b/lisp/man.el +@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)." + (setq name (match-string 2 ref) + section (match-string 1 ref)))) + (if (string= name "") +- ref ; Return the reference as is ++ ;; see Bug#66390 ++ (mapconcat 'identity ++ (mapcar #'shell-quote-argument ++ (split-string ref "\\s-+")) ++ " ") ; Return the reference as is + (if Man-downcase-section-letters-flag + (setq section (downcase section))) + (while slist +diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el +index 140482ee6222..11f5f805e43f 100644 +--- a/test/lisp/man-tests.el ++++ b/test/lisp/man-tests.el +@@ -161,6 +161,18 @@ DESCRIPTION + (let ((button (button-at (match-beginning 0)))) + (should (and button (eq 'Man-xref-header-file (button-type button)))))))))) + ++(ert-deftest man-tests-Man-translate-references () ++ (should (equal (Man-translate-references "basename") ++ "basename")) ++ (should (equal (Man-translate-references "basename(3)") ++ "3 basename")) ++ (should (equal (Man-translate-references "basename(3v)") ++ "3v basename")) ++ (should (equal (Man-translate-references ";id") ++ "\\;id")) ++ (should (equal (Man-translate-references "-k basename") ++ "-k basename"))) ++ + (provide 'man-tests) + + ;;; man-tests.el ends here diff --git a/SPECS/emacs/emacs.spec b/SPECS/emacs/emacs.spec index 59fa9bb6184..56a7e205b22 100644 --- a/SPECS/emacs/emacs.spec +++ b/SPECS/emacs/emacs.spec @@ -1,13 +1,14 @@ Summary: GNU Emacs text editor Name: emacs Version: 29.4 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3+ AND CC0-1.0 Vendor: Microsoft Corporation Distribution: Mariner Group: Applications/Editors URL: https://www.gnu.org/software/emacs/ Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz +Patch0: CVE-2025-1244.patch BuildRequires: gcc BuildRequires: glibc-devel BuildRequires: gnutls-devel @@ -84,6 +85,9 @@ mkdir -p %{buildroot}%{_datadir}/emacs/site-lisp/site-start.d %dir %{_datadir}/emacs/site-lisp/site-start.d %changelog +* Sun Feb 16 2025 Kanishk Bansal - 29.4-2 +- Apply upstream patch to fix CVE-2025-1244 + * Mon Jul 01 2024 Sharath Srikanth Chellappa - 29.4-1 - Upgrade to 29.4 to fix CVE-2024-39331.