Your message dated Tue, 21 Mar 2023 21:35:27 +0000
with message-id <e1pejdf-004yx8...@respighi.debian.org>
and subject line unblock emacs
has caused the Debian Bug report #1033268,
regarding unblock: emacs/1:28.2+1-13
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033268: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033268
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: em...@packages.debian.org, Sean Whitton 
<spwhit...@spwhitton.name>, j...@debian.org, car...@debian.org
Control: affects -1 + src:emacs

Hi release team members,

Please unblock package emacs

Sean might give some additional input if you need some additional
information. Between 1:28.2+1-10 and 1:28.2+1-13 of emacs, there were
security fixes for CVE-2022-48337, CVE-2022-48338, CVE-2022-48339,
CVE-2023-27985 and CVE-2023-27986.

CVE-2022-48337, CVE-2022-48338 and CVE-2022-48339 were covered as well
in DSA-5360-1 for bullseye.

Can you please unblock emacs/1:28.2+1-13 so we do not have regression
for those fixes from bullseye to bookworm?

(note the -13 entry has a off-by-one typo in one CVE identifier)

Regards,
Salvatore
diff -Nru emacs-28.2+1/debian/.git-dpm emacs-28.2+1/debian/.git-dpm
--- emacs-28.2+1/debian/.git-dpm        2023-01-18 01:32:40.000000000 +0100
+++ emacs-28.2+1/debian/.git-dpm        2023-03-14 21:30:28.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-595617abab6964ac0c6e617bae3d82692bf298b9
-595617abab6964ac0c6e617bae3d82692bf298b9
+4e6971c25c27c9a3f34cc69b51db894105362d08
+4e6971c25c27c9a3f34cc69b51db894105362d08
 279b82e64e15b5e2df3cb522636c6db85a8ee659
 279b82e64e15b5e2df3cb522636c6db85a8ee659
 emacs_28.2+1.orig.tar.xz
diff -Nru emacs-28.2+1/debian/changelog emacs-28.2+1/debian/changelog
--- emacs-28.2+1/debian/changelog       2023-01-18 01:32:40.000000000 +0100
+++ emacs-28.2+1/debian/changelog       2023-03-14 21:30:28.000000000 +0100
@@ -1,3 +1,24 @@
+emacs (1:28.2+1-13) unstable; urgency=high
+
+  * Cherry-pick upstream fixes for command injection vulnerabilities
+    (CVE-2023-27984, CVE-2023-27986) (Closes: #1032538).
+
+ -- Sean Whitton <spwhit...@spwhitton.name>  Tue, 14 Mar 2023 13:30:28 -0700
+
+emacs (1:28.2+1-12) unstable; urgency=medium
+
+  * Fix memory leak in etags.c introduced by recent security fix.
+    Thanks to Adrian Bunk for identifying the issue.
+
+ -- Sean Whitton <spwhit...@spwhitton.name>  Thu, 02 Mar 2023 12:21:19 -0700
+
+emacs (1:28.2+1-11) unstable; urgency=high
+
+  * Cherry-pick upstream fixes for command injection vulnerabilities
+    (CVE-2022-48337, CVE-2022-48338, CVE-2022-48339) (Closes: #1031730).
+
+ -- Sean Whitton <spwhit...@spwhitton.name>  Wed, 22 Feb 2023 11:01:50 -0700
+
 emacs (1:28.2+1-10) unstable; urgency=medium
 
   * Fix copyright tests for 2023 onwards.  Thanks to Mattias EngdegÄrd for
diff -Nru 
emacs-28.2+1/debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
 
emacs-28.2+1/debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
--- 
emacs-28.2+1/debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
emacs-28.2+1/debian/patches/0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
 2023-03-14 21:30:28.000000000 +0100
@@ -0,0 +1,33 @@
+From 665489d7de786a61fa0c0883b9dffbc76487e37e Mon Sep 17 00:00:00 2001
+From: Xi Lu <l...@shellcodes.org>
+Date: Sat, 24 Dec 2022 16:28:54 +0800
+Subject: Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+
+This upstream patch has been incorporated to fix the problem:
+
+  Fix htmlfontify.el command injection vulnerability.
+
+  * lisp/htmlfontify.el (hfy-text-p): Fix command injection
+  vulnerability.  (Bug#60295)
+
+Origin: upstream, commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Bug: https://debbugs.gnu.org/60295
+Bug-Debian: https://bugs.debian.org/1031730
+Forwarded: not-needed
+---
+ lisp/htmlfontify.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
+index 115f67c9560..f8d1e205369 100644
+--- a/lisp/htmlfontify.el
++++ b/lisp/htmlfontify.el
+@@ -1882,7 +1882,7 @@ hfy-make-directory
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument 
(expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
diff -Nru 
emacs-28.2+1/debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
 
