@@ -13,6 +13,7 @@ SRC_URI:append:class-target = " \
file://0001-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch \
file://0001-org-latex-preview-Add-protection-when-untrusted-cont.patch \
file://0001-org-file-contents-Consider-all-remote-files-unsafe.patch \
+ file://0001-org-link-expand-abbrev-Do-not-evaluate-arbitrary-uns.patch \
"
SRC_URI[sha256sum] = "d2f881a5cc231e2f5a03e86f4584b0438f83edd7598a09d24a21bd8d003e2e01"
new file mode 100644
@@ -0,0 +1,71 @@
+From 8b8866eb94c7b7140ba94eb2b4e6ead14c0d986d Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Fri, 21 Jun 2024 15:45:25 +0200
+Subject: [PATCH] org-link-expand-abbrev: Do not evaluate arbitrary unsafe
+ Elisp code
+
+* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...)
+link abbrevs that specify unsafe function. Instead, display a
+warning, and do not expand the abbrev. Clear all the text properties
+from the returned link, to avoid any potential vulnerabilities caused
+by properties that may contain arbitrary Elisp.
+
+CVE: CVE-2024-39331
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/emacs.git/commit/?id=c645e1d8205f0f0663ec4a2d27575b238c646c7c]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ lisp/org/ol.el | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/lisp/org/ol.el b/lisp/org/ol.el
+index 9ad191c..c15128f 100644
+--- a/lisp/org/ol.el
++++ b/lisp/org/ol.el
+@@ -1063,17 +1063,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
+ (if (not as)
+ link
+ (setq rpl (cdr as))
+- (cond
+- ((symbolp rpl) (funcall rpl tag))
+- ((string-match "%(\\([^)]+\\))" rpl)
+- (replace-match
+- (save-match-data
+- (funcall (intern-soft (match-string 1 rpl)) tag))
+- t t rpl))
+- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+- ((string-match "%h" rpl)
+- (replace-match (url-hexify-string (or tag "")) t t rpl))
+- (t (concat rpl tag)))))))
++ ;; Drop any potentially dangerous text properties like
++ ;; `modification-hooks' that may be used as an attack vector.
++ (substring-no-properties
++ (cond
++ ((symbolp rpl) (funcall rpl tag))
++ ((string-match "%(\\([^)]+\\))" rpl)
++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++ ;; Using `unsafep-function' is not quite enough because
++ ;; Emacs considers functions like `genenv' safe, while
++ ;; they can potentially be used to expose private system
++ ;; data to attacker if abbreviated link is clicked.
++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++ (eq t (get rpl-fun-symbol 'pure)))
++ (replace-match
++ (save-match-data
++ (funcall (intern-soft (match-string 1 rpl)) tag))
++ t t rpl)
++ (org-display-warning
++ (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++ rpl (match-string 1 rpl)))
++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++ org-link-abbrev-alist (delete as org-link-abbrev-alist))
++ link
++ )))
++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++ ((string-match "%h" rpl)
++ (replace-match (url-hexify-string (or tag "")) t t rpl))
++ (t (concat rpl tag))))))))
+
+ (defun org-link-open (link &optional arg)
+ "Open a link object LINK.
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39331 Pick the patch that's mentioned in thee details. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- meta-oe/recipes-support/emacs/emacs_29.1.bb | 1 + ...abbrev-Do-not-evaluate-arbitrary-uns.patch | 71 +++++++++++++++++++ 2 files changed, 72 insertions(+) create mode 100644 meta-oe/recipes-support/emacs/files/0001-org-link-expand-abbrev-Do-not-evaluate-arbitrary-uns.patch