Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
10-shebang.patch | Make lintian happy | Sebastien Delafond <seb@debian.org> | not-needed | |||
30-local-mk.patch | Generate all the doc. including the refcard | Sebastien Delafond <seb@debian.org> | not-needed | |||
0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch | Fix command injection vulnerability CVE-2023-28617 https://security-tracker.debian.org/tracker/CVE-2023-28617 Trivially backport the following upstream patch like emacs-1:28.2+1-15 did: * lisp/ob-latex.el: Fix command injection vulnerability (org-babel-execute:latex): Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'. TINYCHANGE The second patch of the series does not appear to be needed by Org-mode 9.4.0. | Xi Lu <lx@shellcodes.org> | no | debian | https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741 | 2023-03-11 |
CVE-2024-30203_CVE-2024-30204_01.patch | org-latex-preview: Add protection when `untrusted-content' is non-nil * lisp/org/org.el (org--latex-preview-when-risky): New variable controlling how to handle LaTeX previews in Org files from untrusted origin. (org-latex-preview): Consult `org--latex-preview-when-risky' before generating previews. This patch adds a layer of protection when LaTeX preview is requested for an email attachment, where `untrusted-content' is set to non-nil. (cherry picked from Emacs commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c) | Ihor Radchenko <yantar92@posteo.net> | no | | | 2024-02-20 |
CVE-2024-30203_CVE-2024-30204_02.patch | org: Add setting for remote file download policy * lisp/org/org.el (org-resource-download-policy, org-safe-remote-resources): Two new customisations to configure the policy for downloading remote resources. (org--should-fetch-remote-resource-p, org--safe-remote-resource-p, org--confirm-resource-safe): Introduce the new function `org--should-fetch-remote-resource-p' for internal use determining whether a remote resource should be downloaded according to the download policy. This function makes use of two helper functions, `org--safe-remote-resource-p' and `org--confirm-resource-safe'. (org-file-contents): Apply `org--safe-remote-resource-p' to file downloading. * lisp/org/org-attach.el (org-attach-attach, org-attach-url): Apply `org--safe-remote-resource-p' to url downloading. (cherry picked from commit 0583a0c5eaa955d4370558b980b3772bb91dd057) | TEC <tec@tecosaur.com> | no | | | 2022-06-12 |
CVE-2024-30203_CVE-2024-30204_03.patch | org: Refactor rx to concat + regexp-opt * lisp/org.el (org--confirm-resource-safe): Since Emacs 26 doesn't support rx's (literal S) construct, use (concat (regexp-opt ...) ...) instead. (cherry picked from commit 6de5431acc8b77548e89c61a6ae0ebc1b57540bb) | TEC <tec@tecosaur.com> | no | | | 2022-07-24 |
CVE-2024-30203_CVE-2024-30204_04.patch | org: Correct regexp escaping to use regexp-quote * lisp/org.el (org--confirm-resource-safe): `regexp-opt' was accidentally used instead of `regexp-quote'. (cherry picked from commit 6ad53fa22eab5830f85a401960dc1e7d00154a27) | TEC <tec@tecosaur.com> | no | | | 2022-07-26 |
CVE-2024-30203_CVE-2024-30204_05.patch | org: Fix resource prompt in non-file buffers * lisp/org.el (org--confirm-resource-safe): When `buffer-file-name' is nil, skip over file-specific behaviour. (cherry picked from commit 4702a73031c77ba03b480b0848c137d5d8773e07) | TEC <git@tecosaur.net> | no | | | 2022-08-03 |
CVE-2024-30203_CVE-2024-30204_06.patch | org: Add "mark domain as safe" convenience action * lisp/org.el (org--confirm-resource-safe): Pick out domains from URLs, and provide an option of marking that domain as safe. (cherry picked from commit 1ae801e9c86d5b150fd085230722e4dac550df30) | TEC <git@tecosaur.net> | no | | | 2022-08-07 |
CVE-2024-30203_CVE-2024-30204_07.patch | org: Tweak styling of url in resource prompt * lisp/org.el (org--confirm-resource-safe): Style domain with a link, and url with an underline. (cherry picked from commit 1061db94acf785f4b8f1140649e3857d52693115) | TEC <git@tecosaur.net> | no | | | 2022-08-30 |
CVE-2024-30203_CVE-2024-30204_08.patch | org: Use buffer-base-buffer in safe resource fns * lisp/org.el (org--confirm-resource-safe, org--safe-remote-resource-p): Replace instances of buffer-file-name with (buffer-file-name (buffer-base-buffer)) so these functions work in indirect buffers. (cherry picked from commit 88329143c86b34195af68a8e5d5fd3d00a5dcae6) | TEC <git@tecosaur.net> | no | | | 2022-12-10 |
CVE-2024-30205_01.patch | org-file-contents: Consider all remote files unsafe * lisp/org/org.el (org-file-contents): When loading files, consider all remote files (like TRAMP-fetched files) unsafe, in addition to URLs. (cherry picked from Emacs commit 2bc865ace050ff118db43f01457f95f95112b877) | Ihor Radchenko <yantar92@posteo.net> | no | | | 2024-02-20 |
CVE-2024-30205_02.patch | org--confirm-resource-safe: Fix prompt when prompting in non-file Org buffers * lisp/org/org.el (org--confirm-resource-safe): When called from non-file buffer, do not put stray "f" in the prompt. (cherry picked from Emacs commit 7a5d7be52c5f0690ee47f30bfad973827261abf2) | Ihor Radchenko <yantar92@posteo.net> | no | | | 2024-02-23 |
CVE-2024-30205_03.patch | org: Fix security prompt for downloading remote resource * lisp/org.el (org--confirm-resource-safe): Do not assume that resource is safe when user replies "n" (do not download). (cherry picked from Emacs commit e56f0ef51bfdd0e03e817670754bc813fb3702a2) | Ihor Radchenko <yantar92@posteo.net> | no | | | 2024-02-02 |
org-link-expand-abbrev-Do-not-evaluate-arbitrary-uns.patch | org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link abbrevs that specify unsafe function. Instead, display a warning, and do not expand the abbrev. Clear all the text properties from the returned link, to avoid any potential vulnerabilities caused by properties that may contain arbitrary Elisp. | Ihor Radchenko <yantar92@posteo.net> | no | debian | https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8 | 2024-06-18 |