Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: em...@packages.debian.org, Sean Whitton <spwhit...@spwhitton.name>, j...@debian.org, car...@debian.org
Control: affects -1 + src:emacs
Hi release team members,

Please unblock package emacs.

Sean might give some additional input if you need some additional information.

Between 1:28.2+1-10 and 1:28.2+1-13 of emacs, there were security fixes for CVE-2022-48337, CVE-2022-48338, CVE-2022-48339, CVE-2023-27985 and CVE-2023-27986. CVE-2022-48337, CVE-2022-48338 and CVE-2022-48339 were covered as well in DSA-5360-1 for bullseye. Can you please unblock emacs/1:28.2+1-13 so we do not have a regression for those fixes from bullseye to bookworm? (Note the -13 entry has an off-by-one typo in one CVE identifier.)

Regards,
Salvatore
diff -Nru emacs-28.2+1/debian/.git-dpm emacs-28.2+1/debian/.git-dpm --- emacs-28.2+1/debian/.git-dpm 2023-01-18 01:32:40.000000000 +0100 +++ emacs-28.2+1/debian/.git-dpm 2023-03-14 21:30:28.000000000 +0100 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -595617abab6964ac0c6e617bae3d82692bf298b9 -595617abab6964ac0c6e617bae3d82692bf298b9 +4e6971c25c27c9a3f34cc69b51db894105362d08 +4e6971c25c27c9a3f34cc69b51db894105362d08 279b82e64e15b5e2df3cb522636c6db85a8ee659 279b82e64e15b5e2df3cb522636c6db85a8ee659 emacs_28.2+1.orig.tar.xz diff -Nru emacs-28.2+1/debian/changelog emacs-28.2+1/debian/changelog --- emacs-28.2+1/debian/changelog 2023-01-18 01:32:40.000000000 +0100 +++ emacs-28.2+1/debian/changelog 2023-03-14 21:30:28.000000000 +0100 
@@ -1,3 +1,24 @@ +emacs (1:28.2+1-13) unstable; urgency=high + + * Cherry-pick upstream fixes for command injection vulnerabilities + (CVE-2023-27984, CVE-2023-27986) (Closes: #1032538). + + -- Sean Whitton <spwhit...@spwhitton.name> Tue, 14 Mar 2023 13:30:28 -0700 + +emacs (1:28.2+1-12) unstable; urgency=medium + + * Fix memory leak in etags.c introduced by recent security fix. + Thanks to Adrian Bunk for identifying the issue. + + -- Sean Whitton <spwhit...@spwhitton.name> Thu, 02 Mar 2023 12:21:19 -0700 + +emacs (1:28.2+1-11) unstable; urgency=high + + * Cherry-pick upstream fixes for command injection vulnerabilities + (CVE-2022-48337, CVE-2022-48338, CVE-2022-48339) (Closes: #1031730). + + -- Sean Whitton <spwhit...@spwhitton.name> Wed, 22 Feb 2023 11:01:50 -0700 + emacs (1:28.2+1-10) unstable; urgency=medium * Fix copyright tests for 2023 onwards. Thanks to Mattias EngdegÄrd for diff -Nru emacs-28.2+1/debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch emacs-28.2+1/debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch --- emacs-28.2+1/debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch 2023-03-14 21:30:28.000000000 +0100 
@@ -0,0 +1,33 @@ +From 665489d7de786a61fa0c0883b9dffbc76487e37e Mon Sep 17 00:00:00 2001 +From: Xi Lu <l...@shellcodes.org> +Date: Sat, 24 Dec 2022 16:28:54 +0800 +Subject: Fix htmlfontify.el command injection vulnerability (CVE-2022-48339) + +This upstream patch has been incorporated to fix the problem: + + Fix htmlfontify.el command injection vulnerability. + + * lisp/htmlfontify.el (hfy-text-p): Fix command injection + vulnerability. (Bug#60295) + +Origin: upstream, commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 +Bug: https://debbugs.gnu.org/60295 +Bug-Debian: https://bugs.debian.org/1031730 +Forwarded: not-needed +--- + lisp/htmlfontify.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el +index 115f67c9560..f8d1e205369 100644 +--- a/lisp/htmlfontify.el ++++ b/lisp/htmlfontify.el +@@ -1882,7 +1882,7 @@ hfy-make-directory + + (defun hfy-text-p (srcdir file) + "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this." +- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) ++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) + (rsp (shell-command-to-string cmd))) + (string-match "text" rsp))) + diff -Nru emacs-28.2+1/debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch emacs-28.2+1/debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch --- emacs-28.2+1/debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch 2023-03-14 21:30:28.000000000 +0100 
@@ -0,0 +1,33 @@ +From 52fb40cf6a3c50c996cff79b0d4f81fc39c7badf Mon Sep 17 00:00:00 2001 +From: Xi Lu <l...@shellcodes.org> +Date: Fri, 23 Dec 2022 12:52:48 +0800 +Subject: Fix ruby-mode.el command injection vulnerability (CVE-2022-48338) + +This upstream patch has been incorporated to fix the problem: + + Fix ruby-mode.el local command injection vulnerability (bug#60268) + + * lisp/progmodes/ruby-mode.el + (ruby-find-library-file): Fix local command injection vulnerability. + +Origin: upstream, commit 22fb5ff5126dc8bb01edaa0252829d853afb284f +Bug: https://debbugs.gnu.org/60268 +Bug-Debian: https://bugs.debian.org/1031730 +Forwarded: not-needed +--- + lisp/progmodes/ruby-mode.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el +index 72631a6557f..9b05b04a52c 100644 +--- a/lisp/progmodes/ruby-mode.el ++++ b/lisp/progmodes/ruby-mode.el +@@ -1819,7 +1819,7 @@ ruby-find-library-file + (setq feature-name (read-string "Feature name: " init)))) + (let ((out + (substring +- (shell-command-to-string (concat "gem which " feature-name)) ++ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name))) + 0 -1))) + (if (string-match-p "\\`ERROR" out) + (user-error "%s" out) diff -Nru emacs-28.2+1/debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch emacs-28.2+1/debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch --- emacs-28.2+1/debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch 2023-03-14 21:30:28.000000000 +0100 
@@ -0,0 +1,111 @@ +From f8822cd42a828c42d9b76bcd32de7e595ffb73c1 Mon Sep 17 00:00:00 2001 +From: lu4nx <l...@shellcodes.org> +Date: Tue, 6 Dec 2022 15:42:40 +0800 +Subject: Fix etags local command injection vulnerability (CVE-2022-48337) + +This upstream patch has been incorporated to fix the problem: + + Fix etags local command injection vulnerability + + * lib-src/etags.c: (escape_shell_arg_string): New function. + (process_file_name): Use it to quote file names passed to the + shell. (Bug#59817) + +Origin: upstream, commit e339926272a598bd9ee7e02989c1662b89e64cf0 +Bug: https://debbugs.gnu.org/59817 +Bug-Debian: https://bugs.debian.org/1031730 +Forwarded: not-needed +--- + lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 58 insertions(+), 5 deletions(-) + +diff --git a/lib-src/etags.c b/lib-src/etags.c +index c9c32691016..a6bd7f66e29 100644 +--- a/lib-src/etags.c ++++ b/lib-src/etags.c +@@ -408,6 +408,7 @@ #define xrnew(op, n, m) ((op) = xnrealloc (op, n, (m) * sizeof *(op))) + static void put_entries (node *); + static void clean_matched_file_tag (char const * const, char const * const); + ++static char *escape_shell_arg_string (char *); + static void do_move_file (const char *, const char *); + static char *concat (const char *, const char *, const char *); + static char *skip_spaces (char *); +@@ -1704,13 +1705,16 @@ process_file_name (char *file, language *lang) + else + { + #if MSDOS || defined (DOS_NT) +- char *cmd1 = concat (compr->command, " \"", real_name); +- char *cmd = concat (cmd1, "\" > ", tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name); + #else +- char *cmd1 = concat (compr->command, " '", real_name); +- char *cmd = concat (cmd1, "' > ", tmp_name); ++ char *new_real_name = escape_shell_arg_string (real_name); ++ char 
*new_tmp_name = escape_shell_arg_string (tmp_name); ++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1; ++ char *cmd = xmalloc (buf_len); ++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name); + #endif +- free (cmd1); + inf = (system (cmd) == -1 + ? NULL + : fopen (tmp_name, "r" FOPEN_BINARY)); +@@ -7689,6 +7693,55 @@ etags_mktmp (void) + return templt; + } + ++/* ++ * Adds single quotes around a string, if found single quotes, escaped it. ++ * Return a newly-allocated string. ++ * ++ * For example: ++ * escape_shell_arg_string("test.txt") => 'test.txt' ++ * escape_shell_arg_string("'test.txt") => ''\''test.txt' ++ */ ++static char * ++escape_shell_arg_string (char *str) ++{ ++ char *p = str; ++ int need_space = 2; /* ' at begin and end */ ++ ++ while (*p != '\0') ++ { ++ if (*p == '\'') ++ need_space += 4; /* ' to '\'', length is 4 */ ++ else ++ need_space++; ++ ++ p++; ++ } ++ ++ char *new_str = xnew (need_space + 1, char); ++ new_str[0] = '\''; ++ new_str[need_space-1] = '\''; ++ ++ int i = 1; /* skip first byte */ ++ p = str; ++ while (*p != '\0') ++ { ++ new_str[i] = *p; ++ if (*p == '\'') ++ { ++ new_str[i+1] = '\\'; ++ new_str[i+2] = '\''; ++ new_str[i+3] = '\''; ++ i += 3; ++ } ++ ++ i++; ++ p++; ++ } ++ ++ new_str[need_space] = '\0'; ++ return new_str; ++} ++ + static void + do_move_file(const char *src_file, const char *dst_file) + { diff -Nru emacs-28.2+1/debian/patches/0023-Fix-memory-leak-in-etags.c.patch emacs-28.2+1/debian/patches/0023-Fix-memory-leak-in-etags.c.patch --- emacs-28.2+1/debian/patches/0023-Fix-memory-leak-in-etags.c.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0023-Fix-memory-leak-in-etags.c.patch 2023-03-14 21:30:28.000000000 +0100 
@@ -0,0 +1,30 @@ +From 3f6e215ea8d05e2760981c8ab5bce41879e54703 Mon Sep 17 00:00:00 2001 +From: Eli Zaretskii <e...@gnu.org> +Date: Sun, 26 Feb 2023 20:03:20 +0200 +Subject: Fix memory leak in etags.c + +This upstream patch has been incorporated to fix the problem: + + * lib-src/etags.c (process_file_name): Free malloc'ed vars (bug#61819). + +Origin: upstream, commit 0fde314f6f6e6664cddab1b2f0fe20629cd39d14 +Bug: https://debbugs.gnu.org/61819 +Bug-Debian: https://bugs.debian.org/1031888 +Forwarded: not-needed +--- + lib-src/etags.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib-src/etags.c b/lib-src/etags.c +index a6bd7f66e29..ea80ba6e49a 100644 +--- a/lib-src/etags.c ++++ b/lib-src/etags.c +@@ -1714,6 +1714,8 @@ process_file_name (char *file, language *lang) + int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1; + char *cmd = xmalloc (buf_len); + snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name); ++ free (new_real_name); ++ free (new_tmp_name); + #endif + inf = (system (cmd) == -1 + ? NULL diff -Nru emacs-28.2+1/debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch emacs-28.2+1/debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch --- emacs-28.2+1/debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch 2023-03-14 21:30:28.000000000 +0100 
@@ -0,0 +1,71 @@ +From a7bd44852551bd9a4c04d56bac64a6ca3d9af9a3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <u...@gentoo.org> +Date: Mon, 19 Dec 2022 16:51:20 +0100 +Subject: Fix quoted argument in emacsclient-mail.desktop (CVE-2023-27985) + +This upstream patch has been incorporated to fix the problem: + + Fix quoted argument in emacsclient-mail.desktop Exec key + + Apparently the emacsclient-mail.desktop file doesn't conform to the + Desktop Entry Specification at + https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables + which says about the Exec key: + + | Field codes must not be used inside a quoted argument, the result of + | field code expansion inside a quoted argument is undefined. + + However, the %u field code is used inside a quoted argument of the + Exec key in both the [Desktop Entry] and [Desktop Action new-window] + sections. + * etc/emacsclient-mail.desktop (Exec): The Desktop Entry + Specification does not allow field codes like %u inside a quoted + argument. Work around it by passing %u as first parameter ($1) + to the shell wrapper. + * etc/emacsclient.desktop (Exec): Use `sh` rather than `placeholder` + as the command name of the shell wrapper. 
(Bug#60204) + +Origin: upstream, commit d32091199ae5de590a83f1542a01d75fba000467 +Bug: https://debbugs.gnu.org/60204 +Bug-Debian: https://bugs.debian.org/1032538 +Forwarded: not-needed +--- + etc/emacsclient-mail.desktop | 4 ++-- + etc/emacsclient.desktop | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop +index b575a41758a..91df122c594 100644 +--- a/etc/emacsclient-mail.desktop ++++ b/etc/emacsclient-mail.desktop +@@ -1,7 +1,7 @@ + [Desktop Entry] + Categories=Network;Email; + Comment=GNU Emacs is an extensible, customizable text editor - and more +-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)" ++Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u + Icon=emacs + Name=Emacs (Mail, Client) + MimeType=x-scheme-handler/mailto; +@@ -13,7 +13,7 @@ Actions=new-window;new-instance; + + [Desktop Action new-window] + Name=New Window +-Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")" ++Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u + + [Desktop Action new-instance] + Name=New Instance +diff --git a/etc/emacsclient.desktop b/etc/emacsclient.desktop +index 1ecdecffafd..a9f840c7033 100644 +--- a/etc/emacsclient.desktop ++++ b/etc/emacsclient.desktop +@@ -3,7 +3,7 @@ Name=Emacs (Client) + GenericName=Text Editor + Comment=Edit text + MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++; +-Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" placeholder %F 
++Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient --alternate-editor= --create-frame; fi" sh %F + Icon=emacs + Type=Application + Terminal=false diff -Nru emacs-28.2+1/debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch emacs-28.2+1/debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch --- emacs-28.2+1/debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch 1970-01-01 01:00:00.000000000 +0100 +++ emacs-28.2+1/debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch 2023-03-14 21:30:28.000000000 +0100 
@@ -0,0 +1,56 @@ +From 4e6971c25c27c9a3f34cc69b51db894105362d08 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <u...@gentoo.org> +Date: Tue, 7 Mar 2023 18:25:37 +0100 +Subject: Fix code injection vulnerability (CVE-2023-27986) + +This upstream patch has been incorporated to fix the problem: + + Fix Elisp code injection vulnerability in emacsclient-mail.desktop + + A crafted mailto URI could contain unescaped double-quote + characters, allowing injection of Elisp code. Therefore, any + '\' and '"' characters are replaced by '\\' and '\"', using Bash + pattern substitution (which is not available in the POSIX shell). + + We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the + bash -c command, but in the desktop entry '"', '$', and '\' must + be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes + are expanded twice, see the Desktop Entry Specification). + + Reported by Gabriel Corona <gabriel.cor...@free.fr>. + + * etc/emacsclient-mail.desktop (Exec): Escape backslash and + double-quote characters. 
+ +Origin: upstream, commit 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc +Bug-Debian: https://bugs.debian.org/1032538 +Forwarded: not-needed +--- + etc/emacsclient-mail.desktop | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop +index 91df122c594..49c6f99f317 100644 +--- a/etc/emacsclient-mail.desktop ++++ b/etc/emacsclient-mail.desktop +@@ -1,7 +1,10 @@ + [Desktop Entry] + Categories=Network;Email; + Comment=GNU Emacs is an extensible, customizable text editor - and more +-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u ++# We want to pass the following commands to the shell wrapper: ++# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")" ++# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'. ++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u + Icon=emacs + Name=Emacs (Mail, Client) + MimeType=x-scheme-handler/mailto; +@@ -13,7 +16,7 @@ Actions=new-window;new-instance; + + [Desktop Action new-window] + Name=New Window +-Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u ++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u + + [Desktop Action new-instance] + Name=New Instance diff -Nru emacs-28.2+1/debian/patches/series emacs-28.2+1/debian/patches/series --- emacs-28.2+1/debian/patches/series 2023-01-18 01:32:40.000000000 +0100 +++ emacs-28.2+1/debian/patches/series 2023-03-14 21:30:28.000000000 +0100 
@@ -17,3 +17,9 @@ 0017-Add-inhibit-native-compilation.patch 0018-Rename-to-inhibit-automatic-native-compilation.patch 0019-Fix-copyright-tests-for-2023-onwards.patch +0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch +0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch +0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch +0023-Fix-memory-leak-in-etags.c.patch +0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch +0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
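Review bot: the 1:28.2+1-13 entry in the debian/changelog hunk names CVE-2023-27984, but the patch it describes, 0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch, is titled CVE-2023-27985, so the identifier is off by one and should be corrected in the next upload, since the security tracker matches changelog CVE ids against the package. Suggested wording for that entry: `(CVE-2023-27985, CVE-2023-27986) (Closes: #1032538).`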
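Review bot: in the hfy-text-p hunk of 0020, `shell-quote-argument` wraps only the expanded file name, so the fix is complete only if `hfy-istext-command` is a plain format string whose `%s` is not itself surrounded by quotes; worth confirming the default value and noting in the docstring that the argument is now quoted, because a customized command that already quotes `%s` would now produce a doubly quoted argument and a false negative from the text check. Since the command is built from a fixed program and a single file-name argument, a shell-free alternative is to split the command words and pass the file name as a separate argument to `call-process` or `process-lines`, which removes `shell-command-to-string` and the need for quoting altogether.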
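Review bot: in the ruby-find-library-file hunk of 0021, quoting `feature-name` with `shell-quote-argument` before the `concat` is the right minimal fix for the `shell-command-to-string` call, but the command is `gem which` with exactly one argument, so `(process-lines "gem" "which" feature-name)` (or `call-process` with the argument passed separately) would avoid the shell entirely and make the quoting unnecessary. If the shell form is kept, note that the surrounding `(substring ... 0 -1)` assumes a trailing newline in the output and signals an args-out-of-range error on an empty string, so it should be guarded.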
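Review bot: in the process_file_name hunk of 0022, only the `#else` (POSIX) branch quotes `real_name` and `tmp_name` through `escape_shell_arg_string`; the `MSDOS || defined (DOS_NT)` branch still interpolates both names into double quotes with `snprintf` and no escaping, so a file name containing `"` still alters the command there, and either that branch needs equivalent quoting or the patch description should state that the fix is POSIX-only. Two smaller points in the same hunk: `buf_len` is an `int` holding a sum of `strlen` results, so `size_t` would avoid signed truncation on very long names; and `new_real_name` and `new_tmp_name` are never freed here (0023 in this same debdiff adds the two `free` calls). In the new `escape_shell_arg_string`, the parameter can be `const char *` since the input is only read, and the header comment should read "if single quotes are found, escape them"; the two worked examples in that comment (`'test.txt'` and `''\''test.txt'`) match what the two loops produce.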
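Review bot: in the emacsclient-mail.desktop hunks of 0024, moving `%u` out of the quoted argument and into `$1` fixes the Desktop Entry Specification violation, but the wrapper still splices `$1` into an Elisp string literal as `(message-mailto \"$1\")` with nothing escaping `"` or `\` inside the URI, so a URI is still read by the Elisp reader rather than handled purely as data; that is exactly the gap 0025 (CVE-2023-27986) closes, so the two patches must ship together, as they do in this series. In the emacsclient.desktop hunk, replacing `placeholder` with `sh` is correct rather than cosmetic: with `sh -c`, the first extra argument becomes `$0` and `$@` starts at the next one, so `%F` still lands in `$@` as before.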
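Review bot: in the two Exec hunks of 0025, the substitution order is the correct one: `u=${1//\\/\\\\}` doubles backslashes first and `u=${u//\"/\\\"}` escapes double quotes second, so the backslash inserted for a quote is not itself doubled; reversing the two would re-open the injection. Two follow-ups: the interpreter changes from `sh` to `bash` because pattern substitution is not POSIX (as the commit message says), so the package should carry a dependency on bash, and the explanatory `#` comment lines added above the Exec key describe the intended unescaped command and must be kept in sync if the Exec line changes again. Since the `[Desktop Action new-instance]` section is outside the hunk, confirm it does not pass `%u` into an `--eval` string in the same way.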