From af40e12cb742510e5d40a06ffc6dfca97e340dd6 Mon Sep 17 00:00:00 2001
From: Ulrich Müller
Date: Mon, 25 Mar 2024 15:39:54 +0100
Subject: 26.3, 27.2, 28.2: Backport security fixes from 29.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Ulrich Müller
---
emacs/26.3/08_all_org-remote-unsafe.patch | 30 +++++++++++
emacs/27.2/09_all_untrusted-content.patch | 84 +++++++++++++++++++++++++++++++
emacs/27.2/10_all_org-remote-unsafe.patch | 30 +++++++++++
emacs/28.2/10_all_org-macro-eval.patch | 35 +++++++++++++
emacs/28.2/11_all_untrusted-content.patch | 84 +++++++++++++++++++++++++++++++
emacs/28.2/12_all_org-remote-unsafe.patch | 30 +++++++++++
6 files changed, 293 insertions(+)
create mode 100644 emacs/26.3/08_all_org-remote-unsafe.patch
create mode 100644 emacs/27.2/09_all_untrusted-content.patch
create mode 100644 emacs/27.2/10_all_org-remote-unsafe.patch
create mode 100644 emacs/28.2/10_all_org-macro-eval.patch
create mode 100644 emacs/28.2/11_all_untrusted-content.patch
create mode 100644 emacs/28.2/12_all_org-remote-unsafe.patch
diff --git a/emacs/26.3/08_all_org-remote-unsafe.patch b/emacs/26.3/08_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..9124db5
--- /dev/null
+++ b/emacs/26.3/08_all_org-remote-unsafe.patch
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko
+Date: Tue Feb 20 14:59:20 2024 +0300
+
+ org-file-contents: Consider all remote files unsafe
+
+--- emacs-26.3/lisp/org/org.el
++++ emacs-26.3/lisp/org/org.el
+@@ -5297,12 +5297,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available. This option applies only if FILE is a URL."
+ (let* ((is-url (org-file-url-p file))
++ (is-remote (condition-case nil
++ (file-remote-p file)
++ ;; In case of error, be safe.
++ (t t)))
+ (cache (and is-url
+ (not nocache)
+ (gethash file org--file-cache))))
+ (cond
+ (cache)
+- (is-url
++ ((or is-url is-remote)
+ (with-current-buffer (url-retrieve-synchronously file)
+ (goto-char (point-min))
+ ;; Move point to after the url-retrieve header.
diff --git a/emacs/27.2/09_all_untrusted-content.patch b/emacs/27.2/09_all_untrusted-content.patch
new file mode 100644
index 0000000..0ff1d36
--- /dev/null
+++ b/emacs/27.2/09_all_untrusted-content.patch
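Review bot: The catch-all handler `(t t)` in the new `is-remote` binding of emacs/26.3/08_all_org-remote-unsafe.patch may not catch anything on the 26.3 series: as far as I know `condition-case` only began accepting `t` as a match-any condition in Emacs 27.1, so on 26.3 an error from `file-remote-p` would propagate instead of marking the file remote as the "be safe" comment intends. Writing the handler as `(error t)` keeps the fail-safe behaviour on every version this commit targets. Separately, here and in the 27.2 and 28.2 copies of this patch, a name that is remote but not a URL is now passed to `url-retrieve-synchronously`; if the intent on these older Org versions is simply to refuse such files, saying so in the patch header would help the next maintainer. `org-file-contents` begins and ends outside the hunk.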
@@ -0,0 +1,84 @@
+New variable untrusted-content
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit ccc188fcf98ad9166ee551fac9d94b2603c3a51b
+Author: Ihor Radchenko
+Date: Tue Feb 20 12:43:51 2024 +0300
+
+ * lisp/files.el (untrusted-content): New variable.
+
+commit 937b9042ad7426acdcca33e3d931d8f495bdd804
+Author: Ihor Radchenko
+Date: Tue Feb 20 12:44:30 2024 +0300
+
+ * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.
+
+commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
+Author: Ihor Radchenko
+Date: Tue Feb 20 12:47:24 2024 +0300
+
+ org-latex-preview: Add protection when `untrusted-content' is non-nil
+
+--- emacs-27.2/lisp/files.el
++++ emacs-27.2/lisp/files.el
+@@ -588,6 +588,14 @@
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+
++(defvar-local untrusted-content nil
++ "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (set (make-local-variable 'enable-local-variables) nil)
+--- emacs-27.2/lisp/gnus/mm-view.el
++++ emacs-27.2/lisp/gnus/mm-view.el
+@@ -466,6 +466,7 @@ mm-display-inline-fontify
+ (setq coding-system (mm-find-buffer-file-coding-system)))
+ (setq text (buffer-string))))
+ (with-temp-buffer
++ (setq untrusted-content t)
+ (buffer-disable-undo)
+ (mm-enable-multibyte)
+ (insert (cond ((eq charset 'gnus-decoded)
+--- emacs-27.2/lisp/org/org.el
++++ emacs-27.2/lisp/org/org.el
+@@ -1077,6 +1077,24 @@
+ :package-version '(Org . "8.0")
+ :type 'boolean)
+
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++ "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages. It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+ "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15827,6 +15845,7 @@ org-latex-preview
+ (interactive "P")
+ (cond
+ ((not (display-graphic-p)) nil)
++ ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+ ;; Clear whole buffer.
+ ((equal arg '(64))
+ (org-clear-latex-preview (point-min) (point-max))
diff --git a/emacs/27.2/10_all_org-remote-unsafe.patch b/emacs/27.2/10_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..65f6a34
--- /dev/null
+++ b/emacs/27.2/10_all_org-remote-unsafe.patch
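Review bot: The guard added to `org-latex-preview` in emacs/27.2/09_all_untrusted-content.patch, `((and untrusted-content (not org--latex-preview-when-risky)) nil)`, returns silently, so a user who invokes the command in a buffer marked untrusted gets no hint why nothing was rendered. It also sits ahead of the `;; Clear whole buffer.` branch, which means the clearing paths are blocked as well; that looks harmless but is probably unintended. I would either emit a short `message` from that clause or add a comment such as `;; Refuse to render (or clear) previews in buffers marked untrusted.` so the ordering reads as deliberate. The same applies to the 28.2 copy of this patch, and the body of `org-latex-preview` continues past the end of the hunk.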
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko
+Date: Tue Feb 20 14:59:20 2024 +0300
+
+ org-file-contents: Consider all remote files unsafe
+
+--- emacs-27.2/lisp/org/org.el
++++ emacs-27.2/lisp/org/org.el
+@@ -4665,12 +4665,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available. This option applies only if FILE is a URL."
+ (let* ((is-url (org-file-url-p file))
++ (is-remote (condition-case nil
++ (file-remote-p file)
++ ;; In case of error, be safe.
++ (t t)))
+ (cache (and is-url
+ (not nocache)
+ (gethash file org--file-cache))))
+ (cond
+ (cache)
+- (is-url
++ ((or is-url is-remote)
+ (with-current-buffer (url-retrieve-synchronously file)
+ (goto-char (point-min))
+ ;; Move point to after the url-retrieve header.
diff --git a/emacs/28.2/10_all_org-macro-eval.patch b/emacs/28.2/10_all_org-macro-eval.patch
new file mode 100644
index 0000000..d3c8bb7
--- /dev/null
+++ b/emacs/28.2/10_all_org-macro-eval.patch
@@ -0,0 +1,35 @@
+Prevent code evaluation in org-macro--set-templates
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit befa9fcaae29a6c9a283ba371c3c5234c7f644eb
+Author: Ihor Radchenko
+Date: Tue Feb 20 12:19:46 2024 +0300
+
+ org-macro--set-templates: Prevent code evaluation
+
+--- emacs-28.2/lisp/org/org-macro.el
++++ emacs-28.2/lisp/org/org-macro.el
+@@ -103,6 +103,13 @@ org-macro--set-templates
+ (let ((new-templates nil))
+ (pcase-dolist (`(,name . ,value) templates)
+ (let ((old-definition (assoc name new-templates)))
++ ;; This code can be evaluated unconditionally, as a part of
++ ;; loading Org mode. We *must not* evaluate any code present
++ ;; inside the Org buffer while loading. Org buffers may come
++ ;; from various sources, like received email messages from
++ ;; potentially malicious senders. Org mode might be used to
++ ;; preview such messages and no code evaluation from inside the
++ ;; received Org text should ever happen without user consent.
+ (when (and (stringp value) (string-match-p "\\`(eval\\>" value))
+ ;; Pre-process the evaluation form for faster macro expansion.
+ (let* ((args (org-macro--makeargs value))
+@@ -115,7 +122,7 @@ org-macro--set-templates
+ (cadr (read value))
+ (error
+ (user-error "Invalid definition for macro %S" name)))))
+- (setq value (eval (macroexpand-all `(lambda ,args ,body)) t))))
++ (setq value `(lambda ,args ,body))))
+ (cond ((and value old-definition) (setcdr old-definition value))
+ (old-definition)
+ (t (push (cons name (or value "")) new-templates)))))
diff --git a/emacs/28.2/11_all_untrusted-content.patch b/emacs/28.2/11_all_untrusted-content.patch
new file mode 100644
index 0000000..4cd20c0
--- /dev/null
+++ b/emacs/28.2/11_all_untrusted-content.patch
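Review bot: The context comment `;; Pre-process the evaluation form for faster macro expansion.` in emacs/28.2/10_all_org-macro-eval.patch no longer describes the block once the new `setq` stores the quoted lambda form instead of the result of `eval` and `macroexpand-all`. I would reword it along the lines of `;; Build the macro function form; do not evaluate or macroexpand it while loading.` so the security intent and the code agree. It is also worth recording in the patch header that the removed call passed `t` for lexical binding, whereas a bare lambda list is, as far as I can tell, run under dynamic binding when it is later called, so macro bodies that relied on lexical scoping may behave differently. `org-macro--set-templates` starts and ends outside the hunks shown.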
@@ -0,0 +1,84 @@
+New variable untrusted-content
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit ccc188fcf98ad9166ee551fac9d94b2603c3a51b
+Author: Ihor Radchenko
+Date: Tue Feb 20 12:43:51 2024 +0300
+
+ * lisp/files.el (untrusted-content): New variable.
+
+commit 937b9042ad7426acdcca33e3d931d8f495bdd804
+Author: Ihor Radchenko
+Date: Tue Feb 20 12:44:30 2024 +0300
+
+ * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.
+
+commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
+Author: Ihor Radchenko
+Date: Tue Feb 20 12:47:24 2024 +0300
+
+ org-latex-preview: Add protection when `untrusted-content' is non-nil
+
+--- emacs-28.2/lisp/files.el
++++ emacs-28.2/lisp/files.el
+@@ -623,6 +623,14 @@
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+
++(defvar-local untrusted-content nil
++ "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (setq-local enable-local-variables nil)
+--- emacs-28.2/lisp/gnus/mm-view.el
++++ emacs-28.2/lisp/gnus/mm-view.el
+@@ -504,6 +504,7 @@ mm-display-inline-fontify
+ (setq coding-system (mm-find-buffer-file-coding-system)))
+ (setq text (buffer-string))))
+ (with-temp-buffer
++ (setq untrusted-content t)
+ (buffer-disable-undo)
+ (mm-enable-multibyte)
+ (insert (cond ((eq charset 'gnus-decoded)
+--- emacs-28.2/lisp/org/org.el
++++ emacs-28.2/lisp/org/org.el
+@@ -1092,6 +1092,24 @@
+ :package-version '(Org . "8.0")
+ :type 'boolean)
+
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++ "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages. It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+ "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -16000,6 +16018,7 @@ org-latex-preview
+ (interactive "P")
+ (cond
+ ((not (display-graphic-p)) nil)
++ ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+ ;; Clear whole buffer.
+ ((equal arg '(64))
+ (org-clear-latex-preview (point-min) (point-max))
diff --git a/emacs/28.2/12_all_org-remote-unsafe.patch b/emacs/28.2/12_all_org-remote-unsafe.patch
new file mode 100644
index 0000000..7236589
--- /dev/null
+++ b/emacs/28.2/12_all_org-remote-unsafe.patch
@@ -0,0 +1,30 @@
+org-mode should consider remote files unsafe
+Backported from emacs-29 branch
+https://bugs.gentoo.org/927727
+
+commit 2bc865ace050ff118db43f01457f95f95112b877
+Author: Ihor Radchenko
+Date: Tue Feb 20 14:59:20 2024 +0300
+
+ org-file-contents: Consider all remote files unsafe
+
+--- emacs-28.2/lisp/org/org.el
++++ emacs-28.2/lisp/org/org.el
+@@ -4705,12 +4705,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available. This option applies only if FILE is a URL."
+ (let* ((is-url (org-url-p file))
++ (is-remote (condition-case nil
++ (file-remote-p file)
++ ;; In case of error, be safe.
++ (t t)))
+ (cache (and is-url
+ (not nocache)
+ (gethash file org--file-cache))))
+ (cond
+ (cache)
+- (is-url
++ ((or is-url is-remote)
+ (with-current-buffer (url-retrieve-synchronously file)
+ (goto-char (point-min))
+ ;; Move point to after the url-retrieve header.
-- cgit v1.2.3-65-gdbad