Debian Patches

Status for org-mode/9.4.0+dfsg-1+deb11u3

Patch Description Author Forwarded Bugs Origin Last update
10-shebang.patch Make lintian happy Sebastien Delafond <seb@debian.org> not-needed
30-local-mk.patch Generate all the doc. including the refcard Sebastien Delafond <seb@debian.org> not-needed
0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch Fix command injection vulnerability CVE-2023-28617
https://security-tracker.debian.org/tracker/CVE-2023-28617

Trivially backport the following upstream patch like emacs-1:28.2+1-15 did:

* lisp/ob-latex.el: Fix command injection vulnerability

(org-babel-execute:latex):
Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.

TINYCHANGE

The second patch of the series does not appear to be needed by Org-mode 9.4.0.
Xi Lu <lx@shellcodes.org> no debian https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=a8006ea580ed74f27f974d60b598143b04ad1741 2023-03-11
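The fix above replaces a shell invocation with a direct file operation. The Emacs Lisp below is an added illustration of why that matters and is not code from Org, from Emacs or from the Debian patch: it puts the vulnerable `(shell-command "mv ...")' pattern built from an interpolated file name next to the same command passed through `shell-quote-argument', and next to the `rename-file' call the upstream fix uses. The `demo-' functions and the constructed output name containing `;' are assumptions made here; it can be run with `emacs --batch -l file.el'.

```elisp
;;; Added illustration of the CVE-2023-28617 fix pattern.  Not Org's
;;; code: the demo- names and the sample file names are constructed here.
;;; Run with:  emacs --batch -l this-file.el

(defun demo-unsafe-mv-command (src dst)
  "Return the shell command the vulnerable pattern would have run.
The string is returned, not executed: DST is interpolated verbatim,
so any shell metacharacters it carries become part of the command line."
  (format "mv %s %s" src dst))

(defun demo-quoted-mv-command (src dst)
  "Same command with both operands passed through `shell-quote-argument'.
Only worth considering when a shell is unavoidable; the metacharacters
in DST are then plain data to the shell."
  (format "mv %s %s" (shell-quote-argument src) (shell-quote-argument dst)))

(defun demo-rename (src dst)
  "Move SRC to DST with `rename-file', as the upstream fix does.
No shell is involved, so DST can only ever be interpreted as a path.
Return DST once the file exists there."
  (rename-file src dst t)
  (and (file-exists-p dst) dst))

;; Constructed scenario: the output file name is attacker-controlled,
;; for example taken from a header argument in an untrusted Org document.
(let* ((dir (make-temp-file "org-demo-" t))
       (src (expand-file-name "figure.pdf" dir))
       (dst (expand-file-name "out.png; touch pwned" dir)))
  (with-temp-file src (insert "placeholder contents"))
  ;; A shell handed this string runs `touch pwned' as a second command.
  (message "vulnerable command: %s" (demo-unsafe-mv-command src dst))
  ;; Here the whole destination name is a single quoted shell word.
  (message "quoted command:     %s" (demo-quoted-mv-command src dst))
  ;; With `rename-file' the `;' is just a character in a file name.
  (message "renamed to:         %s" (demo-rename src dst))
  (delete-directory dir t))
```

Quoting is the fallback, not the fix: the upstream change removes the shell from the data path entirely, which also removes the need to reason about which characters a given shell treats specially.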
CVE-2024-30203_CVE-2024-30204_01.patch org-latex-preview: Add protection when `untrusted-content' is non-nil

* lisp/org/org.el (org--latex-preview-when-risky): New variable
controlling how to handle LaTeX previews in Org files from untrusted
origin.
(org-latex-preview): Consult `org--latex-preview-when-risky' before
generating previews.

This patch adds a layer of protection when LaTeX preview is requested
for an email attachment, where `untrusted-content' is set to non-nil.

(cherry picked from Emacs commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c)
Ihor Radchenko <yantar92@posteo.net> no 2024-02-20
CVE-2024-30203_CVE-2024-30204_02.patch org: Add setting for remote file download policy
* lisp/org/org.el (org-resource-download-policy, org-safe-remote-resources):
Two new customisations to configure the policy for downloading remote
resources.
(org--should-fetch-remote-resource-p, org--safe-remote-resource-p,
org--confirm-resource-safe): Introduce the new function
`org--should-fetch-remote-resource-p' for internal use determining
whether a remote resource should be downloaded according to the download
policy. This function makes use of two helper functions,
`org--safe-remote-resource-p' and `org--confirm-resource-safe'.
(org-file-contents): Apply `org--safe-remote-resource-p' to file
downloading.

* lisp/org/org-attach.el (org-attach-attach, org-attach-url): Apply
`org--safe-remote-resource-p' to url downloading.

(cherry picked from commit 0583a0c5eaa955d4370558b980b3772bb91dd057)
TEC <tec@tecosaur.com> no 2022-06-12
CVE-2024-30203_CVE-2024-30204_03.patch org: Refactor rx to concat + regexp-opt
* lisp/org.el (org--confirm-resource-safe): Since Emacs 26 doesn't
support rx's (literal S) construct, use (concat (regexp-opt ...) ...)
instead.

(cherry picked from commit 6de5431acc8b77548e89c61a6ae0ebc1b57540bb)
TEC <tec@tecosaur.com> no 2022-07-24
CVE-2024-30203_CVE-2024-30204_04.patch org: Correct regexp escaping to use regexp-quote
* lisp/org.el (org--confirm-resource-safe): `regexp-opt' was
accidentally used instead of `regexp-quote'.

(cherry picked from commit 6ad53fa22eab5830f85a401960dc1e7d00154a27)
TEC <tec@tecosaur.com> no 2022-07-26
CVE-2024-30203_CVE-2024-30204_05.patch org: Fix resource prompt in non-file buffers
* lisp/org.el (org--confirm-resource-safe): When `buffer-file-name' is
nil, skip over file-specific behaviour.

(cherry picked from commit 4702a73031c77ba03b480b0848c137d5d8773e07)
TEC <git@tecosaur.net> no 2022-08-03
CVE-2024-30203_CVE-2024-30204_06.patch org: Add "mark domain as safe" convenience action
* lisp/org.el (org--confirm-resource-safe): Pick out domains from URLs,
and provide an option of marking that domain as safe.

(cherry picked from commit 1ae801e9c86d5b150fd085230722e4dac550df30)
TEC <git@tecosaur.net> no 2022-08-07
CVE-2024-30203_CVE-2024-30204_07.patch org: Tweak styling of url in resource prompt
* lisp/org.el (org--confirm-resource-safe): Style domain with a link,
and url with an underline.

(cherry picked from commit 1061db94acf785f4b8f1140649e3857d52693115)
TEC <git@tecosaur.net> no 2022-08-30
CVE-2024-30203_CVE-2024-30204_08.patch org: Use buffer-base-buffer in safe resource fns
* lisp/org.el (org--confirm-resource-safe, org--safe-remote-resource-p):
Replace instances of buffer-file-name
with (buffer-file-name (buffer-base-buffer)) so these functions work in
indirect buffers.

(cherry picked from commit 88329143c86b34195af68a8e5d5fd3d00a5dcae6)
TEC <git@tecosaur.net> no 2022-12-10
CVE-2024-30205_01.patch org-file-contents: Consider all remote files unsafe
* lisp/org/org.el (org-file-contents): When loading files, consider all
remote files (like TRAMP-fetched files) unsafe, in addition to URLs.

(cherry picked from Emacs commit 2bc865ace050ff118db43f01457f95f95112b877)
Ihor Radchenko <yantar92@posteo.net> no 2024-02-20
CVE-2024-30205_02.patch org--confirm-resource-safe: Fix prompt when prompting in non-file Org buffers

* lisp/org/org.el (org--confirm-resource-safe): When called from
non-file buffer, do not put stray "f" in the prompt.

(cherry picked from Emacs commit 7a5d7be52c5f0690ee47f30bfad973827261abf2)
Ihor Radchenko <yantar92@posteo.net> no 2024-02-23
CVE-2024-30205_03.patch org: Fix security prompt for downloading remote resource
* lisp/org.el (org--confirm-resource-safe): Do not assume that
resource is safe when user replies "n" (do not download).

(cherry picked from Emacs commit e56f0ef51bfdd0e03e817670754bc813fb3702a2)
Ihor Radchenko <yantar92@posteo.net> no 2024-02-02
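The CVE-2024-30203/30204 series from _02 onward and the three CVE-2024-30205 patches describe one mechanism: a download policy, an allow-list of URI regexps, a prompt that can add a domain to that list, TRAMP paths treated as remote like URLs, and a correction so that answering "n" neither fetches nor marks the resource safe. The Emacs Lisp below is an added illustration of that decision logic, not Org's implementation and not the patched code. `org-resource-download-policy' and `org-safe-remote-resources' are the real variable names from the patches; the `demo-' variables and functions, their simplified three-value policy and the sample URIs are assumptions made here.

```elisp
;;; Added illustration of the remote-resource policy the patches above
;;; describe.  Not Org's code: `org-resource-download-policy' and
;;; `org-safe-remote-resources' are the real Org variables, the demo-
;;; names are stand-ins defined here, and the URIs are constructed.
;;; Run with:  emacs --batch -l this-file.el

(require 'cl-lib)
(require 'seq)
(require 'url-parse)

(defvar demo-resource-download-policy 'prompt
  "Stand-in for `org-resource-download-policy'.
Simplified here to three values: `always', `never', or `prompt'.")

(defvar demo-safe-remote-resources nil
  "Stand-in for `org-safe-remote-resources': regexps matching safe URIs.")

(defun demo-remote-resource-p (uri)
  "Non-nil if URI is a URL or a remote (TRAMP) file name.
The CVE-2024-30205_01 change extends the check from URLs to anything
`file-remote-p' recognises, so \"/ssh:host:/path\" counts as remote."
  (or (string-match-p "\\`[a-zA-Z][a-zA-Z0-9+.-]*://" uri)
      (file-remote-p uri)))

(defun demo-safe-remote-resource-p (uri)
  "Non-nil if URI matches a pattern in `demo-safe-remote-resources'."
  (seq-some (lambda (re) (string-match-p re uri)) demo-safe-remote-resources))

(defun demo-mark-domain-safe (uri)
  "Allow-list URI's host, as the \"mark domain as safe\" action does.
The host is escaped with `regexp-quote' (the _04 fix); `regexp-opt'
takes a list of strings and is the wrong tool for one literal.
The pattern is anchored so that example.com does not also admit
example.com.attacker.test."
  (let ((host (url-host (url-generic-parse-url uri))))
    (when host
      (push (concat "\\`https?://" (regexp-quote host) "\\(?:/\\|\\'\\)")
            demo-safe-remote-resources))))

(defun demo-should-fetch-remote-resource-p (uri &optional answer)
  "Decide whether URI may be fetched under the current policy.
ANSWER stands in for the interactive prompt; only `yes' allows the
download.  Any other reply, including \"n\", refuses it and leaves the
safe list untouched, which is the CVE-2024-30205_03 correction."
  (cond
   ((not (demo-remote-resource-p uri)) t)
   ((eq demo-resource-download-policy 'never) nil)
   ((eq demo-resource-download-policy 'always) t)
   ((demo-safe-remote-resource-p uri) t)
   (t (eq answer 'yes))))

;; Constructed scenario: an untrusted Org buffer pulls in a remote file.
(let ((demo-resource-download-policy 'prompt)
      (demo-safe-remote-resources nil)
      (uri "https://example.com/snippet.org"))
  ;; Local files are not subject to the policy.
  (cl-assert (demo-should-fetch-remote-resource-p "./local.org"))
  ;; Refusing at the prompt must not fetch, and must not mark anything safe.
  (cl-assert (not (demo-should-fetch-remote-resource-p uri 'no)))
  (cl-assert (not (demo-safe-remote-resource-p uri)))
  ;; After the user allow-lists the domain, no prompt is needed.
  (demo-mark-domain-safe uri)
  (cl-assert (demo-should-fetch-remote-resource-p uri))
  ;; A look-alike host does not match the anchored pattern.
  (cl-assert (not (demo-should-fetch-remote-resource-p
                   "https://example.com.attacker.test/snippet.org" 'no)))
  ;; TRAMP paths count as remote resources after the _30205_01 change.
  (cl-assert (demo-remote-resource-p "/ssh:host:/etc/hosts"))
  ;; In this simplification `never' refuses even an allow-listed resource.
  (cl-assert (not (let ((demo-resource-download-policy 'never))
                    (demo-should-fetch-remote-resource-p uri))))
  (message "policy checks passed; safe list: %S" demo-safe-remote-resources))
```

The two details worth carrying over to any similar allow-list are visible in the asserts: the negative answer to a prompt must be a plain refusal with no side effect on the safe list, and a host added to the list has to be both regexp-quoted and anchored, otherwise a dot in the domain or a longer host name widens the match.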
org-link-expand-abbrev-Do-not-evaluate-arbitrary-uns.patch org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
* lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
abbrevs that specify unsafe function. Instead, display a warning, and
do not expand the abbrev. Clear all the text properties from the
returned link, to avoid any potential vulnerabilities caused by
properties that may contain arbitrary Elisp.
Ihor Radchenko <yantar92@posteo.net> no debian https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8 2024-06-18