emacs-28.2+1/debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
--- 
emacs-28.2+1/debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
emacs-28.2+1/debian/patches/0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
 2023-03-14 21:30:28.000000000 +0100
@@ -0,0 +1,33 @@
+From 52fb40cf6a3c50c996cff79b0d4f81fc39c7badf Mon Sep 17 00:00:00 2001
+From: Xi Lu <l...@shellcodes.org>
+Date: Fri, 23 Dec 2022 12:52:48 +0800
+Subject: Fix ruby-mode.el command injection vulnerability (CVE-2022-48338)
+
+This upstream patch has been incorporated to fix the problem:
+
+  Fix ruby-mode.el local command injection vulnerability (bug#60268)
+
+  * lisp/progmodes/ruby-mode.el
+  (ruby-find-library-file): Fix local command injection vulnerability.
+
+Origin: upstream, commit 22fb5ff5126dc8bb01edaa0252829d853afb284f
+Bug: https://debbugs.gnu.org/60268
+Bug-Debian: https://bugs.debian.org/1031730
+Forwarded: not-needed
+---
+ lisp/progmodes/ruby-mode.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
+index 72631a6557f..9b05b04a52c 100644
+--- a/lisp/progmodes/ruby-mode.el
++++ b/lisp/progmodes/ruby-mode.el
+@@ -1819,7 +1819,7 @@ ruby-find-library-file
+       (setq feature-name (read-string "Feature name: " init))))
+   (let ((out
+          (substring
+-          (shell-command-to-string (concat "gem which " feature-name))
++          (shell-command-to-string (concat "gem which " (shell-quote-argument 
feature-name)))
+           0 -1)))
+     (if (string-match-p "\\`ERROR" out)
+         (user-error "%s" out)
diff -Nru 
emacs-28.2+1/debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch
 
emacs-28.2+1/debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch
--- 
emacs-28.2+1/debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
emacs-28.2+1/debian/patches/0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch
 2023-03-14 21:30:28.000000000 +0100
@@ -0,0 +1,111 @@
+From f8822cd42a828c42d9b76bcd32de7e595ffb73c1 Mon Sep 17 00:00:00 2001
+From: lu4nx <l...@shellcodes.org>
+Date: Tue, 6 Dec 2022 15:42:40 +0800
+Subject: Fix etags local command injection vulnerability (CVE-2022-48337)
+
+This upstream patch has been incorporated to fix the problem:
+
+  Fix etags local command injection vulnerability
+
+  * lib-src/etags.c: (escape_shell_arg_string): New function.
+  (process_file_name): Use it to quote file names passed to the
+  shell.  (Bug#59817)
+
+Origin: upstream, commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Bug: https://debbugs.gnu.org/59817
+Bug-Debian: https://bugs.debian.org/1031730
+Forwarded: not-needed
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index c9c32691016..a6bd7f66e29 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -408,6 +408,7 @@ #define xrnew(op, n, m) ((op) = xnrealloc (op, n, (m) * 
sizeof *(op)))
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+ 
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1704,13 +1705,16 @@ process_file_name (char *file, language *lang)
+       else
+       {
+ #if MSDOS || defined (DOS_NT)
+-        char *cmd1 = concat (compr->command, " \"", real_name);
+-        char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + 
strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, 
real_name, tmp_name);
+ #else
+-        char *cmd1 = concat (compr->command, " '", real_name);
+-        char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen 
(new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, 
new_real_name, new_tmp_name);
+ #endif
+-        free (cmd1);
+         inf = (system (cmd) == -1
+                ? NULL
+                : fopen (tmp_name, "r" FOPEN_BINARY));
+@@ -7689,6 +7693,55 @@ etags_mktmp (void)
+   return templt;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff -Nru emacs-28.2+1/debian/patches/0023-Fix-memory-leak-in-etags.c.patch 
emacs-28.2+1/debian/patches/0023-Fix-memory-leak-in-etags.c.patch
--- emacs-28.2+1/debian/patches/0023-Fix-memory-leak-in-etags.c.patch   
1970-01-01 01:00:00.000000000 +0100
+++ emacs-28.2+1/debian/patches/0023-Fix-memory-leak-in-etags.c.patch   
2023-03-14 21:30:28.000000000 +0100
@@ -0,0 +1,30 @@
+From 3f6e215ea8d05e2760981c8ab5bce41879e54703 Mon Sep 17 00:00:00 2001
+From: Eli Zaretskii <e...@gnu.org>
+Date: Sun, 26 Feb 2023 20:03:20 +0200
+Subject: Fix memory leak in etags.c
+
+This upstream patch has been incorporated to fix the problem:
+
+  * lib-src/etags.c (process_file_name): Free malloc'ed vars (bug#61819).
+
+Origin: upstream, commit 0fde314f6f6e6664cddab1b2f0fe20629cd39d14
+Bug: https://debbugs.gnu.org/61819
+Bug-Debian: https://bugs.debian.org/1031888
+Forwarded: not-needed
+---
+ lib-src/etags.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index a6bd7f66e29..ea80ba6e49a 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -1714,6 +1714,8 @@ process_file_name (char *file, language *lang)
+           int buf_len = strlen (compr->command) + strlen ("  > ") + strlen 
(new_real_name) + strlen (new_tmp_name) + 1;
+           char *cmd = xmalloc (buf_len);
+           snprintf (cmd, buf_len, "%s %s > %s", compr->command, 
new_real_name, new_tmp_name);
++        free (new_real_name);
++        free (new_tmp_name);
+ #endif
+         inf = (system (cmd) == -1
+                ? NULL
diff -Nru 
emacs-28.2+1/debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
 
