[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1033844: unblock: emacs/1:28.2+1-13

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: emacs@packages.debian.org
Control: affects -1 + src:emacs

Please unblock package emacs

The only changes are two bug fixes, one for the Org Mode CVE.  The
patches added are the cherry-picked upstream changes, as indicated in
the patch headers.

https://bugs.debian.org/1033342
https://bugs.debian.org/1033397

unblock emacs/1:28.2+1-14

(Package hasn't been uploaded yet; this is a preapproval request.)


diff -Nru emacs-28.2+1/debian/.git-dpm emacs-28.2+1/debian/.git-dpm
--- emacs-28.2+1/debian/.git-dpm	2023-03-14 15:30:28.000000000 -0500
+++ emacs-28.2+1/debian/.git-dpm	2023-03-31 13:22:32.000000000 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-4e6971c25c27c9a3f34cc69b51db894105362d08
-4e6971c25c27c9a3f34cc69b51db894105362d08
+023ac1eff558f6fb387fea1629b084c8929de18d
+023ac1eff558f6fb387fea1629b084c8929de18d
 279b82e64e15b5e2df3cb522636c6db85a8ee659
 279b82e64e15b5e2df3cb522636c6db85a8ee659
 emacs_28.2+1.orig.tar.xz
diff -Nru emacs-28.2+1/debian/changelog emacs-28.2+1/debian/changelog
--- emacs-28.2+1/debian/changelog	2023-03-14 15:30:28.000000000 -0500
+++ emacs-28.2+1/debian/changelog	2023-04-01 22:38:56.000000000 -0500
@@ -1,7 +1,20 @@
+emacs (1:28.2+1-14) unstable; urgency=medium
+
+  * Fix gnus nnml crash on some invalid headers.  Add
+    0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch to
+    address the issue. (Closes: 1033397)
+
+  * Fix Org Mode command injection vulnerability CVE-2023-28617.  Add
+    0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch and
+    0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch to
+    address the issue. (Closes: 1033342)
+
+ -- Rob Browning <rlb@defaultvalue.org>  Sat, 01 Apr 2023 22:38:56 -0500
+
 emacs (1:28.2+1-13) unstable; urgency=high
 
   * Cherry-pick upstream fixes for command injection vulnerabilities
-    (CVE-2023-27984, CVE-2023-27986) (Closes: #1032538).
+    (CVE-2023-27985, CVE-2023-27986) (Closes: #1032538).
 
