@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464"
SRC_URI = "https://ftp.gnu.org/pub/gnu/emacs/emacs-${PV}.tar.xz \
file://emacs-glibc-2.34.patch \
+ file://CVE-2022-48337.patch \
"
SRC_URI:append:class-target = " file://usemake-docfile-native.patch"
new file mode 100644
@@ -0,0 +1,108 @@
+From a10958677d359e016a4e857a9cd7c98258061f5f Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Tue, 6 Dec 2022 15:42:40 +0800
+Subject: [PATCH] Fix etags local command injection vulnerability
+
+From: lu4nx <lx@shellcodes.org>
+
+* lib-src/etags.c: (escape_shell_arg_string): New function.
+(process_file_name): Use it to quote file names passed to the
+shell. (Bug#59817)
+
+CVE: CVE-2022-48337
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index bb92f2b..7cecfe2 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -397,6 +397,7 @@ static void pfnote (char *, bool, char *, ptrdiff_t, intmax_t, intmax_t);
+ static void invalidate_nodes (fdesc *, node **);
+ static void put_entries (node *);
+
++static char *escape_shell_arg_string (char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+ static char *skip_non_spaces (char *);
+@@ -1635,13 +1636,16 @@ process_file_name (char *file, language *lang)
+ else
+ {
+ #if MSDOS || defined (DOS_NT)
+- char *cmd1 = concat (compr->command, " \"", real_name);
+- char *cmd = concat (cmd1, "\" > ", tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+- char *cmd1 = concat (compr->command, " '", real_name);
+- char *cmd = concat (cmd1, "' > ", tmp_name);
++ char *new_real_name = escape_shell_arg_string (real_name);
++ char *new_tmp_name = escape_shell_arg_string (tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+- free (cmd1);
+ int tmp_errno;
+ if (system (cmd) == -1)
+ {
+@@ -1685,6 +1689,55 @@ process_file_name (char *file, language *lang)
+ return;
+ }
+
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++ char *p = str;
++ int need_space = 2; /* ' at begin and end */
++
++ while (*p != '\0')
++ {
++ if (*p == '\'')
++ need_space += 4; /* ' to '\'', length is 4 */
++ else
++ need_space++;
++
++ p++;
++ }
++
++ char *new_str = xnew (need_space + 1, char);
++ new_str[0] = '\'';
++ new_str[need_space-1] = '\'';
++
++ int i = 1; /* skip first byte */
++ p = str;
++ while (*p != '\0')
++ {
++ new_str[i] = *p;
++ if (*p == '\'')
++ {
++ new_str[i+1] = '\\';
++ new_str[i+2] = '\'';
++ new_str[i+3] = '\'';
++ i += 3;
++ }
++
++ i++;
++ p++;
++ }
++
++ new_str[need_space] = '\0';
++ return new_str;
++}
++
+ static void
+ process_file (FILE *fh, char *fn, language *lang)
+ {
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-48337 Backport the patch that is referenced by he NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- meta-oe/recipes-support/emacs/emacs_27.2.bb | 1 + .../emacs/files/CVE-2022-48337.patch | 108 ++++++++++++++++++ 2 files changed, 109 insertions(+) create mode 100644 meta-oe/recipes-support/emacs/files/CVE-2022-48337.patch