Version in base suite: 28.2+1-15
Base version: emacs_28.2+1-15
Target version: emacs_28.2+1-15+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/emacs/emacs_28.2+1-15.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/e/emacs/emacs_28.2+1-15+deb12u1.dsc
 .git-dpm | 4
 .gitignore | 81 +++
 changelog | 7
 patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch | 44 ++
 patches/0030-lisp-files.el-untrusted-content-New-variable.patch | 32 +
 patches/0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch | 23 +
 patches/0032-org-latex-preview-Add-protection-when-untrusted-cont.patch | 56 ++
 patches/0033-org-Add-setting-for-remote-file-download-policy.patch | 209 ++++++++++
 patches/0034-org-Refactor-rx-to-concat-regexp-opt.patch | 35 +
 patches/0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch | 26 +
 patches/0036-org-Fix-resource-prompt-in-non-file-buffers.patch | 45 ++
 patches/0037-org-Add-mark-domain-as-safe-convenience-action.patch | 79 +++
 patches/0038-org-Tweak-styling-of-url-in-resource-prompt.patch | 35 +
 patches/0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch | 40 +
 patches/0040-org-file-contents-Consider-all-remote-files-unsafe.patch | 35 +
 patches/0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch | 29 +
 patches/0042-org-Fix-security-prompt-for-downloading-remote-resou.patch | 28 +
 patches/series | 14
 18 files changed, 820 insertions(+), 2 deletions(-)
diff -Nru emacs-28.2+1/debian/.git-dpm emacs-28.2+1/debian/.git-dpm
--- emacs-28.2+1/debian/.git-dpm 2023-03-31 18:22:32.000000000 +0000
+++ emacs-28.2+1/debian/.git-dpm 2024-04-27 09:49:04.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-023ac1eff558f6fb387fea1629b084c8929de18d
-023ac1eff558f6fb387fea1629b084c8929de18d
+1c0b3e5ae5cef71210b094bfd1f8582efe3a7b90
+1c0b3e5ae5cef71210b094bfd1f8582efe3a7b90
 279b82e64e15b5e2df3cb522636c6db85a8ee659
 279b82e64e15b5e2df3cb522636c6db85a8ee659
 emacs_28.2+1.orig.tar.xz
diff -Nru emacs-28.2+1/debian/.gitignore emacs-28.2+1/debian/.gitignore
--- emacs-28.2+1/debian/.gitignore 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/.gitignore 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,81 @@
+*~
+.\#*
+/*-stamp
+/.debhelper/
+/build-gtk/
+/build-lucid/
+/build-nox/
+/build-src/
+/build-x/
+/elgz-canary
+/elgz-info
+/emacs
+/emacs-bin-common
+/emacs-bin-common.README.Debian
+/emacs-bin-common.debhelper.log
+/emacs-bin-common.lintian-overrides
+/emacs-bin-common.postinst
+/emacs-bin-common.postrm
+/emacs-bin-common.prerm
+/emacs-bin-common.substvars
+/emacs-common
+/emacs-common.README.00
+/emacs-common.README.01
+/emacs-common.README.Debian
+/emacs-common.debhelper.log
+/emacs-common.docs
+/emacs-common.links
+/emacs-common.lintian-overrides
+/emacs-common.postinst
+/emacs-common.postinst.debhelper
+/emacs-common.postrm.debhelper
+/emacs-common.prerm
+/emacs-common.prerm.debhelper
+/emacs-common.substvars
+/emacs-el
+/emacs-el.debhelper.log
+/emacs-el.prerm
+/emacs-el.substvars
+/emacs-gtk
+/emacs-gtk.README.Debian
+/emacs-gtk.debhelper.log
+/emacs-gtk.desktop
+/emacs-gtk.links
+/emacs-gtk.lintian-overrides
+/emacs-gtk.menu
+/emacs-gtk.postinst
+/emacs-gtk.postinst.debhelper
+/emacs-gtk.postrm
+/emacs-gtk.postrm.debhelper
+/emacs-gtk.prerm
+/emacs-gtk.substvars
+/emacs-lucid
+/emacs-lucid.README.Debian
+/emacs-lucid.debhelper.log
+/emacs-lucid.desktop
+/emacs-lucid.lintian-overrides
+/emacs-lucid.menu
+/emacs-lucid.postinst
+/emacs-lucid.postinst.debhelper
+/emacs-lucid.postrm.debhelper
+/emacs-lucid.prerm
+/emacs-lucid.substvars
+/emacs-nox
+/emacs-nox.README.Debian
+/emacs-nox.debhelper.log
+/emacs-nox.desktop
+/emacs-nox.links
+/emacs-nox.lintian-overrides
+/emacs-nox.menu
+/emacs-nox.postinst
+/emacs-nox.postinst.debhelper
+/emacs-nox.postrm
+/emacs-nox.postrm.debhelper
+/emacs-nox.prerm
+/emacs-nox.substvars
+/emacs.debhelper.log
+/emacs.substvars
+/files
+/stamp-configured
+/tmp-alt-list
+\#*\#
diff -Nru emacs-28.2+1/debian/changelog emacs-28.2+1/debian/changelog
--- emacs-28.2+1/debian/changelog 2023-05-13 20:17:27.000000000 +0000
+++ emacs-28.2+1/debian/changelog 2024-04-27 09:49:04.000000000 +0000
@@ -1,3 +1,10 @@
+emacs (1:28.2+1-15+deb12u1) bookworm; urgency=high
+
+ * Fix CVE-2024-30202, CVE-2024-30203, CVE-2024-30204 & CVE-2024-30205
+ (Closes: #1067630).
+
+ -- Sean Whitton Sat, 27 Apr 2024 10:49:04 +0100
+
 emacs (1:28.2+1-15) unstable; urgency=medium
 
 * emacs-common: add breaks/replaces emacs-bin-common (<< 1:28) since the
diff -Nru emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch
--- emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0029-org-macro-set-templates-Prevent-code-evaluation.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,44 @@
+From d9bd61923515607fcc7ada4ba66b7e58e8ba00d9 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 20 Feb 2024 12:19:46 +0300
+Subject: org-macro--set-templates: Prevent code evaluation
+
+* lisp/org/org-macro.el (org-macro--set-templates): Get rid of any
+risk to evaluate code when `org-macro--set-templates' is called as a
+part of major mode initialization. This way, no code evaluation is
+ever triggered when user merely opens the file or when
+`mm-display-org-inline' invokes Org major mode to fontify mime part
+preview in email messages.
+
+(cherry picked from commit befa9fcaae29a6c9a283ba371c3c5234c7f644eb)
+---
+ lisp/org/org-macro.el | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org/org-macro.el b/lisp/org/org-macro.el
+index 0921f3aa27c..5619cadf841 100644
+--- a/lisp/org/org-macro.el
++++ b/lisp/org/org-macro.el
+@@ -103,6 +103,13 @@ org-macro--set-templates
+ (let ((new-templates nil))
+ (pcase-dolist (`(,name . ,value) templates)
+ (let ((old-definition (assoc name new-templates)))
++ ;; This code can be evaluated unconditionally, as a part of
++ ;; loading Org mode. We *must not* evaluate any code present
++ ;; inside the Org buffer while loading. Org buffers may come
++ ;; from various sources, like received email messages from
++ ;; potentially malicious senders. Org mode might be used to
++ ;; preview such messages and no code evaluation from inside the
++ ;; received Org text should ever happen without user consent.
+ (when (and (stringp value) (string-match-p "\\`(eval\\>" value))
+ ;; Pre-process the evaluation form for faster macro expansion.
+ (let* ((args (org-macro--makeargs value))
+@@ -115,7 +122,7 @@ org-macro--set-templates
+ (cadr (read value))
+ (error
+ (user-error "Invalid definition for macro %S" name)))))
+- (setq value (eval (macroexpand-all `(lambda ,args ,body)) t))))
++ (setq value `(lambda ,args ,body))))
+ (cond ((and value old-definition) (setcdr old-definition value))
+ (old-definition)
+ (t (push (cons name (or value "")) new-templates)))))
diff -Nru emacs-28.2+1/debian/patches/0030-lisp-files.el-untrusted-content-New-variable.patch emacs-28.2+1/debian/patches/0030-lisp-files.el-untrusted-content-New-variable.patch
--- emacs-28.2+1/debian/patches/0030-lisp-files.el-untrusted-content-New-variable.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0030-lisp-files.el-untrusted-content-New-variable.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,32 @@
+From f6f7f00156e13af3922eb2b1b2676e8a2cb21620 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 20 Feb 2024 12:43:51 +0300
+Subject: * lisp/files.el (untrusted-content): New variable.
+
+The new variable is to be used when buffer contents comes from untrusted
+source.
+
+(cherry picked from commit ccc188fcf98ad9166ee551fac9d94b2603c3a51b)
+---
+ lisp/files.el | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lisp/files.el b/lisp/files.el
+index 860b9ca7249..e127e99d410 100644
+--- a/lisp/files.el
++++ b/lisp/files.el
+@@ -623,6 +623,14 @@ enable-dir-local-variables
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+
++(defvar-local untrusted-content nil
++ "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (setq-local enable-local-variables nil)
diff -Nru emacs-28.2+1/debian/patches/0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch emacs-28.2+1/debian/patches/0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch
--- emacs-28.2+1/debian/patches/0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,23 @@
+From 075a7ec4aca2477354b63a273f4571e00d53a1a7 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 20 Feb 2024 12:44:30 +0300
+Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
+ untrusted.
+
+(cherry picked from commit 937b9042ad7426acdcca33e3d931d8f495bdd804)
+---
+ lisp/gnus/mm-view.el | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
+index 44c744b068b..507978fa320 100644
+--- a/lisp/gnus/mm-view.el
++++ b/lisp/gnus/mm-view.el
+@@ -506,6 +506,7 @@ mm-display-inline-fontify
+ (with-temp-buffer
+ (buffer-disable-undo)
+ (mm-enable-multibyte)
++ (setq untrusted-content t)
+ (insert (cond ((eq charset 'gnus-decoded)
+ (with-current-buffer (mm-handle-buffer handle)
+ (buffer-string)))
diff -Nru emacs-28.2+1/debian/patches/0032-org-latex-preview-Add-protection-when-untrusted-cont.patch emacs-28.2+1/debian/patches/0032-org-latex-preview-Add-protection-when-untrusted-cont.patch
--- emacs-28.2+1/debian/patches/0032-org-latex-preview-Add-protection-when-untrusted-cont.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0032-org-latex-preview-Add-protection-when-untrusted-cont.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,56 @@
+From 6031a74488aeafb952f7ad05c0d2f6f7a8c933bf Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 20 Feb 2024 12:47:24 +0300
+Subject: org-latex-preview: Add protection when `untrusted-content' is non-nil
+
+* lisp/org/org.el (org--latex-preview-when-risky): New variable
+controlling how to handle LaTeX previews in Org files from untrusted
+origin.
+(org-latex-preview): Consult `org--latex-preview-when-risky' before
+generating previews.
+
+This patch adds a layer of protection when LaTeX preview is requested
+for an email attachment, where `untrusted-content' is set to non-nil.
+
+(cherry picked from commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c)
+---
+ lisp/org/org.el | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index bc4c83b7d97..41e8bd79114 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -1092,6 +1092,24 @@ org-startup-with-latex-preview
+ :package-version '(Org . "8.0")
+ :type 'boolean)
+
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++ "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages. It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+ "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -16000,6 +16018,7 @@ org-latex-preview
+ (interactive "P")
+ (cond
+ ((not (display-graphic-p)) nil)
++ ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+ ;; Clear whole buffer.
+ ((equal arg '(64))
+ (org-clear-latex-preview (point-min) (point-max))
diff -Nru emacs-28.2+1/debian/patches/0033-org-Add-setting-for-remote-file-download-policy.patch emacs-28.2+1/debian/patches/0033-org-Add-setting-for-remote-file-download-policy.patch
--- emacs-28.2+1/debian/patches/0033-org-Add-setting-for-remote-file-download-policy.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0033-org-Add-setting-for-remote-file-download-policy.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,209 @@
+From 34f1e76df1411a7d542292f3fb1fd5111fabe2fa Mon Sep 17 00:00:00 2001
+From: TEC
+Date: Sun, 12 Jun 2022 22:37:42 +0800
+Subject: org: Add setting for remote file download policy
+
+* lisp/org/org.el (org-resource-download-policy, org-safe-remote-resources):
+Two new customisations to configure the policy for downloading remote
+resources.
+(org--should-fetch-remote-resource-p, org--safe-remote-resource-p,
+org--confirm-resource-safe): Introduce the new function
+`org--should-fetch-remote-resource-p' for internal use determining
+whether a remote resource should be downloaded according to the download
+policy. This function makes use of two helper functions,
+`org--safe-remote-resource-p' and `org--confirm-resource-safe'.
+(org-file-contents): Apply `org--safe-remote-resource-p' to file
+downloading.
+
+* lisp/org/org-attach.el (org-attach-attach, org-attach-url): Apply
+`org--safe-remote-resource-p' to url downloading.
+
+(cherry picked from Org-mode commit 0583a0c5eaa955d4370558b980b3772bb91dd057)
+---
+ lisp/org/org-attach.el | 10 +++-
+ lisp/org/org.el | 130 ++++++++++++++++++++++++++++++++++++-----
+ 2 files changed, 123 insertions(+), 17 deletions(-)
+
+diff --git a/lisp/org/org-attach.el b/lisp/org/org-attach.el
+index 36c21b7021c..c80f7f35ea9 100644
+--- a/lisp/org/org-attach.el
++++ b/lisp/org/org-attach.el
+@@ -484,7 +484,9 @@ org-attach-untag
+
+ (defun org-attach-url (url)
+ (interactive "MURL of the file to attach: \n")
+- (let ((org-attach-method 'url))
++ (let ((org-attach-method 'url)
++ (org-safe-remote-resources ; Assume safety if in an interactive session
++ (if noninteractive org-safe-remote-resources '(""))))
+ (org-attach-attach url)))
+
+ (defun org-attach-buffer (buffer-name)
+@@ -524,7 +526,11 @@ org-attach-attach
+ ((eq method 'cp) (copy-file file attach-file))
+ ((eq method 'ln) (add-name-to-file file attach-file))
+ ((eq method 'lns) (make-symbolic-link file attach-file))
+- ((eq method 'url) (url-copy-file file 
attach-file)))
++ ((eq method 'url)
++ (if (org--should-fetch-remote-resource-p file)
++ (url-copy-file file attach-file)
++ (error "The remote resources %S is considered unsafe, and will not be downloaded"
++ file))))
+ (run-hook-with-args 'org-attach-after-change-hook attach-dir)
+ (org-attach-tag)
+ (cond ((eq org-attach-store-link-p 'attached)
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 41e8bd79114..f13f780fda5 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -1431,6 +1431,34 @@ org-file-apps
+ (string :tag "Command")
+ (function :tag "Function")))))
+
++(defcustom org-resource-download-policy 'prompt
++ "The policy applied to requests to obtain remote resources.
++
++This affects keywords like #+setupfile and #+incude on export,
++`org-persist-write:url',and `org-attach-url' in non-interactive
++Emacs sessions.
++
++This recognises four possible values:
++- t, remote resources should always be downloaded.
++- prompt, you will be prompted to download resources nt considered safe.
++- safe, only resources considered safe will be downloaded.
++- nil, never download remote resources.
++
++A resource is considered safe if it matches one of the patterns
++in `org-safe-remote-resources'."
++ :group 'org
++ :type '(choice (const :tag "Always download remote resources" t)
++ (const :tag "Prompt before downloading an unsafe resource" prompt)
++ (const :tag "Only download resources considered safe" safe)
++ (const :tag "Never download any resources" nil)))
++
++(defcustom org-safe-remote-resources nil
++ "A list of regexp patterns matching safe URIs.
++URI regexps are applied to both URLs and Org files requesting
++remote resources."
++ :group 'org
++ :type '(list regexp))
++
+ (defcustom org-open-non-existing-files nil
+ "Non-nil means `org-open-file' opens non-existing files.
+
+@@ -4711,21 +4739,25 @@ org-file-contents
+ (cond
+ (cache)
+ (is-url
+- (with-current-buffer (url-retrieve-synchronously file)
+- (goto-char (point-min))
+- ;; Move point to after the url-retrieve header.
+- (search-forward "\n\n" nil :move)
+- ;; Search for the success code only in the url-retrieve header.
+- (if (save-excursion
+- (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror))
+- ;; Update the cache `org--file-cache' and return contents.
+- (puthash file
+- (buffer-substring-no-properties (point) (point-max))
+- org--file-cache)
+- (funcall (if noerror #'message #'user-error)
+- "Unable to fetch file from %S"
+- file)
+- nil)))
++ (if (org--should-fetch-remote-resource-p file)
++ (with-current-buffer (url-retrieve-synchronously file)
++ (goto-char (point-min))
++ ;; Move point to after the url-retrieve header.
++ (search-forward "\n\n" nil :move)
++ ;; Search for the success code only in the url-retrieve header.
++ (if (save-excursion
++ (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror))
++ ;; Update the cache `org--file-cache' and return contents.
++ (puthash file
++ (buffer-substring-no-properties (point) (point-max))
++ org--file-cache)
++ (funcall (if noerror #'message #'user-error)
++ "Unable to fetch file from %S"
++ file)
++ nil))
++ (funcall (if noerror #'message #'user-error)
++ "The remote resource %S is considered unsafe, and will not be downloaded"
++ file)))
+ (t
+ (with-temp-buffer
+ (condition-case nil
+@@ -4738,6 +4770,74 @@ org-file-contents
+ file)
+ nil)))))))
+
++(defun org--should-fetch-remote-resource-p (uri)
++ "Return non-nil if the URI should be fetched."
++ (or (eq org-resource-download-policy t)
++ (org--safe-remote-resource-p uri)
++ (and (eq org-resource-download-policy 'prompt)
++ (org--confirm-resource-safe uri))))
++
++(defun org--safe-remote-resource-p (uri)
++ "Return non-nil if URI is considered safe.
++This checks every pattern in `org-safe-remote-resources', and
++returns non-nil if any of them match."
++ (let ((uri-patterns org-safe-remote-resources)
++ (file-uri (and buffer-file-name
++ (concat "file://" (file-truename buffer-file-name))))
++ match-p)
++ (while (and (not match-p) uri-patterns)
++ (setq match-p (or (string-match-p (car uri-patterns) uri)
++ (and file-uri (string-match-p (car uri-patterns) file-uri)))
++ uri-patterns (cdr uri-patterns)))
++ match-p))
++
++(defun org--confirm-resource-safe (uri)
++ "Ask the user if URI should be considered safe, returning non-nil if so."
++ (unless noninteractive
++ (let ((current-file (and buffer-file-name (file-truename buffer-file-name)))
++ (buf (get-buffer-create "*Org Remote Resource*")))
++ ;; Set up the contents of the *Org Remote Resource* buffer.
++ (with-current-buffer buf
++ (erase-buffer)
++ (insert "An org-mode document would like to download "
++ (propertize uri 'face '(:inherit org-link :weight normal))
++ ", which is not considered safe.\n\n"
++ "Do you want to download this? You can type\n "
++ (propertize "!" 'face 'success)
++ " to download this resource, and permanantly mark it as safe.\n "
++ (propertize "f" 'face 'success)
++ " to download this resource, and permanantly mark all resources in "
++ (propertize current-file 'face 'fixed-pitch-serif)
++ " as safe.\n "
++ (propertize "y" 'face 'warning)
++ " to download this resource, just this once.\n "
++ (propertize "n" 'face 'error)
++ " to skip this resource.\n")
++ (setq-local cursor-type nil)
++ (set-buffer-modified-p nil)
++ (goto-char (point-min)))
++ ;; Display the buffer and read a choice.
++ (save-window-excursion
++ (pop-to-buffer buf)
++ (let* ((exit-chars '(?y ?n ?! ?f ?\s))
++ (prompt (format "Please type y, n, f, or !%s: "
++ (if (< (line-number-at-pos (point-max))
++ (window-body-height))
++ ""
++ ", or C-v/M-v to scroll")))
++ char)
++ (setq char (read-char-choice prompt exit-chars))
++ (when (memq char '(?! 
?f))
++ (customize-push-and-save
++ 'org-safe-remote-resources
++ (list (rx string-start
++ (literal
++ (if (and (= char ?f) current-file)
++ (concat "file://" current-file) uri))
++ string-end))))
++ (prog1 (memq char '(?! ?\s ?y ?f))
++ (quit-window t)))))))
++
+ (defun org-extract-log-state-settings (x)
+ "Extract the log state setting from a TODO keyword string.
+ This will extract info from a string like \"WAIT(w@/!)\"."
diff -Nru emacs-28.2+1/debian/patches/0034-org-Refactor-rx-to-concat-regexp-opt.patch emacs-28.2+1/debian/patches/0034-org-Refactor-rx-to-concat-regexp-opt.patch
--- emacs-28.2+1/debian/patches/0034-org-Refactor-rx-to-concat-regexp-opt.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0034-org-Refactor-rx-to-concat-regexp-opt.patch 2024-04-27 09:49:04.000000000 +0000
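Review bot: `org--confirm-resource-safe` treats SPC as consent — `exit-chars` is `'(?y ?n ?! ?f ?\s)` and the result is `(memq char '(?! ?\s ?y ?f))` — yet neither the `*Org Remote Resource*` help text nor the `Please type y, n, f, or !` prompt mentions SPC. A user who hits the space bar to dismiss what looks like an informational pop-up therefore silently authorises the download; either drop `?\s` from both lists or name it in the prompt string. Patches 0036 and 0037 carry the same `?\s` forward unchanged. Separately, `org-attach-url` binds `org-safe-remote-resources` to `'("")` in interactive sessions, and the empty regexp matches every URI, so `org-resource-download-policy` never applies to interactive attachment; the docstring's "in non-interactive Emacs sessions" is the only hint, and the inline comment would be clearer as `; Interactive call: the URL was typed by the user, so the download policy is skipped`.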
@@ -0,0 +1,35 @@
+From ef9d16949ada26721559024b9534252fdaf10db8 Mon Sep 17 00:00:00 2001
+From: TEC
+Date: Sun, 24 Jul 2022 22:03:20 +0800
+Subject: org: Refactor rx to concat + regexp-opt
+
+* lisp/org.el (org--confirm-resource-safe): Since Emacs 26 doesn't
+support rx's (literal S) construct, use (concat (regexp-opt ...) ...)
+instead.
+
+(cherry picked from Org-mode commit 6de5431acc8b77548e89c61a6ae0ebc1b57540bb)
+---
+ lisp/org/org.el | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index f13f780fda5..e21f972e747 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4830,11 +4830,11 @@ org--confirm-resource-safe
+ (when (memq char '(?! ?f))
+ (customize-push-and-save
+ 'org-safe-remote-resources
+- (list (rx string-start
+- (literal
+- (if (and (= char ?f) current-file)
+- (concat "file://" current-file) uri))
+- string-end))))
++ (list (concat "\\`"
++ (regexp-opt
++ (if (and (= char ?f) current-file)
++ (concat "file://" current-file) uri))
++ "\\'"))))
+ (prog1 (memq char '(?! ?\s ?y ?f))
+ (quit-window t)))))))
+
diff -Nru emacs-28.2+1/debian/patches/0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch emacs-28.2+1/debian/patches/0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch
--- emacs-28.2+1/debian/patches/0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,26 @@
+From df00eab6bfb8d39028485ab9d8d4b42851f2db14 Mon Sep 17 00:00:00 2001
+From: TEC
+Date: Tue, 26 Jul 2022 12:22:07 +0800
+Subject: org: Correct regexp escaping to use regexp-quote
+
+* lisp/org.el (org--confirm-resource-safe): `regexp-opt' was
+accidentally used instead of `regexp-quote'.
+
+(cherry picked from Org-mode commit 6ad53fa22eab5830f85a401960dc1e7d00154a27)
+---
+ lisp/org/org.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index e21f972e747..62d07af4079 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4831,7 +4831,7 @@ org--confirm-resource-safe
+ (customize-push-and-save
+ 'org-safe-remote-resources
+ (list (concat "\\`"
+- (regexp-opt
++ (regexp-quote
+ (if (and (= char ?f) current-file)
+ (concat "file://" current-file) uri))
+ "\\'"))))
diff -Nru emacs-28.2+1/debian/patches/0036-org-Fix-resource-prompt-in-non-file-buffers.patch emacs-28.2+1/debian/patches/0036-org-Fix-resource-prompt-in-non-file-buffers.patch
--- emacs-28.2+1/debian/patches/0036-org-Fix-resource-prompt-in-non-file-buffers.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0036-org-Fix-resource-prompt-in-non-file-buffers.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,45 @@
+From c6d219de2f3f0b6fa11f7edbc974c291ea464c4c Mon Sep 17 00:00:00 2001
+From: TEC
+Date: Wed, 3 Aug 2022 21:38:49 +0800
+Subject: org: Fix resource prompt in non-file buffers
+
+* lisp/org.el (org--confirm-resource-safe): When `buffer-file-name' is
+nil, skip over file-specific behaviour.
+
+(cherry picked from Org-mode commit 4702a73031c77ba03b480b0848c137d5d8773e07)
+---
+ lisp/org/org.el | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 62d07af4079..8f57e7c5bdb 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4806,9 +4806,12 @@ org--confirm-resource-safe
+ (propertize "!" 'face 'success)
+ " to download this resource, and permanantly mark it as safe.\n "
+ (propertize "f" 'face 'success)
+- " to download this resource, and permanantly mark all resources in "
+- (propertize current-file 'face 'fixed-pitch-serif)
+- " as safe.\n "
++ (if current-file
++ (concat
++ " to download this resource, and permanantly mark all resources in "
++ (propertize current-file 'face 'fixed-pitch-serif)
++ " as safe.\n ")
++ "")
+ (propertize "y" 'face 'warning)
+ " to download this resource, just this once.\n "
+ (propertize "n" 'face 'error)
+@@ -4819,8 +4822,9 @@ org--confirm-resource-safe
+ ;; Display the buffer and read a choice.
+ (save-window-excursion
+ (pop-to-buffer buf)
+- (let* ((exit-chars '(?y ?n ?! ?f ?\s))
+- (prompt (format "Please type y, n, f, or !%s: "
++ (let* ((exit-chars (append '(?y ?n ?! 
?\s) (and current-file '(?f))))
++ (prompt (format "Please type y, n%s, or !%s: "
++ (if current-file ", f" "")
+ (if (< (line-number-at-pos (point-max))
+ (window-body-height))
+ ""
diff -Nru emacs-28.2+1/debian/patches/0037-org-Add-mark-domain-as-safe-convenience-action.patch emacs-28.2+1/debian/patches/0037-org-Add-mark-domain-as-safe-convenience-action.patch
--- emacs-28.2+1/debian/patches/0037-org-Add-mark-domain-as-safe-convenience-action.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0037-org-Add-mark-domain-as-safe-convenience-action.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,79 @@
+From 1999648553f930c4ff4fb83104fb7148dfc49c07 Mon Sep 17 00:00:00 2001
+From: TEC
+Date: Sun, 7 Aug 2022 16:21:21 +0800
+Subject: org: Add "mark domain as safe" convenience action
+
+* lisp/org.el (org--confirm-resource-safe): Pick out domains from URLs,
+and provide an option of marking that domain as safe.
+
+(cherry picked from Org-mode commit 1ae801e9c86d5b150fd085230722e4dac550df30)
+---
+ lisp/org/org.el | 32 +++++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 8f57e7c5bdb..accb57e1167 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4795,6 +4795,13 @@ org--confirm-resource-safe
+ "Ask the user if URI should be considered safe, returning non-nil if so."
+ (unless noninteractive
+ (let ((current-file (and buffer-file-name (file-truename buffer-file-name)))
++ (domain (and (string-match
++ (rx (seq "http" (? "s") "://")
++ (optional (+ (not (any "@/\n"))) "@")
++ (optional "www.")
++ (one-or-more (not (any ":/?\n"))))
++ uri)
++ (match-string 0 uri)))
+ (buf (get-buffer-create "*Org Remote Resource*")))
+ ;; Set up the contents of the *Org Remote Resource* buffer.
+ (with-current-buffer buf
+@@ -4805,6 +4812,11 @@ org--confirm-resource-safe
+ "Do you want to download this? You can type\n "
+ (propertize "!" 'face 'success)
+ " to download this resource, and permanantly mark it as safe.\n "
++ (if domain
++ (concat
++ (propertize "d" 'face 'success)
++ " to download this resource, and mark this domain as safe.\n ")
++ "")
+ (propertize "f" 'face 'success)
+ (if current-file
+ (concat
+@@ -4822,8 +4834,8 @@ org--confirm-resource-safe
+ ;; Display the buffer and read a choice.
+ (save-window-excursion
+ (pop-to-buffer buf)
+- (let* ((exit-chars (append '(?y ?n ?! ?\s) (and current-file '(?f))))
+- (prompt (format "Please type y, n%s, or !%s: "
++ (let* ((exit-chars (append '(?y ?n ?! 
?d ?\s) (and current-file '(?f))))
++ (prompt (format "Please type y, n%s, d, or !%s: "
+ (if current-file ", f" "")
+ (if (< (line-number-at-pos (point-max))
+ (window-body-height))
+@@ -4831,15 +4843,17 @@ org--confirm-resource-safe
+ ", or C-v/M-v to scroll")))
+ char)
+ (setq char (read-char-choice prompt exit-chars))
+- (when (memq char '(?! ?f))
++ (when (memq char '(?! ?f ?d))
+ (customize-push-and-save
+ 'org-safe-remote-resources
+- (list (concat "\\`"
+- (regexp-quote
+- (if (and (= char ?f) current-file)
+- (concat "file://" current-file) uri))
+- "\\'"))))
+- (prog1 (memq char '(?! ?\s ?y ?f))
++ (list (if (eq char ?d)
++ (concat "\\`" (regexp-quote domain) "\\(?:/\\|\\'\\)")
++ (concat "\\`"
++ (regexp-quote
++ (if (and (= char ?f) current-file)
++ (concat "file://" current-file) uri))
++ "\\'")))))
++ (prog1 (memq char '(?y ?n ?! ?d ?\s ?f))
+ (quit-window t)))))))
+
+ (defun org-extract-log-state-settings (x)
diff -Nru emacs-28.2+1/debian/patches/0038-org-Tweak-styling-of-url-in-resource-prompt.patch emacs-28.2+1/debian/patches/0038-org-Tweak-styling-of-url-in-resource-prompt.patch
--- emacs-28.2+1/debian/patches/0038-org-Tweak-styling-of-url-in-resource-prompt.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0038-org-Tweak-styling-of-url-in-resource-prompt.patch 2024-04-27 09:49:04.000000000 +0000
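Review bot: The rewritten return expression `(prog1 (memq char '(?y ?n ?! ?d ?\s ?f)) ...)` now lists `?n`, so answering n makes `org--confirm-resource-safe` return non-nil and `org--should-fetch-remote-resource-p` proceeds to fetch the resource the user just declined; the removed line `(memq char '(?! ?\s ?y ?f))` correctly left n out. The accept list should read `(memq char '(?y ?! ?d ?\s ?f))`. Unless a later patch in this series restores that (0042's title, "Fix security prompt for downloading remote resources", suggests it may, but its body is outside this view), the backport ships with the prompt's refusal answer ignored, which defeats the `prompt` policy this series adds.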
@@ -0,0 +1,35 @@
+From d466ae9051c097fb3cff044159f65ccaad491079 Mon Sep 17 00:00:00 2001
+From: TEC
+Date: Tue, 30 Aug 2022 01:45:41 +0800
+Subject: org: Tweak styling of url in resource prompt
+
+* lisp/org.el (org--confirm-resource-safe): Style domain with a link,
+and url with an underline.
+
+(cherry picked from Org-mode commit 1061db94acf785f4b8f1140649e3857d52693115)
+---
+ lisp/org/org.el | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index accb57e1167..5e9740ef2d2 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4815,13 +4815,15 @@ org--confirm-resource-safe
+ (if domain
+ (concat
+ (propertize "d" 'face 'success)
+- " to download this resource, and mark this domain as safe.\n ")
++ " to download this resource, and mark the domain ("
++ (propertize domain 'face '(:inherit org-link :weight normal))
++ ") as safe.\n ")
+ "")
+ (propertize "f" 'face 'success)
+ (if current-file
+ (concat
+ " to download this resource, and permanantly mark all resources in "
+- (propertize current-file 'face 'fixed-pitch-serif)
++ (propertize current-file 'face 'underline)
+ " as safe.\n ")
+ "")
+ (propertize "y" 'face 'warning)
diff -Nru emacs-28.2+1/debian/patches/0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch emacs-28.2+1/debian/patches/0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch
--- emacs-28.2+1/debian/patches/0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,40 @@
+From 5deff1d7befcff86f87cfb51f9fc9236c6d0cde9 Mon Sep 17 00:00:00 2001
+From: TEC
+Date: Sat, 10 Dec 2022 21:38:21 +0800
+Subject: org: Use buffer-base-buffer in safe resource fns
+
+* lisp/org.el (org--confirm-resource-safe, org--safe-remote-resource-p):
+Replace instances of buffer-file-name
+with (buffer-file-name (buffer-base-buffer)) so these functions work in
+indirect buffers.
+
+(cherry picked from Org-mode commit 88329143c86b34195af68a8e5d5fd3d00a5dcae6)
+---
+ lisp/org/org.el | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 5e9740ef2d2..6871580265f 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4782,8 +4782,8 @@ org--safe-remote-resource-p
+ This checks every pattern in `org-safe-remote-resources', and
+ returns non-nil if any of them match."
+ (let ((uri-patterns org-safe-remote-resources)
+- (file-uri (and buffer-file-name
+- (concat "file://" (file-truename buffer-file-name))))
++ (file-uri (and (buffer-file-name (buffer-base-buffer))
++ (concat "file://" (file-truename (buffer-file-name (buffer-base-buffer))))))
+ match-p)
+ (while (and (not match-p) uri-patterns)
+ (setq match-p (or (string-match-p (car uri-patterns) uri)
+@@ -4794,7 +4794,8 @@ org--safe-remote-resource-p
+ (defun org--confirm-resource-safe (uri)
+ "Ask the user if URI should be considered safe, returning non-nil if so."
+ (unless noninteractive
+- (let ((current-file (and buffer-file-name (file-truename buffer-file-name)))
++ (let ((current-file (and (buffer-file-name (buffer-base-buffer))
++ (file-truename (buffer-file-name (buffer-base-buffer)))))
+ (domain (and (string-match
+ (rx (seq "http" (? 
"s") "://")
+ (optional (+ (not (any "@/\n"))) "@")
diff -Nru emacs-28.2+1/debian/patches/0040-org-file-contents-Consider-all-remote-files-unsafe.patch emacs-28.2+1/debian/patches/0040-org-file-contents-Consider-all-remote-files-unsafe.patch
--- emacs-28.2+1/debian/patches/0040-org-file-contents-Consider-all-remote-files-unsafe.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0040-org-file-contents-Consider-all-remote-files-unsafe.patch 2024-04-27 09:49:04.000000000 +0000
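Review bot: `(buffer-file-name (buffer-base-buffer))` is evaluated twice inside each of the two new bindings; binding it once is clearer and avoids the duplicated call, e.g. `(let* ((base-file (buffer-file-name (buffer-base-buffer)))` / `(file-uri (and base-file (concat "file://" (file-truename base-file))))` in `org--safe-remote-resource-p`, and the same shape for `current-file`. Worth noting in the `org-safe-remote-resources` docstring that the "f" approval is keyed on the `file-truename` of the path, not on the file's content, so whoever can later replace the file at that path inherits the approval; for a TRAMP-backed base buffer `file-truename` may also contact the remote host to resolve the name, which this check presumably does not intend. Both `org--safe-remote-resource-p` and `org--confirm-resource-safe` continue outside the hunk.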
@@ -0,0 +1,35 @@
+From 2719edd8ce6ba4473b1fbf761669b43c12b99df0 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+
+(cherry picked from commit 2bc865ace050ff118db43f01457f95f95112b877)
+---
+ lisp/org/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 6871580265f..cb5615e5b1f 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4733,12 +4733,16 @@ org-file-contents
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available. This option applies only if FILE is a URL."
+ (let* ((is-url (org-url-p file))
++ (is-remote (condition-case nil
++ (file-remote-p file)
++ ;; In case of error, be safe.
++ (t t)))
+ (cache (and is-url
+ (not nocache)
+ (gethash file org--file-cache)))
+ (cond
+ (cache)
+- (is-url
++ ((or is-url is-remote)
+ (if (org--should-fetch-remote-resource-p file)
+ (with-current-buffer (url-retrieve-synchronously file)
+ (goto-char (point-min))
diff -Nru emacs-28.2+1/debian/patches/0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch emacs-28.2+1/debian/patches/0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch
--- emacs-28.2+1/debian/patches/0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch 2024-04-27 09:49:04.000000000 +0000
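Review bot: When `is-remote` is non-nil but `is-url` is nil, the new `((or is-url is-remote)` branch hands a TRAMP-style name (e.g. `/ssh:host:/path`) to `url-retrieve-synchronously`, which as far as visible here only understands URLs, so a remote file the user has just approved in the prompt will presumably fail to load rather than be read. Failing closed is the right direction, but the user is then asked to approve a download that cannot succeed; either refuse non-URL remote files before `org--should-fetch-remote-resource-p` is consulted, or state the intent next to the branch: `;; Non-URL remote files (TRAMP) are routed through url-retrieve on purpose so they are never read transparently; expect this to fail.` The catch-all `(t t)` handler is a reasonable fail-closed default, though a short comment naming what `file-remote-p` could signal on would help the next reader. The `cond` and the rest of `org-file-contents` continue outside the hunk.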
@@ -0,0 +1,29 @@
+From d3a160d4393dbc6d7c0b5e6dc61ff5ef09489f11 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Fri, 23 Feb 2024 12:56:58 +0300
+Subject: org--confirm-resource-safe: Fix prompt when prompting in non-file Org
+ buffers
+
+* lisp/org/org.el (org--confirm-resource-safe): When called from
+non-file buffer, do not put stray "f" in the prompt.
+
+(cherry picked from commit 7a5d7be52c5f0690ee47f30bfad973827261abf2)
+---
+ lisp/org/org.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index cb5615e5b1f..7c6d8e1ea18 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4824,9 +4824,9 @@ org--confirm-resource-safe
+ (propertize domain 'face '(:inherit org-link :weight normal))
+ ") as safe.\n ")
+ "")
+- (propertize "f" 'face 'success)
+ (if current-file
+ (concat
++ (propertize "f" 'face 'success)
+ " to download this resource, and permanantly mark all resources in "
+ (propertize current-file 'face 'underline)
+ " as safe.\n ")
diff -Nru emacs-28.2+1/debian/patches/0042-org-Fix-security-prompt-for-downloading-remote-resou.patch emacs-28.2+1/debian/patches/0042-org-Fix-security-prompt-for-downloading-remote-resou.patch
--- emacs-28.2+1/debian/patches/0042-org-Fix-security-prompt-for-downloading-remote-resou.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-28.2+1/debian/patches/0042-org-Fix-security-prompt-for-downloading-remote-resou.patch 2024-04-27 09:49:04.000000000 +0000
@@ -0,0 +1,28 @@
+From 1c0b3e5ae5cef71210b094bfd1f8582efe3a7b90 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko
+Date: Fri, 2 Feb 2024 20:59:41 +0100
+Subject: org: Fix security prompt for downloading remote resource
+
+* lisp/org.el (org--confirm-resource-safe): Do not assume that
+resource is safe when user replies "n" (do not download).
+
+Reported-by: Max Nikulin
+Link: https://orgmode.org/list/upj6uk$b7o$1@ciao.gmane.io
+(cherry picked from commit e56f0ef51bfdd0e03e817670754bc813fb3702a2)
+---
+ lisp/org/org.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 7c6d8e1ea18..3e1d5135f45 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4860,7 +4860,7 @@ org--confirm-resource-safe
+ (if (and (= char ?f) current-file)
+ (concat "file://" current-file) uri))
+ "\\'")))))
+- (prog1 (memq char '(?y ?n ?! ?d ?\s ?f))
++ (prog1 (memq char '(?y ?! ?d ?\s ?f))
+ (quit-window t)))))))
+
+ (defun org-extract-log-state-settings (x)
diff -Nru emacs-28.2+1/debian/patches/series emacs-28.2+1/debian/patches/series
--- emacs-28.2+1/debian/patches/series 2023-03-31 18:22:32.000000000 +0000
+++ emacs-28.2+1/debian/patches/series 2024-04-27 09:49:04.000000000 +0000
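Review bot: With `?n` removed, `?\s` (space) is still in the affirmative list on the new `prog1` line, although the prompt text only advertises y, n, f, d and !, so in a security prompt an accidental space press approves the fetch. If the intent is to mirror `y-or-n-p`, where SPC means yes, say so next to the line: `;; SPC counts as "y", as in `y-or-n-p'.`; otherwise make it `(prog1 (memq char '(?y ?! ?d ?f))`, which turns space into a refusal since it stays in `exit-chars` (that binding, and the rest of `org--confirm-resource-safe`, lie outside this hunk).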
@@ -26,3 +26,17 @@
 0026-Gnus-nnml-should-avoid-crashing-on-some-invalid-head.patch
 0027-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-1-2.patch
 0028-Org-Mode-vulnerability-CVE-2023-28617-is-fixed-2-2.patch
+0029-org-macro-set-templates-Prevent-code-evaluation.patch
+0030-lisp-files.el-untrusted-content-New-variable.patch
+0031-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch
+0032-org-latex-preview-Add-protection-when-untrusted-cont.patch
+0033-org-Add-setting-for-remote-file-download-policy.patch
+0034-org-Refactor-rx-to-concat-regexp-opt.patch
+0035-org-Correct-regexp-escaping-to-use-regexp-quote.patch
+0036-org-Fix-resource-prompt-in-non-file-buffers.patch
+0037-org-Add-mark-domain-as-safe-convenience-action.patch
+0038-org-Tweak-styling-of-url-in-resource-prompt.patch
+0039-org-Use-buffer-base-buffer-in-safe-resource-fns.patch
+0040-org-file-contents-Consider-all-remote-files-unsafe.patch
+0041-org-confirm-resource-safe-Fix-prompt-when-prompting-.patch
+0042-org-Fix-security-prompt-for-downloading-remote-resou.patch