Merge pull request #5175 from microsoft/pawelwi/emacs_cve_fix

Patched `emacs` to fix CVE-2023-28617.

Author: jslobodzian

SPECS/emacs/CVE-2023-28617.patch

@@ -0,0 +1,69 @@
+From 8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485 Mon Sep 17 00:00:00 2001
+From: Xi Lu <[email protected]>
+Date: Sat, 18 Feb 2023 18:03:28 +0800
+Subject: * lisp/ob-latex.el (org-babel-execute:latex): Fix command injection
+ vulnerability
+
+Link: https://orgmode.org/list/[email protected]
+
+TINYCHANGE
+---
+ lisp/org/ob-latex.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
+index 428907a..a0154bf 100644
+--- a/lisp/org/ob-latex.el
++++ b/lisp/org/ob-latex.el
+@@ -180,7 +180,7 @@ This function is called by `org-babel-execute-src-block'."
+ 	                     tmp-pdf
+                              (list org-babel-latex-pdf-svg-process)
+                              extension err-msg log-buf)))
+-              (shell-command (format "mv %s %s" img-out out-file)))))
++              (rename-file img-out out-file t))))
+          ((string-suffix-p ".tikz" out-file)
+ 	  (when (file-exists-p out-file) (delete-file out-file))
+ 	  (with-temp-file out-file
+--
+
+From a8006ea580ed74f27f974d60b598143b04ad1741 Mon Sep 17 00:00:00 2001
+From: Xi Lu <[email protected]>
+Date: Sat, 11 Mar 2023 18:53:37 +0800
+Subject: * lisp/ob-latex.el: Fix command injection vulnerability
+
+(org-babel-execute:latex):
+Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
+
+TINYCHANGE
+---
+ lisp/org/ob-latex.el | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
+index a2c24b3..ce39628 100644
+--- a/lisp/org/ob-latex.el
++++ b/lisp/org/ob-latex.el
+@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."
+ 	    (if (string-suffix-p ".svg" out-file)
+ 		(progn
+ 		  (shell-command "pwd")
+-		  (shell-command (format "mv %s %s"
+-					 (concat (file-name-sans-extension tex-file) "-1.svg")
+-					 out-file)))
++                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
++                               out-file t))
+ 	      (error "SVG file produced but HTML file requested")))
+ 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
+ 	    (if (string-suffix-p ".html" out-file)
+-		(shell-command "mv %s %s"
+-			       (concat (file-name-sans-extension tex-file)
+-				       ".html")
+-			       out-file)
+-	      (error "HTML file produced but SVG file requested")))))
++                (rename-file (concat (file-name-sans-extension tex-file) ".html")
++                             out-file t)
++              (error "HTML file produced but SVG file requested")))))
+ 	 ((or (string= "pdf" extension) imagemagick)
+ 	  (with-temp-file tex-file
+ 	    (require 'ox-latex)
+--

SPECS/emacs/emacs.spec

@@ -1,7 +1,7 @@
 Summary:        GNU Emacs text editor
 Name:           emacs
 Version:        28.2
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPLv3+ AND CC0-1.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,6 +13,7 @@ Patch1:         CVE-2022-48337.patch
 Patch2:         CVE-2022-48338.patch
 Patch3:         CVE-2022-48339.patch
 Patch4:         CVE-2023-27986.patch
+Patch5:         CVE-2023-28617.patch
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
 BuildRequires:  gnutls-devel
@@ -89,6 +90,9 @@ mkdir -p %{buildroot}%{_datadir}/emacs/site-lisp/site-start.d
 %dir %{_datadir}/emacs/site-lisp/site-start.d
 
 %changelog
+* Mon Mar 27 2023 Pawel Winogrodzki <[email protected]> - 28.2-5
+- Applied upstream patches to fix CVE-2023-28617.
+
 * Thu Mar 16 2023 Nicolas Guibourge <[email protected]> - 28.2-4
 - Apply upstream patches to fix CVE-2023-27986, CVE-2023-27985