aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorUlrich Müller <ulm@gentoo.org>2024-03-25 15:39:54 +0100
committerUlrich Müller <ulm@gentoo.org>2024-03-25 15:39:54 +0100
commitaf40e12cb742510e5d40a06ffc6dfca97e340dd6 (patch)
tree8cea4a623c8ffe136d758fbb27596a81e34cd3b5
parent29.3: Copy patches from 29.2 (diff)
downloademacs-patches-af40e12cb742510e5d40a06ffc6dfca97e340dd6.tar.gz
emacs-patches-af40e12cb742510e5d40a06ffc6dfca97e340dd6.tar.bz2
emacs-patches-af40e12cb742510e5d40a06ffc6dfca97e340dd6.zip
26.3, 27.2, 28.2: Backport security fixes from 29.3emacs-28.2-patches-6emacs-27.2-patches-8emacs-26.3-patches-7
Signed-off-by: Ulrich Müller <ulm@gentoo.org>
-rw-r--r--emacs/26.3/08_all_org-remote-unsafe.patch30
-rw-r--r--emacs/27.2/09_all_untrusted-content.patch84
-rw-r--r--emacs/27.2/10_all_org-remote-unsafe.patch30
-rw-r--r--emacs/28.2/10_all_org-macro-eval.patch35
-rw-r--r--emacs/28.2/11_all_untrusted-content.patch84
-rw-r--r--emacs/28.2/12_all_org-remote-unsafe.patch30
6 files changed, 293 insertions, 0 deletions
diff --git a/emacs/26.3/08_all_org-remote-unsafe.patch b/emacs/26.3/08_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..9124db5
--- /dev/null
+++ b/emacs/26.3/08_all_org-remote-unsafe.patch
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 14:59:20 2024 +0300
+
+ org-file-contents: Consider all remote files unsafe
+
+--- emacs-26.3/lisp/org/org.el
++++ emacs-26.3/lisp/org/org.el
+@@ -5297,12 +5297,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available. This option applies only if FILE is a URL."
+ (let* ((is-url (org-file-url-p file))
++ (is-remote (condition-case nil
++ (file-remote-p file)
++ ;; In case of error, be safe.
++ (t t)))
+ (cache (and is-url
+ (not nocache)
+ (gethash file org--file-cache))))
+ (cond
+ (cache)
+- (is-url
++ ((or is-url is-remote)
+ (with-current-buffer (url-retrieve-synchronously file)
+ (goto-char (point-min))
+ ;; Move point to after the url-retrieve header.
diff --git a/emacs/27.2/09_all_untrusted-content.patch b/emacs/27.2/09_all_untrusted-content.patch
new file mode 100644
index 0000000..0ff1d36
--- /dev/null
+++ b/emacs/27.2/09_all_untrusted-content.patch
@@ -0,0 +1,84 @@
+New variable untrusted-content
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit ccc188fcf98ad9166ee551fac9d94b2603c3a51b
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 12:43:51 2024 +0300
+
+ * lisp/files.el (untrusted-content): New variable.
+
+commit 937b9042ad7426acdcca33e3d931d8f495bdd804
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 12:44:30 2024 +0300
+
+ * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.
+
+commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 12:47:24 2024 +0300
+
+ org-latex-preview: Add protection when `untrusted-content' is non-nil
+
+--- emacs-27.2/lisp/files.el
++++ emacs-27.2/lisp/files.el
+@@ -588,6 +588,14 @@
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+
++(defvar-local untrusted-content nil
++ "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (set (make-local-variable 'enable-local-variables) nil)
+--- emacs-27.2/lisp/gnus/mm-view.el
++++ emacs-27.2/lisp/gnus/mm-view.el
+@@ -466,6 +466,7 @@ mm-display-inline-fontify
+ (setq coding-system (mm-find-buffer-file-coding-system)))
+ (setq text (buffer-string))))
+ (with-temp-buffer
++ (setq untrusted-content t)
+ (buffer-disable-undo)
+ (mm-enable-multibyte)
+ (insert (cond ((eq charset 'gnus-decoded)
+--- emacs-27.2/lisp/org/org.el
++++ emacs-27.2/lisp/org/org.el
+@@ -1077,6 +1077,24 @@
+ :package-version '(Org . "8.0")
+ :type 'boolean)
+
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++ "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages. It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+ "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15827,6 +15845,7 @@ org-latex-preview
+ (interactive "P")
+ (cond
+ ((not (display-graphic-p)) nil)
++ ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+ ;; Clear whole buffer.
+ ((equal arg '(64))
+ (org-clear-latex-preview (point-min) (point-max))
diff --git a/emacs/27.2/10_all_org-remote-unsafe.patch b/emacs/27.2/10_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..65f6a34
--- /dev/null
+++ b/emacs/27.2/10_all_org-remote-unsafe.patch
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 14:59:20 2024 +0300
+
+ org-file-contents: Consider all remote files unsafe
+
+--- emacs-27.2/lisp/org/org.el
++++ emacs-27.2/lisp/org/org.el
+@@ -4665,12 +4665,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available. This option applies only if FILE is a URL."
+ (let* ((is-url (org-file-url-p file))
++ (is-remote (condition-case nil
++ (file-remote-p file)
++ ;; In case of error, be safe.
