Version in base suite: 27.1+1-3.1 Version in overlay suite: 27.1+1-3.1+deb11u1 Base version: emacs_27.1+1-3.1+deb11u1 Target version: emacs_27.1+1-3.1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/emacs/emacs_27.1+1-3.1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/emacs/emacs_27.1+1-3.1+deb11u2.dsc changelog | 6 ++ patches/CVE-2022-48337.patch | 101 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2022-48338.patch | 23 +++++++++ patches/CVE-2022-48339.patch | 23 +++++++++ patches/series | 3 + 5 files changed, 156 insertions(+)
diff -Nru emacs-27.1+1/debian/changelog emacs-27.1+1/debian/changelog
--- emacs-27.1+1/debian/changelog 2023-01-04 19:23:36.000000000 +0000
+++ emacs-27.1+1/debian/changelog 2023-02-22 21:08:26.000000000 +0000
@@ -1,3 +1,9 @@
+emacs (1:27.1+1-3.1+deb11u2) bullseye-security; urgency=medium
+
+ * CVE-2022-48337 CVE-2022-48338 CVE-2022-48339 (Closes: #1031730)
+
+ -- Moritz Mühlenhoff Wed, 22 Feb 2023 22:08:26 +0100
+
 emacs (1:27.1+1-3.1+deb11u1) bullseye-security; urgency=medium
 
 * CVE-2022-45939 (Closes: #1025009)
diff -Nru emacs-27.1+1/debian/patches/CVE-2022-48337.patch emacs-27.1+1/debian/patches/CVE-2022-48337.patch
--- emacs-27.1+1/debian/patches/CVE-2022-48337.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-27.1+1/debian/patches/CVE-2022-48337.patch 2023-02-21 15:57:52.000000000 +0000
@@ -0,0 +1,101 @@
+From 6ddebf2f0b762a1aa54da9df016bc5d7aa7fb1b6 Mon Sep 17 00:00:00 2001
+From: Xi Lu
+Date: Thu, 16 Feb 2023 21:36:28 +0800
+Subject: [PATCH] Fix etags local command injection vulnerability
+ (CVE-2022-48337).
+
+* lib-src/etags.c: (escape_shell_arg_string): New function.
+(process_file_name): Use it to quote file names passed to the
+shell. (Bug#59817)
+---
+ lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 58 insertions(+), 5 deletions(-)
+
+--- emacs-27.1+1.orig/lib-src/etags.c
++++ emacs-27.1+1/lib-src/etags.c
+@@ -398,6 +398,7 @@ static void invalidate_nodes (fdesc *, n
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1670,13 +1671,16 @@ process_file_name (char *file, language
+ else
+ {
+ #if MSDOS || defined (DOS_NT)
+- char *cmd1 = concat (compr->command, " \"", real_name);
+- char *cmd = concat (cmd1, "\" > ", tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+- char *cmd1 = concat (compr->command, " '", real_name);
+- char *cmd = concat (cmd1, "' > ", tmp_name);
++ char *new_real_name = escape_shell_arg_string (real_name);
++ char *new_tmp_name = escape_shell_arg_string (tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+- free (cmd1);
+ int tmp_errno;
+ if (system (cmd) == -1)
+ {
+@@ -7127,6 +7131,55 @@ etags_mktmp (void)
+ return templt;
+ }
+
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++ char *p = str;
++ int need_space = 2; /* ' at begin and end */
++
++ while (*p != '\0')
++ {
++ if (*p == '\'')
++ need_space += 4; /* ' to '\'', length is 4 */
++ else
++ need_space++;
++
++ p++;
++ }
++
++ char *new_str = xnew (need_space + 1, char);
++ new_str[0] = '\'';
++ new_str[need_space-1] = '\'';
++
++ int i = 1; /* skip first byte */
++ p = str;
++ while (*p != '\0')
++ {
++ new_str[i] = *p;
++ if (*p == '\'')
++ {
++ new_str[i+1] = '\\';
++ new_str[i+2] = '\'';
++ new_str[i+3] = '\'';
++ i += 3;
++ }
++
++ i++;
++ p++;
++ }
++
++ new_str[need_space] = '\0';
++ return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff -Nru emacs-27.1+1/debian/patches/CVE-2022-48338.patch emacs-27.1+1/debian/patches/CVE-2022-48338.patch
--- emacs-27.1+1/debian/patches/CVE-2022-48338.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-27.1+1/debian/patches/CVE-2022-48338.patch 2023-02-21 15:58:30.000000000 +0000
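Review bot: In the `#else` branch of process_file_name, `new_real_name` and `new_tmp_name` are heap strings returned by `escape_shell_arg_string`, but nothing in the hunk frees them, and the `free (cmd1)` the old code had is removed; unless the rest of process_file_name (which continues outside the hunk) releases them, every compressed input file now leaks two allocations. Since they are only needed to build `cmd`, `free (new_real_name); free (new_tmp_name);` immediately after the `snprintf` closes that. `buf_len` and `need_space` are `int` while they hold `strlen` sums of type `size_t`, and `escape_shell_arg_string` never writes through `str`, so `static char *escape_shell_arg_string (const char *str)` (and its prototype) with a `ptrdiff_t` or `size_t` length would match the arithmetic and the surrounding declarations. The `MSDOS || DOS_NT` branch still interpolates `real_name` and `tmp_name` between bare double quotes with no escaping, so the hardening covers the POSIX branch only; whether that is sufficient for the file names that can reach this path on those platforms is not established by the hunk and deserves a comment either way. The header comment could also read `Wrap STR in single quotes, escaping any single quotes it contains; return a newly allocated string.` instead of the current wording.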
@@ -0,0 +1,23 @@
+From 2f23e27d73ef12a7f74c12fc84b447058aa1a1f8 Mon Sep 17 00:00:00 2001
+From: Xi Lu
+Date: Fri, 23 Dec 2022 12:52:48 +0800
+Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
+ (CVE-2022-48338).
+
+* lisp/progmodes/ruby-mode.el
+(ruby-find-library-file): Fix local command injection vulnerability.
+---
+ lisp/progmodes/ruby-mode.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- emacs-27.1+1.orig/lisp/progmodes/ruby-mode.el
++++ emacs-27.1+1/lisp/progmodes/ruby-mode.el
+@@ -1820,7 +1820,7 @@ statement around point."
+ (setq feature-name (read-string "Feature name: " init))))
+ (let ((out
+ (substring
+- (shell-command-to-string (concat "gem which " feature-name))
++ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+ 0 -1)))
+ (if (string-match-p "\\`ERROR" out)
+ (user-error "%s" out)
diff -Nru emacs-27.1+1/debian/patches/CVE-2022-48339.patch emacs-27.1+1/debian/patches/CVE-2022-48339.patch
--- emacs-27.1+1/debian/patches/CVE-2022-48339.patch 1970-01-01 00:00:00.000000000 +0000
+++ emacs-27.1+1/debian/patches/CVE-2022-48339.patch 2023-02-21 16:00:15.000000000 +0000
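Review bot: ruby-find-library-file still hands a concatenated command line to the shell, so the fix is only as good as `shell-quote-argument` agreeing with whatever `shell-file-name` is in effect; with a fixed program and one argument, running `gem` directly removes the quoting dependency altogether, e.g. `(with-temp-buffer (call-process "gem" nil t nil "which" feature-name) (buffer-string))` in place of the `shell-command-to-string` form. A destination of `t` in `call-process` also collects stderr into the buffer, so the ERROR-prefix check on the following lines should keep working, though that is worth confirming against the output of `gem which` for a missing feature. The `(substring ... 0 -1)` that trims the trailing newline signals an error when the command produces no output at all, which the hunk leaves as is. The enclosing `let` and the defun both start and end outside the hunk.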
@@ -0,0 +1,23 @@
+From 4869f116cf0365101a0bad10e662004fbd80eb81 Mon Sep 17 00:00:00 2001
+From: Xi Lu
+Date: Sat, 24 Dec 2022 16:28:54 +0800
+Subject: [PATCH] Fix htmlfontify.el command injection vulnerability
+ (CVE-2022-48339).
+
+* lisp/htmlfontify.el (hfy-text-p): Fix command injection
+vulnerability. (Bug#60295)
+---
+ lisp/htmlfontify.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- emacs-27.1+1.orig/lisp/htmlfontify.el
++++ emacs-27.1+1/lisp/htmlfontify.el
+@@ -1912,7 +1912,7 @@ Hardly bombproof, but good enough in the
+
+ (defun hfy-text-p (srcdir file)
+ "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this."
+- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))))
+ (rsp (shell-command-to-string cmd)))
+ (string-match "text" rsp)))
+
diff -Nru emacs-27.1+1/debian/patches/series emacs-27.1+1/debian/patches/series
--- emacs-27.1+1/debian/patches/series 2023-01-04 13:06:51.000000000 +0000
+++ emacs-27.1+1/debian/patches/series 2023-02-21 15:59:28.000000000 +0000
@@ -13,3 +13,6 @@
 0013-Recover-the-contents-of-the-schemas.xml-file.patch
 0014-Skip-tests-that-require-Internet-when-there-s-no-Int.patch
 CVE-2022-45939.patch
+CVE-2022-48337.patch
+CVE-2022-48338.patch
+CVE-2022-48339.patch
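Review bot: `hfy-istext-command` is a format template the user can customize (its defcustom is outside this hunk), and after this change its `%s` receives an already shell-quoted path, so a template that wraps `%s` in its own quotes is now quoted twice and stops matching anything; the defcustom docstring should state that `%s` is replaced by a shell-quoted file name and must not be quoted in the template. The `(string-match "text" rsp)` test in hfy-text-p also matches the file name that a `file`-style command echoes ahead of its verdict, so a path containing the substring "text" is presumably classified as text regardless of its content; restricting the match to what follows the first colon, `(string-match-p ":.*text" rsp)`, narrows it to the description and stops clobbering match data. hfy-text-p is fully visible in the hunk; the default value of `hfy-istext-command` is not, so the echoed-file-name assumption should be checked against it.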