  -- Sean Whitton <spwhitton@spwhitton.name>  Tue, 14 Mar 2023 13:30:28 -0700
 
diff -Nru emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch
--- emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch	2023-03-31 13:22:31.000000000 -0500
@@ -0,0 +1,52 @@
+From cf3c2037c3531b756fbb443b8ab2f6873f10930e Mon Sep 17 00:00:00 2001
+From: Eli Zaretskii <eliz@gnu.org>
+Date: Mon, 19 Dec 2022 19:01:04 +0200
+Subject: Gnus nnml should avoid crashing on some invalid headers
+
+This upstream patch has been incorporated to fix the problem:
+
+  Fix storing email into nnmail by Gnus
+
+  * lisp/gnus/nnml.el (nnml--encode-headers): Wrap
+  'rfc2047-encode-string' calls with 'ignore-errors', to avoid
+  disrupting email workflows due to possibly-invalid headers.
+  Reported by Florian Weimer <fweimer@redhat.com>.
+
+Origin: upstream, commit: 23f7c9c2a92e4619b7c4d2286d4249f812cd695d
+Bug-Debian: https://bugs.debian.org/1033397
+Forwarded: not-needed
+---
+ lisp/gnus/nnml.el | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lisp/gnus/nnml.el b/lisp/gnus/nnml.el
+index afdb0c780a5..258c5efc79f 100644
+--- a/lisp/gnus/nnml.el
++++ b/lisp/gnus/nnml.el
+@@ -775,17 +775,22 @@ nnml-parse-head
+ 	(nnml--encode-headers headers)
+ 	headers))))
+ 
++;; RFC2047-encode Subject and From, but leave invalid headers unencoded.
+ (defun nnml--encode-headers (headers)
+   (let ((subject (mail-header-subject headers))
+ 	(rfc2047-encoding-type 'mime))
+     (unless (string-match "\\`[[:ascii:]]*\\'" subject)
+-      (setf (mail-header-subject headers)
+-	    (mail-encode-encoded-word-string subject t))))
++      (let ((encoded-subject
++             (ignore-errors (mail-encode-encoded-word-string subject t))))
++        (if encoded-subject
++            (setf (mail-header-subject headers) encoded-subject)))))
+   (let ((from (mail-header-from headers))
+ 	(rfc2047-encoding-type 'address-mime))
+     (unless (string-match "\\`[[:ascii:]]*\\'" from)
+-      (setf (mail-header-from headers)
+-	    (rfc2047-encode-string from t)))))
++      (let ((encoded-from
++             (ignore-errors (rfc2047-encode-string from t))))
++        (if encoded-from
++            (setf (mail-header-from headers) encoded-from))))))
+ 
+ (defun nnml-get-nov-buffer (group &optional incrementalp)
+   (let ((buffer (gnus-get-buffer-create
diff -Nru emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
--- emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch	2023-03-31 13:22:32.000000000 -0500
@@ -0,0 +1,49 @@
+From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 11 Mar 2023 18:53:37 +0800
+Subject: Org Mode vulnerability CVE-2023-28617 is fixed (1/2)
+
+https://security-tracker.debian.org/tracker/CVE-2023-28617
+
+This upstream patch (1/2) has been incorporated to fix the problem:
+
+  * lisp/ob-latex.el: Fix command injection vulnerability
+
+  (org-babel-execute:latex):
+  Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
+
+  TINYCHANGE
+
+Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
+Bug-Debian: https://bugs.debian.org/1033342
+---
+ lisp/org/ob-latex.el | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
+index 7253803af9e..73139c836b8 100644
+--- a/lisp/org/ob-latex.el
++++ b/lisp/org/ob-latex.el
+@@ -205,17 +205,14 @@ org-babel-execute:latex
+ 	    (if (string-suffix-p ".svg" out-file)
+ 		(progn
+ 		  (shell-command "pwd")
+-		  (shell-command (format "mv %s %s"
+-					 (concat (file-name-sans-extension tex-file) "-1.svg")
+-					 out-file)))
++                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
++                               out-file t))
+ 	      (error "SVG file produced but HTML file requested")))
+ 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
+ 	    (if (string-suffix-p ".html" out-file)
+-		(shell-command "mv %s %s"
+-			       (concat (file-name-sans-extension tex-file)
+-				       ".html")
+-			       out-file)
+-	      (error "HTML file produced but SVG file requested")))))
++                (rename-file (concat (file-name-sans-extension tex-file) ".html")
++                             out-file t)
++              (error "HTML file produced but SVG file requested")))))
+ 	 ((or (string= "pdf" extension) imagemagick)
+ 	  (with-temp-file tex-file
+ 	    (require 'ox-latex)
diff -Nru emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch
--- emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch	2023-03-31 13:22:32.000000000 -0500
@@ -0,0 +1,36 @@
+From 023ac1eff558f6fb387fea1629b084c8929de18d Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 18 Feb 2023 18:03:28 +0800
+Subject: Org Mode vulnerability CVE-2023-28617 is fixed (2/2)
+
+https://security-tracker.debian.org/tracker/CVE-2023-28617
+
+This upstream patch (2/2) has been incorporated to fix the problem:
+
+Org Mode command injection vulnerability has been fixed (CVE-2023-28617)
+
+  * lisp/ob-latex.el (org-babel-execute:latex): Fix command injection vulnerability
+
+  Link: https://orgmode.org/list/tencent_5C4D5D0DEFDDBBFC66F855703927E60C7706@qq.com
+
+  TINYCHANGE
+
+Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485
+Bug-Debian: https://bugs.debian.org/1033342
+---
+ lisp/org/ob-latex.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
+index 73139c836b8..1c5df6fe85d 100644
+--- a/lisp/org/ob-latex.el
++++ b/lisp/org/ob-latex.el
+@@ -167,7 +167,7 @@ org-babel-execute:latex
+ 	                     tmp-pdf
+                              (list org-babel-latex-pdf-svg-process)
+                              extension err-msg log-buf)))
+-              (shell-command (format "mv %s %s" img-out out-file)))))
++              (rename-file img-out out-file t))))
+          ((string-suffix-p ".tikz" out-file)
+ 	  (when (file-exists-p out-file) (delete-file out-file))
+ 	  (with-temp-file out-file
diff -Nru emacs-28.2+1/debian/patches/series emacs-28.2+1/debian/patches/series
--- emacs-28.2+1/debian/patches/series	2023-03-14 15:30:28.000000000 -0500
+++ emacs-28.2+1/debian/patches/series	2023-03-31 13:22:32.000000000 -0500
@@ -23,3 +23,6 @@
 0023-Fix-memory-leak-in-etags.c.patch
 0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
 0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
+0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch
+0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
+0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Reply to: