
Bug#1033844: marked as done (unblock: emacs/1:28.2+1-14)



Your message dated Wed, 3 May 2023 20:06:30 +0200
with message-id <e4091dda-ab1d-2fe2-4022-dfa6786a5a41@debian.org>
and subject line Re: Bug#1033844: unblock: emacs/1:28.2+1-13
has caused the Debian Bug report #1033844,
regarding unblock: emacs/1:28.2+1-14
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1033844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033844
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: emacs@packages.debian.org
Control: affects -1 + src:emacs

Please unblock package emacs

The only changes are two bug fixes, one for the Org Mode CVE.  The
patches added are the cherry-picked upstream changes, as indicated in
the patch headers.

https://bugs.debian.org/1033342
https://bugs.debian.org/1033397

unblock emacs/1:28.2+1-14

(Package hasn't been uploaded yet; this is a preapproval request.)

diff -Nru emacs-28.2+1/debian/.git-dpm emacs-28.2+1/debian/.git-dpm
--- emacs-28.2+1/debian/.git-dpm	2023-03-14 15:30:28.000000000 -0500
+++ emacs-28.2+1/debian/.git-dpm	2023-03-31 13:22:32.000000000 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-4e6971c25c27c9a3f34cc69b51db894105362d08
-4e6971c25c27c9a3f34cc69b51db894105362d08
+023ac1eff558f6fb387fea1629b084c8929de18d
+023ac1eff558f6fb387fea1629b084c8929de18d
 279b82e64e15b5e2df3cb522636c6db85a8ee659
 279b82e64e15b5e2df3cb522636c6db85a8ee659
 emacs_28.2+1.orig.tar.xz
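
Review bot: the new patched-tree hash 023ac1eff558f6fb387fea1629b084c8929de18d on the two `+` lines matches the `From` line of 0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch, the last patch in the series, so the git-dpm metadata agrees with the patch stack; the orig tarball hash lines are untouched, as expected for a patches-only upload. Nothing to change here.
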
diff -Nru emacs-28.2+1/debian/changelog emacs-28.2+1/debian/changelog
--- emacs-28.2+1/debian/changelog	2023-03-14 15:30:28.000000000 -0500
+++ emacs-28.2+1/debian/changelog	2023-04-01 22:38:56.000000000 -0500
@@ -1,7 +1,20 @@
+emacs (1:28.2+1-14) unstable; urgency=medium
+
+  * Fix gnus nnml crash on some invalid headers.  Add
+    0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch to
+    address the issue. (Closes: 1033397)
+
+  * Fix Org Mode command injection vulnerability CVE-2023-28617.  Add
+    0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch and
+    0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch to
+    address the issue. (Closes: 1033342)
+
+ -- Rob Browning <rlb@defaultvalue.org>  Sat, 01 Apr 2023 22:38:56 -0500
+
 emacs (1:28.2+1-13) unstable; urgency=high
 
   * Cherry-pick upstream fixes for command injection vulnerabilities
-    (CVE-2023-27984, CVE-2023-27986) (Closes: #1032538).
+    (CVE-2023-27985, CVE-2023-27986) (Closes: #1032538).
 
  -- Sean Whitton <spwhitton@spwhitton.name>  Tue, 14 Mar 2023 13:30:28 -0700
 
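Review bot: the hunk silently rewrites the already-released 1:28.2+1-13 entry (CVE-2023-27984 becomes CVE-2023-27985) without recording that correction in the new -14 entry; since the -13 text has already shipped and is what the security tracker saw, add a line in the -14 entry such as `  * Fix the CVE identifier in the 1:28.2+1-13 changelog entry (CVE-2023-27985, not CVE-2023-27984).` so the change is visible to the release team. Minor style point: the new entry writes `(Closes: 1033397)` and `(Closes: 1033342)` while the entry below uses `(Closes: #1032538)`; dpkg's changelog parser treats the `#` as optional, but matching the existing form keeps the file consistent.
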
diff -Nru emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch
--- emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs-28.2+1/debian/patches/0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch	2023-03-31 13:22:31.000000000 -0500
@@ -0,0 +1,52 @@
+From cf3c2037c3531b756fbb443b8ab2f6873f10930e Mon Sep 17 00:00:00 2001
+From: Eli Zaretskii <eliz@gnu.org>
+Date: Mon, 19 Dec 2022 19:01:04 +0200
+Subject: Gnus nnml should avoid crashing on some invalid headers
+
+This upstream patch has been incorporated to fix the problem:
+
+  Fix storing email into nnmail by Gnus
+
+  * lisp/gnus/nnml.el (nnml--encode-headers): Wrap
+  'rfc2047-encode-string' calls with 'ignore-errors', to avoid
+  disrupting email workflows due to possibly-invalid headers.
+  Reported by Florian Weimer <fweimer@redhat.com>.
+
+Origin: upstream, commit: 23f7c9c2a92e4619b7c4d2286d4249f812cd695d
+Bug-Debian: https://bugs.debian.org/1033397
+Forwarded: not-needed
+---
+ lisp/gnus/nnml.el | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lisp/gnus/nnml.el b/lisp/gnus/nnml.el
+index afdb0c780a5..258c5efc79f 100644
+--- a/lisp/gnus/nnml.el
++++ b/lisp/gnus/nnml.el
+@@ -775,17 +775,22 @@ nnml-parse-head
+ 	(nnml--encode-headers headers)
+ 	headers))))
+ 
++;; RFC2047-encode Subject and From, but leave invalid headers unencoded.
+ (defun nnml--encode-headers (headers)
+   (let ((subject (mail-header-subject headers))
+ 	(rfc2047-encoding-type 'mime))
+     (unless (string-match "\\`[[:ascii:]]*\\'" subject)
+-      (setf (mail-header-subject headers)
+-	    (mail-encode-encoded-word-string subject t))))
++      (let ((encoded-subject
++             (ignore-errors (mail-encode-encoded-word-string subject t))))
++        (if encoded-subject
++            (setf (mail-header-subject headers) encoded-subject)))))
+   (let ((from (mail-header-from headers))
+ 	(rfc2047-encoding-type 'address-mime))
+     (unless (string-match "\\`[[:ascii:]]*\\'" from)
+-      (setf (mail-header-from headers)
+-	    (rfc2047-encode-string from t)))))
++      (let ((encoded-from
++             (ignore-errors (rfc2047-encode-string from t))))
++        (if encoded-from
++            (setf (mail-header-from headers) encoded-from))))))
+ 
+ (defun nnml-get-nov-buffer (group &optional incrementalp)
+   (let ((buffer (gnus-get-buffer-create
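
Review bot: wrapping the two encoder calls in `ignore-errors` stops the crash but also hides which header failed, so a malformed Subject or From is now stored unencoded with no trace in `*Messages*`; a `condition-case` with an `nnheader-message` (or plain `message`) in the error arm would let an operator locate the offending article while keeping the non-fatal behaviour. Style nit: `(if encoded-subject (setf ...))` and `(if encoded-from (setf ...))` have no else branch and read more naturally as `when`. The stats line (9 insertions, 4 deletions) and the `@@ -775,17 +775,22 @@` header agree with the body, and the Origin commit is named, so the cherry-pick is traceable.
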
diff -Nru emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
--- emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs-28.2+1/debian/patches/0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch	2023-03-31 13:22:32.000000000 -0500
@@ -0,0 +1,49 @@
+From 320ab831aad7b66605e3778abe51a29cc377fb46 Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 11 Mar 2023 18:53:37 +0800
+Subject: Org Mode vulnerability CVE-2023-28617 is fixed (1/2)
+
+https://security-tracker.debian.org/tracker/CVE-2023-28617
+
+This upstream patch (1/2) has been incorporated to fix the problem:
+
+  * lisp/ob-latex.el: Fix command injection vulnerability
+
+  (org-babel-execute:latex):
+  Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
+
+  TINYCHANGE
+
+Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741
+Bug-Debian: https://bugs.debian.org/1033342
+---
+ lisp/org/ob-latex.el | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
+index 7253803af9e..73139c836b8 100644
+--- a/lisp/org/ob-latex.el
++++ b/lisp/org/ob-latex.el
+@@ -205,17 +205,14 @@ org-babel-execute:latex
+ 	    (if (string-suffix-p ".svg" out-file)
+ 		(progn
+ 		  (shell-command "pwd")
+-		  (shell-command (format "mv %s %s"
+-					 (concat (file-name-sans-extension tex-file) "-1.svg")
+-					 out-file)))
++                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
++                               out-file t))
+ 	      (error "SVG file produced but HTML file requested")))
+ 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
+ 	    (if (string-suffix-p ".html" out-file)
+-		(shell-command "mv %s %s"
+-			       (concat (file-name-sans-extension tex-file)
+-				       ".html")
+-			       out-file)
+-	      (error "HTML file produced but SVG file requested")))))
++                (rename-file (concat (file-name-sans-extension tex-file) ".html")
++                             out-file t)
++              (error "HTML file produced but SVG file requested")))))
+ 	 ((or (string= "pdf" extension) imagemagick)
+ 	  (with-temp-file tex-file
+ 	    (require 'ox-latex)
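
Review bot: the removed HTML branch, `(shell-command "mv %s %s" (concat ...) out-file)`, never passed its arguments through `format`, so in addition to the injection risk it handed the literal string `mv %s %s` to the shell and the two filenames to `shell-command`'s OUTPUT-BUFFER and ERROR-BUFFER parameters; the `rename-file` replacement therefore also fixes a latent functional bug in that branch, which deserves a sentence in the patch description. Both new `rename-file` calls pass OK-IF-ALREADY-EXISTS as `t`, matching the overwrite semantics of the old `mv`. The `(shell-command "pwd")` left in the SVG branch is unrelated to the CVE and harmless, but it does print into a shell output buffer on every export and is worth mentioning as intentionally left alone.
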
diff -Nru emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch
--- emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs-28.2+1/debian/patches/0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch	2023-03-31 13:22:32.000000000 -0500
@@ -0,0 +1,36 @@
+From 023ac1eff558f6fb387fea1629b084c8929de18d Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 18 Feb 2023 18:03:28 +0800
+Subject: Org Mode vulnerability CVE-2023-28617 is fixed (2/2)
+
+https://security-tracker.debian.org/tracker/CVE-2023-28617
+
+This upstream patch (2/2) has been incorporated to fix the problem:
+
+Org Mode command injection vulnerability has been fixed (CVE-2023-28617)
+
+  * lisp/ob-latex.el (org-babel-execute:latex): Fix command injection vulnerability
+
+  Link: https://orgmode.org/list/tencent_5C4D5D0DEFDDBBFC66F855703927E60C7706@qq.com
+
+  TINYCHANGE
+
+Origin: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485
+Bug-Debian: https://bugs.debian.org/1033342
+---
+ lisp/org/ob-latex.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
+index 73139c836b8..1c5df6fe85d 100644
+--- a/lisp/org/ob-latex.el
++++ b/lisp/org/ob-latex.el
+@@ -167,7 +167,7 @@ org-babel-execute:latex
+ 	                     tmp-pdf
+                              (list org-babel-latex-pdf-svg-process)
+                              extension err-msg log-buf)))
+-              (shell-command (format "mv %s %s" img-out out-file)))))
++              (rename-file img-out out-file t))))
+          ((string-suffix-p ".tikz" out-file)
+ 	  (when (file-exists-p out-file) (delete-file out-file))
+ 	  (with-temp-file out-file
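
Review bot: replacing `(shell-command (format "mv %s %s" img-out out-file))` with `(rename-file img-out out-file t)` takes the shell out of the path entirely rather than quoting the arguments, which is the right fix since `out-file` is derived from the source block's header arguments. One behavioural difference worth a line in the description: `rename-file` signals an error when `img-out` does not exist, whereas the old `mv` only returned a non-zero exit status that was ignored, so a failed PDF-to-image conversion now surfaces as an Org error instead of a silently missing output file.
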
diff -Nru emacs-28.2+1/debian/patches/series emacs-28.2+1/debian/patches/series
--- emacs-28.2+1/debian/patches/series	2023-03-14 15:30:28.000000000 -0500
+++ emacs-28.2+1/debian/patches/series	2023-03-31 13:22:32.000000000 -0500
@@ -23,3 +23,6 @@
 0023-Fix-memory-leak-in-etags.c.patch
 0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
 0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
+0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch
+0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
+0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch
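
Review bot: the series applies 0027 (org-mode commit a8006ea, patch dated 11 Mar 2023) before 0028 (org-mode commit 8f8ec2c, patch dated 18 Feb 2023) even though the dates run the other way; the index lines in the two patches (7253803af9e..73139c836b8, then 73139c836b8..1c5df6fe85d) confirm this is the order the hunks were generated in, so the series is correct, but a short note in the 0028 header explaining why the earlier-dated commit is applied second would spare the next reader that check.
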
Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

--- End Message ---
--- Begin Message ---
Hi Rob,

On 08-04-2023 21:54, Paul Gevers wrote:
> On 02-04-2023 20:07, Sebastian Ramacher wrote:
>>> (Package hasn't been uploaded yet; this is a preapproval request.)
>>
>> Please go ahead
>
> Please remove the moreinfo tag once the upload has happened.

The moreinfo tag was still attached to this bug report, hence we missed this upload for a while.

Anyways, unblocked.

Paul



--- End Message ---
