[oe] [meta-oe][kirkstone][PATCH 4/4] emacs: patch CVE-2022-48337

Fri, 27 Feb 2026 07:40:41 -0800 

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-48337

Backport the patch that is referenced by he NVD advisory.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 meta-oe/recipes-support/emacs/emacs_27.2.bb   |   1 +
 .../emacs/files/CVE-2022-48337.patch          | 108 ++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 meta-oe/recipes-support/emacs/files/CVE-2022-48337.patch

diff --git a/meta-oe/recipes-support/emacs/emacs_27.2.bb 
b/meta-oe/recipes-support/emacs/emacs_27.2.bb
index 4a7e7aba5c..c17059b15d 100644
--- a/meta-oe/recipes-support/emacs/emacs_27.2.bb
+++ b/meta-oe/recipes-support/emacs/emacs_27.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464"
 
 SRC_URI = "https://ftp.gnu.org/pub/gnu/emacs/emacs-${PV}.tar.xz \
            file://emacs-glibc-2.34.patch \
+           file://CVE-2022-48337.patch \
           "
 SRC_URI:append:class-target = " file://usemake-docfile-native.patch"
 
diff --git a/meta-oe/recipes-support/emacs/files/CVE-2022-48337.patch 
b/meta-oe/recipes-support/emacs/files/CVE-2022-48337.patch
new file mode 100644
index 0000000000..351ffc4338
--- /dev/null
+++ b/meta-oe/recipes-support/emacs/files/CVE-2022-48337.patch
@@ -0,0 +1,108 @@
+From a10958677d359e016a4e857a9cd7c98258061f5f Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Tue, 6 Dec 2022 15:42:40 +0800
+Subject: [PATCH] Fix etags local command injection vulnerability
+
+From: lu4nx <[email protected]>
+
+* lib-src/etags.c: (escape_shell_arg_string): New function.
+(process_file_name): Use it to quote file names passed to the
+shell.  (Bug#59817)
+
+CVE: CVE-2022-48337
+Upstream-Status: Backport 
[https://cgit.git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index bb92f2b..7cecfe2 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -397,6 +397,7 @@ static void pfnote (char *, bool, char *, ptrdiff_t, 
intmax_t, intmax_t);
+ static void invalidate_nodes (fdesc *, node **);
+ static void put_entries (node *);
+ 
++static char *escape_shell_arg_string (char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+ static char *skip_non_spaces (char *);
+@@ -1635,13 +1636,16 @@ process_file_name (char *file, language *lang)
+       else
+       {
+ #if MSDOS || defined (DOS_NT)
+-        char *cmd1 = concat (compr->command, " \"", real_name);
+-        char *cmd = concat (cmd1, "\" > ", tmp_name);
++          int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + 
strlen (real_name) + strlen (tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, 
real_name, tmp_name);
+ #else
+-        char *cmd1 = concat (compr->command, " '", real_name);
+-        char *cmd = concat (cmd1, "' > ", tmp_name);
++          char *new_real_name = escape_shell_arg_string (real_name);
++          char *new_tmp_name = escape_shell_arg_string (tmp_name);
++          int buf_len = strlen (compr->command) + strlen ("  > ") + strlen 
(new_real_name) + strlen (new_tmp_name) + 1;
++          char *cmd = xmalloc (buf_len);
++          snprintf (cmd, buf_len, "%s %s > %s", compr->command, 
new_real_name, new_tmp_name);
+ #endif
+-        free (cmd1);
+         int tmp_errno;
+         if (system (cmd) == -1)
+           {
+@@ -1685,6 +1689,55 @@ process_file_name (char *file, language *lang)
+   return;
+ }
+ 
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++  char *p = str;
++  int need_space = 2;           /* ' at begin and end */
++
++  while (*p != '\0')
++    {
++      if (*p == '\'')
++        need_space += 4;        /* ' to '\'', length is 4 */
++      else
++        need_space++;
++
++      p++;
++    }
++
++  char *new_str = xnew (need_space + 1, char);
++  new_str[0] = '\'';
++  new_str[need_space-1] = '\'';
++
++  int i = 1;                    /* skip first byte */
++  p = str;
++  while (*p != '\0')
++    {
++      new_str[i] = *p;
++      if (*p == '\'')
++        {
++          new_str[i+1] = '\\';
++          new_str[i+2] = '\'';
++          new_str[i+3] = '\'';
++          i += 3;
++        }
++
++      i++;
++      p++;
++    }
++
++  new_str[need_space] = '\0';
++  return new_str;
++}
++
+ static void
+ process_file (FILE *fh, char *fn, language *lang)
+ {

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#124761): 
https://lists.openembedded.org/g/openembedded-devel/message/124761
Mute This Topic: https://lists.openembedded.org/mt/118031978/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to