++ (t t)))
+ (cache (and is-url
+ (not nocache)
+ (gethash file org--file-cache))))
+ (cond
+ (cache)
+- (is-url
++ ((or is-url is-remote)
+ (with-current-buffer (url-retrieve-synchronously file)
+ (goto-char (point-min))
+ ;; Move point to after the url-retrieve header.
diff --git a/emacs/28.2/10_all_org-macro-eval.patch b/emacs/28.2/10_all_org-macro-eval.patch
new file mode 100644
index 0000000..d3c8bb7
--- /dev/null
+++ b/emacs/28.2/10_all_org-macro-eval.patch
@@ -0,0 +1,35 @@
+Prevent code evaluation in org-macro--set-templates
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit befa9fcaae29a6c9a283ba371c3c5234c7f644eb
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 12:19:46 2024 +0300
+
+ org-macro--set-templates: Prevent code evaluation
+
+--- emacs-28.2/lisp/org/org-macro.el
++++ emacs-28.2/lisp/org/org-macro.el
+@@ -103,6 +103,13 @@ org-macro--set-templates
+ (let ((new-templates nil))
+ (pcase-dolist (`(,name . ,value) templates)
+ (let ((old-definition (assoc name new-templates)))
++ ;; This code can be evaluated unconditionally, as a part of
++ ;; loading Org mode. We *must not* evaluate any code present
++ ;; inside the Org buffer while loading. Org buffers may come
++ ;; from various sources, like received email messages from
++ ;; potentially malicious senders. Org mode might be used to
++ ;; preview such messages and no code evaluation from inside the
++ ;; received Org text should ever happen without user consent.
+ (when (and (stringp value) (string-match-p "\\`(eval\\>" value))
+ ;; Pre-process the evaluation form for faster macro expansion.
+ (let* ((args (org-macro--makeargs value))
+@@ -115,7 +122,7 @@ org-macro--set-templates
+ (cadr (read value))
+ (error
+ (user-error "Invalid definition for macro %S" name)))))
+- (setq value (eval (macroexpand-all `(lambda ,args ,body)) t))))
++ (setq value `(lambda ,args ,body))))
+ (cond ((and value old-definition) (setcdr old-definition value))
+ (old-definition)
+ (t (push (cons name (or value "")) new-templates)))))
diff --git a/emacs/28.2/11_all_untrusted-content.patch b/emacs/28.2/11_all_untrusted-content.patch
new file mode 100644
index 0000000..4cd20c0
--- /dev/null
+++ b/emacs/28.2/11_all_untrusted-content.patch
@@ -0,0 +1,84 @@
+New variable untrusted-content
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit ccc188fcf98ad9166ee551fac9d94b2603c3a51b
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 12:43:51 2024 +0300
+
+ * lisp/files.el (untrusted-content): New variable.
+
+commit 937b9042ad7426acdcca33e3d931d8f495bdd804
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 12:44:30 2024 +0300
+
+ * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.
+
+commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 12:47:24 2024 +0300
+
+ org-latex-preview: Add protection when `untrusted-content' is non-nil
+
+--- emacs-28.2/lisp/files.el
++++ emacs-28.2/lisp/files.el
+@@ -623,6 +623,14 @@
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+
++(defvar-local untrusted-content nil
++ "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (setq-local enable-local-variables nil)
+--- emacs-28.2/lisp/gnus/mm-view.el
++++ emacs-28.2/lisp/gnus/mm-view.el
+@@ -504,6 +504,7 @@ mm-display-inline-fontify
+ (setq coding-system (mm-find-buffer-file-coding-system)))
+ (setq text (buffer-string))))
+ (with-temp-buffer
++ (setq untrusted-content t)
+ (buffer-disable-undo)
+ (mm-enable-multibyte)
+ (insert (cond ((eq charset 'gnus-decoded)
+--- emacs-28.2/lisp/org/org.el
++++ emacs-28.2/lisp/org/org.el
+@@ -1092,6 +1092,24 @@
+ :package-version '(Org . "8.0")
+ :type 'boolean)
+
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++ "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages. It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+ "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -16000,6 +16018,7 @@ org-latex-preview
+ (interactive "P")
+ (cond
+ ((not (display-graphic-p)) nil)
++ ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+ ;; Clear whole buffer.
+ ((equal arg '(64))
+ (org-clear-latex-preview (point-min) (point-max))
diff --git a/emacs/28.2/12_all_org-remote-unsafe.patch b/emacs/28.2/12_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..7236589
--- /dev/null
+++ b/emacs/28.2/12_all_org-remote-unsafe.patch
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue Feb 20 14:59:20 2024 +0300
+
+ org-file-contents: Consider all remote files unsafe
+
+--- emacs-28.2/lisp/org/org.el
++++ emacs-28.2/lisp/org/org.el
+@@ -4705,12 +4705,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available. This option applies only if FILE is a URL."
+ (let* ((is-url (org-url-p file))
++ (is-remote (condition-case nil
++ (file-remote-p file)
++ ;; In case of error, be safe.
++ (t t)))
+ (cache (and is-url
+ (not nocache)
+ (gethash file org--file-cache))))
+ (cond
+ (cache)
+- (is-url
++ ((or is-url is-remote)
+ (with-current-buffer (url-retrieve-synchronously file)
+ (goto-char (point-min))
+ ;; Move point to after the url-retrieve header.