emacs-28.2+1/debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
--- 
emacs-28.2+1/debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
emacs-28.2+1/debian/patches/0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
 2023-03-14 21:30:28.000000000 +0100
@@ -0,0 +1,71 @@
+From a7bd44852551bd9a4c04d56bac64a6ca3d9af9a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <u...@gentoo.org>
+Date: Mon, 19 Dec 2022 16:51:20 +0100
+Subject: Fix quoted argument in emacsclient-mail.desktop (CVE-2023-27985)
+
+This upstream patch has been incorporated to fix the problem:
+
+  Fix quoted argument in emacsclient-mail.desktop Exec key
+
+  Apparently the emacsclient-mail.desktop file doesn't conform to the
+  Desktop Entry Specification at
+  
https://specifications.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html#exec-variables
+  which says about the Exec key:
+
+  | Field codes must not be used inside a quoted argument, the result of
+  | field code expansion inside a quoted argument is undefined.
+
+  However, the %u field code is used inside a quoted argument of the
+  Exec key in both the [Desktop Entry] and [Desktop Action new-window]
+  sections.
+  * etc/emacsclient-mail.desktop (Exec): The Desktop Entry
+  Specification does not allow field codes like %u inside a quoted
+  argument. Work around it by passing %u as first parameter ($1)
+  to the shell wrapper.
+  * etc/emacsclient.desktop (Exec): Use `sh` rather than `placeholder`
+  as the command name of the shell wrapper.  (Bug#60204)
+
+Origin: upstream, commit d32091199ae5de590a83f1542a01d75fba000467
+Bug: https://debbugs.gnu.org/60204
+Bug-Debian: https://bugs.debian.org/1032538
+Forwarded: not-needed
+---
+ etc/emacsclient-mail.desktop | 4 ++--
+ etc/emacsclient.desktop      | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
+index b575a41758a..91df122c594 100644
+--- a/etc/emacsclient-mail.desktop
++++ b/etc/emacsclient-mail.desktop
+@@ -1,7 +1,7 @@
+ [Desktop Entry]
+ Categories=Network;Email;
+ Comment=GNU Emacs is an extensible, customizable text editor - and more
+-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" 
--eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)"
++Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" 
--eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+ Icon=emacs
+ Name=Emacs (Mail, Client)
+ MimeType=x-scheme-handler/mailto;
+@@ -13,7 +13,7 @@ Actions=new-window;new-instance;
+ 
+ [Desktop Action new-window]
+ Name=New Window
+-Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto 
\\"%u\\")"
++Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval 
\\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+ 
+ [Desktop Action new-instance]
+ Name=New Instance
+diff --git a/etc/emacsclient.desktop b/etc/emacsclient.desktop
+index 1ecdecffafd..a9f840c7033 100644
+--- a/etc/emacsclient.desktop
++++ b/etc/emacsclient.desktop
+@@ -3,7 +3,7 @@ Name=Emacs (Client)
+ GenericName=Text Editor
+ Comment=Edit text
+ 
MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++;
+-Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= 
--display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient 
--alternate-editor= --create-frame; fi" placeholder %F
++Exec=sh -c "if [ -n \\"\\$*\\" ]; then exec emacsclient --alternate-editor= 
--display=\\"\\$DISPLAY\\" \\"\\$@\\"; else exec emacsclient 
--alternate-editor= --create-frame; fi" sh %F
+ Icon=emacs
+ Type=Application
+ Terminal=false
diff -Nru 
emacs-28.2+1/debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
 
