From bfff201fff61c301a101ff751af7941a68a6e7b5 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Sun, 19 Oct 2025 19:37:11 +0200 Subject: [PATCH] emacs: patch CVE-2024-30205 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-30205 Pick the patch that's in the description. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal --- meta-oe/recipes-support/emacs/emacs_29.1.bb | 1 + ...nts-Consider-all-remote-files-unsafe.patch | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch diff --git a/meta-oe/recipes-support/emacs/emacs_29.1.bb b/meta-oe/recipes-support/emacs/emacs_29.1.bb index f0666a41c4..abc99d3e08 100644 --- a/meta-oe/recipes-support/emacs/emacs_29.1.bb +++ b/meta-oe/recipes-support/emacs/emacs_29.1.bb @@ -8,6 +8,7 @@ SRC_URI = "https://ftp.gnu.org/pub/gnu/emacs/emacs-${PV}.tar.xz \ file://0001-org-macro-set-templates-Prevent-code-evaluation.patch \ file://0001-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch \ file://0001-org-latex-preview-Add-protection-when-untrusted-cont.patch \ + file://0001-org-file-contents-Consider-all-remote-files-unsafe.patch \ " SRC_URI:append:class-target = " \ file://use-emacs-native-tools-for-cross-compiling.patch \ diff --git a/meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch b/meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch new file mode 100644 index 0000000000..7408f0e404 --- /dev/null +++ b/meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch @@ -0,0 +1,38 @@ +From 3a3bc6df4295ff7d5ea7193dfe0492cd858e1664 Mon Sep 17 00:00:00 2001 +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 14:59:20 +0300 +Subject: [PATCH] org-file-contents: Consider all remote files unsafe + +* lisp/org/org.el (org-file-contents): When loading files, consider all +remote files (like TRAMP-fetched files) unsafe, in addition to URLs. + +CVE: CVE-2024-30205 +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877] + +Signed-off-by: Gyorgy Sarvari +--- + lisp/org/org.el | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lisp/org/org.el b/lisp/org/org.el +index ab58978..03140bd 100644 +--- a/lisp/org/org.el ++++ b/lisp/org/org.el +@@ -4576,12 +4576,16 @@ from file or URL, and return nil. + If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version + is available. This option applies only if FILE is a URL." + (let* ((is-url (org-url-p file)) ++ (is-remote (condition-case nil ++ (file-remote-p file) ++ ;; In case of error, be safe. ++ (t t))) + (cache (and is-url + (not nocache) + (gethash file org--file-cache)))) + (cond + (cache) +- (is-url ++ ((or is-url is-remote) + (if (org--should-fetch-remote-resource-p file) + (condition-case error + (with-current-buffer (url-retrieve-synchronously file)