emacs-28.2+1/debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
--- 
emacs-28.2+1/debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
emacs-28.2+1/debian/patches/0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch
      2023-03-14 21:30:28.000000000 +0100
@@ -0,0 +1,56 @@
+From 4e6971c25c27c9a3f34cc69b51db894105362d08 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <u...@gentoo.org>
+Date: Tue, 7 Mar 2023 18:25:37 +0100
+Subject: Fix code injection vulnerability (CVE-2023-27986)
+
+This upstream patch has been incorporated to fix the problem:
+
+  Fix Elisp code injection vulnerability in emacsclient-mail.desktop
+
+  A crafted mailto URI could contain unescaped double-quote
+  characters, allowing injection of Elisp code.  Therefore, any
+  '\' and '"' characters are replaced by '\\' and '\"', using Bash
+  pattern substitution (which is not available in the POSIX shell).
+
+  We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the
+  bash -c command, but in the desktop entry '"', '$', and '\' must
+  be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes
+  are expanded twice, see the Desktop Entry Specification).
+
+  Reported by Gabriel Corona <gabriel.cor...@free.fr>.
+
+  * etc/emacsclient-mail.desktop (Exec): Escape backslash and
+  double-quote characters.
+
+Origin: upstream, commit 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc
+Bug-Debian: https://bugs.debian.org/1032538
+Forwarded: not-needed
+---
+ etc/emacsclient-mail.desktop | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
+index 91df122c594..49c6f99f317 100644
+--- a/etc/emacsclient-mail.desktop
++++ b/etc/emacsclient-mail.desktop
+@@ -1,7 +1,10 @@
+ [Desktop Entry]
+ Categories=Network;Email;
+ Comment=GNU Emacs is an extensible, customizable text editor - and more
+-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" 
--eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
++# We want to pass the following commands to the shell wrapper:
++# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= 
--display="$DISPLAY" --eval "(message-mailto \"$u\")"
++# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'.
++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; 
u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= 
--display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" 
bash %u
+ Icon=emacs
+ Name=Emacs (Mail, Client)
+ MimeType=x-scheme-handler/mailto;
+@@ -13,7 +16,7 @@ Actions=new-window;new-instance;
+ 
+ [Desktop Action new-window]
+ Name=New Window
+-Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval 
\\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
++Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; 
u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= 
--create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
+ 
+ [Desktop Action new-instance]
+ Name=New Instance
diff -Nru emacs-28.2+1/debian/patches/series emacs-28.2+1/debian/patches/series
--- emacs-28.2+1/debian/patches/series  2023-01-18 01:32:40.000000000 +0100
+++ emacs-28.2+1/debian/patches/series  2023-03-14 21:30:28.000000000 +0100
@@ -17,3 +17,9 @@
 0017-Add-inhibit-native-compilation.patch
 0018-Rename-to-inhibit-automatic-native-compilation.patch
 0019-Fix-copyright-tests-for-2023-onwards.patch
+0020-Fix-htmlfontify.el-command-injection-vulnerability-C.patch
+0021-Fix-ruby-mode.el-command-injection-vulnerability-CVE.patch
+0022-Fix-etags-local-command-injection-vulnerability-CVE-.patch
+0023-Fix-memory-leak-in-etags.c.patch
+0024-Fix-quoted-argument-in-emacsclient-mail.desktop-CVE-.patch
+0025-Fix-code-injection-vulnerability-CVE-2023-27986.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---

Reply via email to