Version in base suite: 9.4.0+dfsg-1+deb11u1 Base version: org-mode_9.4.0+dfsg-1+deb11u1 Target version: org-mode_9.4.0+dfsg-1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/org-mode/org-mode_9.4.0+dfsg-1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/org-mode/org-mode_9.4.0+dfsg-1+deb11u2.dsc changelog | 8 control | 3 patches/CVE-2024-30203_CVE-2024-30204_01.patch | 56 ++++++ patches/CVE-2024-30203_CVE-2024-30204_02.patch | 208 +++++++++++++++++++++++++ patches/CVE-2024-30203_CVE-2024-30204_03.patch | 34 ++++ patches/CVE-2024-30203_CVE-2024-30204_04.patch | 25 +++ patches/CVE-2024-30203_CVE-2024-30204_05.patch | 44 +++++ patches/CVE-2024-30203_CVE-2024-30204_06.patch | 78 +++++++++ patches/CVE-2024-30203_CVE-2024-30204_07.patch | 34 ++++ patches/CVE-2024-30203_CVE-2024-30204_08.patch | 39 ++++ patches/CVE-2024-30205_01.patch | 34 ++++ patches/CVE-2024-30205_02.patch | 28 +++ patches/CVE-2024-30205_03.patch | 27 +++ patches/series | 11 + 14 files changed, 628 insertions(+), 1 deletion(-) diff -Nru org-mode-9.4.0+dfsg/debian/changelog org-mode-9.4.0+dfsg/debian/changelog --- org-mode-9.4.0+dfsg/debian/changelog 2023-08-03 13:28:47.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/changelog 2024-04-30 08:08:33.000000000 +0000 @@ -1,3 +1,11 @@ +org-mode (9.4.0+dfsg-1+deb11u2) bullseye; urgency=high + + * Team upload. + * Fix CVE-2024-30203, CVE-2024-30204 & CVE-2024-30205 (Closes: #1067663). + - Require Emacs 1:27.1+1-3.1+deb11u3 to ensure we get the whole fix. + + -- Sean Whitton Tue, 30 Apr 2024 09:08:33 +0100 + org-mode (9.4.0+dfsg-1+deb11u1) bullseye; urgency=medium * Team upload. diff -Nru org-mode-9.4.0+dfsg/debian/control org-mode-9.4.0+dfsg/debian/control --- org-mode-9.4.0+dfsg/debian/control 2023-08-03 13:28:47.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/control 2024-04-30 08:08:33.000000000 +0000 
@@ -11,7 +11,8 @@ Package: elpa-org Architecture: all -Depends: ${elpa:Depends}, ${misc:Depends}, elpa-htmlize +Depends: ${elpa:Depends}, ${misc:Depends}, elpa-htmlize, + emacs-gtk (>= 1:27.1+1-3.1+deb11u3) | emacs-lucid (>= 1:27.1+1-3.1+deb11u3) | emacs-nox (>= 1:27.1+1-3.1+deb11u3) Recommends: emacs (>= 46.0) Suggests: org-mode-doc, ditaa, texlive-latex-extra, texlive-fonts-recommended, texinfo Enhances: emacs, diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_01.patch 2024-04-30 08:08:33.000000000 +0000 
@@ -0,0 +1,56 @@ +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 12:47:24 +0300 +Subject: org-latex-preview: Add protection when `untrusted-content' is + non-nil + +* lisp/org/org.el (org--latex-preview-when-risky): New variable +controlling how to handle LaTeX previews in Org files from untrusted +origin. +(org-latex-preview): Consult `org--latex-preview-when-risky' before +generating previews. + +This patch adds a layer of protection when LaTeX preview is requested +for an email attachment, where `untrusted-content' is set to non-nil. + +(cherry picked from Emacs commit 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c) +--- + lisp/org.el | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/lisp/org.el b/lisp/org.el +index 4964e01..eea46cb 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -1074,6 +1074,24 @@ the following lines anywhere in the buffer: + :package-version '(Org . "8.0") + :type 'boolean) + ++(defvar untrusted-content) ; defined in files.el ++(defvar org--latex-preview-when-risky nil ++ "If non-nil, enable LaTeX preview in Org buffers from unsafe source. ++ ++Some specially designed LaTeX code may generate huge pdf or log files ++that may exhaust disk space. ++ ++This variable controls how to handle LaTeX preview when rendering LaTeX ++fragments that originate from incoming email messages. It has no effect ++when Org mode is unable to determine the origin of the Org buffer. ++ ++An Org buffer is considered to be from unsafe source when the ++variable `untrusted-content' has a non-nil value in the buffer. ++ ++If this variable is non-nil, LaTeX previews are rendered unconditionally. ++ ++This variable may be renamed or changed in the future.") ++ + (defcustom org-insert-mode-line-in-empty-file nil + "Non-nil means insert the first line setting Org mode in empty files. + When the function `org-mode' is called interactively in an empty file, this +@@ -15820,6 +15838,7 @@ fragments in the buffer." 
+ (interactive "P") + (cond + ((not (display-graphic-p)) nil) ++ ((and untrusted-content (not org--latex-preview-when-risky)) nil) + ;; Clear whole buffer. + ((equal arg '(64)) + (org-clear-latex-preview (point-min) (point-max)) diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_02.patch 2024-04-30 08:08:33.000000000 +0000 
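Review bot: The new `cond` clause in `org-latex-preview` reads `untrusted-content` unconditionally, while the preceding `(defvar untrusted-content)` only declares the symbol special and gives it no value, so on an Emacs whose files.el does not define the variable every preview request signals void-variable rather than quietly declining; this is presumably why debian/control now requires emacs 1:27.1+1-3.1+deb11u3. Failing closed is the right direction, but the error is unexplained to a reader of org.el; a comment on the defvar such as `; defined by files.el of the patched Emacs; unbound (void-variable below) on older builds` would record the dependency where the code relies on it. `org--latex-preview-when-risky` is a plain `defvar` rather than a `defcustom`, which the docstring justifies as deliberate, so no change is proposed there. `org-latex-preview`'s body continues outside the hunk.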
@@ -0,0 +1,208 @@ +From: TEC +Date: Sun, 12 Jun 2022 22:37:42 +0800 +Subject: org: Add setting for remote file download policy + +* lisp/org/org.el (org-resource-download-policy, org-safe-remote-resources): +Two new customisations to configure the policy for downloading remote +resources. +(org--should-fetch-remote-resource-p, org--safe-remote-resource-p, +org--confirm-resource-safe): Introduce the new function +`org--should-fetch-remote-resource-p' for internal use determining +whether a remote resource should be downloaded according to the download +policy. This function makes use of two helper functions, +`org--safe-remote-resource-p' and `org--confirm-resource-safe'. +(org-file-contents): Apply `org--safe-remote-resource-p' to file +downloading. + +* lisp/org/org-attach.el (org-attach-attach, org-attach-url): Apply +`org--safe-remote-resource-p' to url downloading. + +(cherry picked from commit 0583a0c5eaa955d4370558b980b3772bb91dd057) +--- + lisp/org-attach.el | 10 ++++- + lisp/org.el | 130 ++++++++++++++++++++++++++++++++++++++++++++++------- + 2 files changed, 123 insertions(+), 17 deletions(-) + +diff --git a/lisp/org-attach.el b/lisp/org-attach.el +index e6aa97e..6345af3a 100644 +--- a/lisp/org-attach.el ++++ b/lisp/org-attach.el +@@ -463,7 +463,9 @@ DIR-property exists (that is different from the unset one)." 
+ + (defun org-attach-url (url) + (interactive "MURL of the file to attach: \n") +- (let ((org-attach-method 'url)) ++ (let ((org-attach-method 'url) ++ (org-safe-remote-resources ; Assume safety if in an interactive session ++ (if noninteractive org-safe-remote-resources '("")))) + (org-attach-attach url))) + + (defun org-attach-buffer (buffer-name) +@@ -503,7 +505,11 @@ METHOD may be `cp', `mv', `ln', `lns' or `url' default taken from + ((eq method 'cp) (copy-file file attach-file)) + ((eq method 'ln) (add-name-to-file file attach-file)) + ((eq method 'lns) (make-symbolic-link file attach-file)) +- ((eq method 'url) (url-copy-file file attach-file))) ++ ((eq method 'url) ++ (if (org--should-fetch-remote-resource-p file) ++ (url-copy-file file attach-file) ++ (error "The remote resources %S is considered unsafe, and will not be downloaded" ++ file)))) + (run-hook-with-args 'org-attach-after-change-hook attach-dir) + (org-attach-tag) + (cond ((eq org-attach-store-link-p 'attached) +diff --git a/lisp/org.el b/lisp/org.el +index eea46cb..ca2e166 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -1410,6 +1410,34 @@ For more examples, see the system specific constants + (string :tag "Command") + (function :tag "Function"))))) + ++(defcustom org-resource-download-policy 'prompt ++ "The policy applied to requests to obtain remote resources. ++ ++This affects keywords like #+setupfile and #+incude on export, ++`org-persist-write:url',and `org-attach-url' in non-interactive ++Emacs sessions. ++ ++This recognises four possible values: ++- t, remote resources should always be downloaded. ++- prompt, you will be prompted to download resources nt considered safe. ++- safe, only resources considered safe will be downloaded. ++- nil, never download remote resources. ++ ++A resource is considered safe if it matches one of the patterns ++in `org-safe-remote-resources'." 
++ :group 'org ++ :type '(choice (const :tag "Always download remote resources" t) ++ (const :tag "Prompt before downloading an unsafe resource" prompt) ++ (const :tag "Only download resources considered safe" safe) ++ (const :tag "Never download any resources" nil))) ++ ++(defcustom org-safe-remote-resources nil ++ "A list of regexp patterns matching safe URIs. ++URI regexps are applied to both URLs and Org files requesting ++remote resources." ++ :group 'org ++ :type '(list regexp)) ++ + (defcustom org-open-non-existing-files nil + "Non-nil means `org-open-file' opens non-existing files. + +@@ -4668,21 +4696,25 @@ is available. This option applies only if FILE is a URL." + (cond + (cache) + (is-url +- (with-current-buffer (url-retrieve-synchronously file) +- (goto-char (point-min)) +- ;; Move point to after the url-retrieve header. +- (search-forward "\n\n" nil :move) +- ;; Search for the success code only in the url-retrieve header. +- (if (save-excursion +- (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror)) +- ;; Update the cache `org--file-cache' and return contents. +- (puthash file +- (buffer-substring-no-properties (point) (point-max)) +- org--file-cache) +- (funcall (if noerror #'message #'user-error) +- "Unable to fetch file from %S" +- file) +- nil))) ++ (if (org--should-fetch-remote-resource-p file) ++ (with-current-buffer (url-retrieve-synchronously file) ++ (goto-char (point-min)) ++ ;; Move point to after the url-retrieve header. ++ (search-forward "\n\n" nil :move) ++ ;; Search for the success code only in the url-retrieve header. ++ (if (save-excursion ++ (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror)) ++ ;; Update the cache `org--file-cache' and return contents. 
++ (puthash file ++ (buffer-substring-no-properties (point) (point-max)) ++ org--file-cache) ++ (funcall (if noerror #'message #'user-error) ++ "Unable to fetch file from %S" ++ file) ++ nil)) ++ (funcall (if noerror #'message #'user-error) ++ "The remote resource %S is considered unsafe, and will not be downloaded" ++ file))) + (t + (with-temp-buffer + (condition-case nil +@@ -4695,6 +4727,74 @@ is available. This option applies only if FILE is a URL." + file) + nil))))))) + ++(defun org--should-fetch-remote-resource-p (uri) ++ "Return non-nil if the URI should be fetched." ++ (or (eq org-resource-download-policy t) ++ (org--safe-remote-resource-p uri) ++ (and (eq org-resource-download-policy 'prompt) ++ (org--confirm-resource-safe uri)))) ++ ++(defun org--safe-remote-resource-p (uri) ++ "Return non-nil if URI is considered safe. ++This checks every pattern in `org-safe-remote-resources', and ++returns non-nil if any of them match." ++ (let ((uri-patterns org-safe-remote-resources) ++ (file-uri (and buffer-file-name ++ (concat "file://" (file-truename buffer-file-name)))) ++ match-p) ++ (while (and (not match-p) uri-patterns) ++ (setq match-p (or (string-match-p (car uri-patterns) uri) ++ (and file-uri (string-match-p (car uri-patterns) file-uri))) ++ uri-patterns (cdr uri-patterns))) ++ match-p)) ++ ++(defun org--confirm-resource-safe (uri) ++ "Ask the user if URI should be considered safe, returning non-nil if so." ++ (unless noninteractive ++ (let ((current-file (and buffer-file-name (file-truename buffer-file-name))) ++ (buf (get-buffer-create "*Org Remote Resource*"))) ++ ;; Set up the contents of the *Org Remote Resource* buffer. ++ (with-current-buffer buf ++ (erase-buffer) ++ (insert "An org-mode document would like to download " ++ (propertize uri 'face '(:inherit org-link :weight normal)) ++ ", which is not considered safe.\n\n" ++ "Do you want to download this? You can type\n " ++ (propertize "!" 
'face 'success) ++ " to download this resource, and permanantly mark it as safe.\n " ++ (propertize "f" 'face 'success) ++ " to download this resource, and permanantly mark all resources in " ++ (propertize current-file 'face 'fixed-pitch-serif) ++ " as safe.\n " ++ (propertize "y" 'face 'warning) ++ " to download this resource, just this once.\n " ++ (propertize "n" 'face 'error) ++ " to skip this resource.\n") ++ (setq-local cursor-type nil) ++ (set-buffer-modified-p nil) ++ (goto-char (point-min))) ++ ;; Display the buffer and read a choice. ++ (save-window-excursion ++ (pop-to-buffer buf) ++ (let* ((exit-chars '(?y ?n ?! ?f ?\s)) ++ (prompt (format "Please type y, n, f, or !%s: " ++ (if (< (line-number-at-pos (point-max)) ++ (window-body-height)) ++ "" ++ ", or C-v/M-v to scroll"))) ++ char) ++ (setq char (read-char-choice prompt exit-chars)) ++ (when (memq char '(?! ?f)) ++ (customize-push-and-save ++ 'org-safe-remote-resources ++ (list (rx string-start ++ (literal ++ (if (and (= char ?f) current-file) ++ (concat "file://" current-file) uri)) ++ string-end)))) ++ (prog1 (memq char '(?! ?\s ?y ?f)) ++ (quit-window t))))))) ++ + (defun org-extract-log-state-settings (x) + "Extract the log state setting from a TODO keyword string. + This will extract info from a string like \"WAIT(w@/!)\"." diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_03.patch 2024-04-30 08:08:33.000000000 +0000 
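Review bot: In `org-file-contents`, the new unsafe-resource branch ends with the `funcall` of `message`/`user-error` and nothing else, so when NOERROR is non-nil it returns the formatted message string as the file's "contents", whereas the sibling `Unable to fetch file` branch explicitly ends with `nil`; add a trailing `nil` after that `funcall` so callers get the documented nil. `org--safe-remote-resource-p` applies each `org-safe-remote-resources` entry with an unanchored `string-match-p`, so a hand-written entry like `example\\.com` also whitelists any URI that merely contains that text in a path or query string; the entries the prompt generates are anchored with `string-start`/`string-end`, and the `org-safe-remote-resources` docstring should tell users to anchor theirs the same way (its `:type '(list regexp)` is also customize's fixed one-element list; `(repeat regexp)` is the variable-length form the variable actually holds). In `org--confirm-resource-safe`, `?\s` is in `exit-chars` and in the final `memq`, so a space key downloads the resource once although the help text only lists y, n, f and !; the same applies to the `memq` list as rewritten in the CVE-2024-30205_03 patch. The `org-resource-download-policy` docstring also carries typos (`#+incude`, `nt considered`, the missing space in `'url',and`).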
@@ -0,0 +1,34 @@ +From: TEC +Date: Sun, 24 Jul 2022 22:03:20 +0800 +Subject: org: Refactor rx to concat + regexp-opt + +* lisp/org.el (org--confirm-resource-safe): Since Emacs 26 doesn't +support rx's (literal S) construct, use (concat (regexp-opt ...) ...) +instead. + +(cherry picked from commit 6de5431acc8b77548e89c61a6ae0ebc1b57540bb) +--- + lisp/org.el | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/lisp/org.el b/lisp/org.el +index ca2e166..91a569f 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -4787,11 +4787,11 @@ returns non-nil if any of them match." + (when (memq char '(?! ?f)) + (customize-push-and-save + 'org-safe-remote-resources +- (list (rx string-start +- (literal +- (if (and (= char ?f) current-file) +- (concat "file://" current-file) uri)) +- string-end)))) ++ (list (concat "\\`" ++ (regexp-opt ++ (if (and (= char ?f) current-file) ++ (concat "file://" current-file) uri)) ++ "\\'")))) + (prog1 (memq char '(?! ?\s ?y ?f)) + (quit-window t))))))) + diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_04.patch 2024-04-30 08:08:33.000000000 +0000 
@@ -0,0 +1,25 @@ +From: TEC +Date: Tue, 26 Jul 2022 12:22:07 +0800 +Subject: org: Correct regexp escaping to use regexp-quote + +* lisp/org.el (org--confirm-resource-safe): `regexp-opt' was +accidentally used instead of `regexp-quote'. + +(cherry picked from commit 6ad53fa22eab5830f85a401960dc1e7d00154a27) +--- + lisp/org.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/org.el b/lisp/org.el +index 91a569f..86888c8 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -4788,7 +4788,7 @@ returns non-nil if any of them match." + (customize-push-and-save + 'org-safe-remote-resources + (list (concat "\\`" +- (regexp-opt ++ (regexp-quote + (if (and (= char ?f) current-file) + (concat "file://" current-file) uri)) + "\\'")))) diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_05.patch 2024-04-30 08:08:33.000000000 +0000 
@@ -0,0 +1,44 @@ +From: TEC +Date: Wed, 3 Aug 2022 21:38:49 +0800 +Subject: org: Fix resource prompt in non-file buffers + +* lisp/org.el (org--confirm-resource-safe): When `buffer-file-name' is +nil, skip over file-specific behaviour. + +(cherry picked from commit 4702a73031c77ba03b480b0848c137d5d8773e07) +--- + lisp/org.el | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/lisp/org.el b/lisp/org.el +index 86888c8..ca9d723 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -4763,9 +4763,12 @@ returns non-nil if any of them match." + (propertize "!" 'face 'success) + " to download this resource, and permanantly mark it as safe.\n " + (propertize "f" 'face 'success) +- " to download this resource, and permanantly mark all resources in " +- (propertize current-file 'face 'fixed-pitch-serif) +- " as safe.\n " ++ (if current-file ++ (concat ++ " to download this resource, and permanantly mark all resources in " ++ (propertize current-file 'face 'fixed-pitch-serif) ++ " as safe.\n ") ++ "") + (propertize "y" 'face 'warning) + " to download this resource, just this once.\n " + (propertize "n" 'face 'error) +@@ -4776,8 +4779,9 @@ returns non-nil if any of them match." + ;; Display the buffer and read a choice. + (save-window-excursion + (pop-to-buffer buf) +- (let* ((exit-chars '(?y ?n ?! ?f ?\s)) +- (prompt (format "Please type y, n, f, or !%s: " ++ (let* ((exit-chars (append '(?y ?n ?! 
?\s) (and current-file '(?f)))) ++ (prompt (format "Please type y, n%s, or !%s: " ++ (if current-file ", f" "") + (if (< (line-number-at-pos (point-max)) + (window-body-height)) + "" diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_06.patch 2024-04-30 08:08:33.000000000 +0000 
@@ -0,0 +1,78 @@ +From: TEC +Date: Sun, 7 Aug 2022 16:21:21 +0800 +Subject: org: Add "mark domain as safe" convenience action + +* lisp/org.el (org--confirm-resource-safe): Pick out domains from URLs, +and provide an option of marking that domain as safe. + +(cherry picked from commit 1ae801e9c86d5b150fd085230722e4dac550df30) +--- + lisp/org.el | 32 +++++++++++++++++++++++--------- + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/lisp/org.el b/lisp/org.el +index ca9d723..c90c669 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -4752,6 +4752,13 @@ returns non-nil if any of them match." + "Ask the user if URI should be considered safe, returning non-nil if so." + (unless noninteractive + (let ((current-file (and buffer-file-name (file-truename buffer-file-name))) ++ (domain (and (string-match ++ (rx (seq "http" (? "s") "://") ++ (optional (+ (not (any "@/\n"))) "@") ++ (optional "www.") ++ (one-or-more (not (any ":/?\n")))) ++ uri) ++ (match-string 0 uri))) + (buf (get-buffer-create "*Org Remote Resource*"))) + ;; Set up the contents of the *Org Remote Resource* buffer. + (with-current-buffer buf +@@ -4762,6 +4769,11 @@ returns non-nil if any of them match." + "Do you want to download this? You can type\n " + (propertize "!" 'face 'success) + " to download this resource, and permanantly mark it as safe.\n " ++ (if domain ++ (concat ++ (propertize "d" 'face 'success) ++ " to download this resource, and mark this domain as safe.\n ") ++ "") + (propertize "f" 'face 'success) + (if current-file + (concat +@@ -4779,8 +4791,8 @@ returns non-nil if any of them match." + ;; Display the buffer and read a choice. + (save-window-excursion + (pop-to-buffer buf) +- (let* ((exit-chars (append '(?y ?n ?! ?\s) (and current-file '(?f)))) +- (prompt (format "Please type y, n%s, or !%s: " ++ (let* ((exit-chars (append '(?y ?n ?! 
?d ?\s) (and current-file '(?f)))) ++ (prompt (format "Please type y, n%s, d, or !%s: " + (if current-file ", f" "") + (if (< (line-number-at-pos (point-max)) + (window-body-height)) +@@ -4788,15 +4800,17 @@ returns non-nil if any of them match." + ", or C-v/M-v to scroll"))) + char) + (setq char (read-char-choice prompt exit-chars)) +- (when (memq char '(?! ?f)) ++ (when (memq char '(?! ?f ?d)) + (customize-push-and-save + 'org-safe-remote-resources +- (list (concat "\\`" +- (regexp-quote +- (if (and (= char ?f) current-file) +- (concat "file://" current-file) uri)) +- "\\'")))) +- (prog1 (memq char '(?! ?\s ?y ?f)) ++ (list (if (eq char ?d) ++ (concat "\\`" (regexp-quote domain) "\\(?:/\\|\\'\\)") ++ (concat "\\`" ++ (regexp-quote ++ (if (and (= char ?f) current-file) ++ (concat "file://" current-file) uri)) ++ "\\'"))))) ++ (prog1 (memq char '(?y ?n ?! ?d ?\s ?f)) + (quit-window t))))))) + + (defun org-extract-log-state-settings (x) diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_07.patch 2024-04-30 08:08:33.000000000 +0000 
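Review bot: `?d` is added to `exit-chars` and named in the prompt unconditionally, but `domain` is nil whenever the URI is not an http(s) URL, and in that case pressing `d` reaches `(regexp-quote domain)` with nil and signals wrong-type-argument instead of either downloading or refusing. Gate it the way `f` is gated on `current-file`: `(exit-chars (append '(?y ?n ?! ?\s) (and domain '(?d)) (and current-file '(?f))))`, with the prompt built from `"Please type y, n%s%s, or !%s: "` and `(if domain ", d" "")` in place of the literal `d`. The `rx` pattern bound to `domain` keeps the scheme and any `user@` userinfo in the match, so what gets saved is an origin prefix rather than a bare host name; a one-line comment at the binding saying so would keep the help text's "this domain" from being read too literally. The enclosing `let*` and `save-window-excursion` continue across the hunk boundaries.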
@@ -0,0 +1,34 @@ +From: TEC +Date: Tue, 30 Aug 2022 01:45:41 +0800 +Subject: org: Tweak styling of url in resource prompt + +* lisp/org.el (org--confirm-resource-safe): Style domain with a link, +and url with an underline. + +(cherry picked from commit 1061db94acf785f4b8f1140649e3857d52693115) +--- + lisp/org.el | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/lisp/org.el b/lisp/org.el +index c90c669..72ed4a9 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -4772,13 +4772,15 @@ returns non-nil if any of them match." + (if domain + (concat + (propertize "d" 'face 'success) +- " to download this resource, and mark this domain as safe.\n ") ++ " to download this resource, and mark the domain (" ++ (propertize domain 'face '(:inherit org-link :weight normal)) ++ ") as safe.\n ") + "") + (propertize "f" 'face 'success) + (if current-file + (concat + " to download this resource, and permanantly mark all resources in " +- (propertize current-file 'face 'fixed-pitch-serif) ++ (propertize current-file 'face 'underline) + " as safe.\n ") + "") + (propertize "y" 'face 'warning) diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30203_CVE-2024-30204_08.patch 2024-04-30 08:08:33.000000000 +0000 
@@ -0,0 +1,39 @@ +From: TEC +Date: Sat, 10 Dec 2022 21:38:21 +0800 +Subject: org: Use buffer-base-buffer in safe resource fns + +* lisp/org.el (org--confirm-resource-safe, org--safe-remote-resource-p): +Replace instances of buffer-file-name +with (buffer-file-name (buffer-base-buffer)) so these functions work in +indirect buffers. + +(cherry picked from commit 88329143c86b34195af68a8e5d5fd3d00a5dcae6) +--- + lisp/org.el | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/lisp/org.el b/lisp/org.el +index 72ed4a9..5a1fe84 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -4739,8 +4739,8 @@ is available. This option applies only if FILE is a URL." + This checks every pattern in `org-safe-remote-resources', and + returns non-nil if any of them match." + (let ((uri-patterns org-safe-remote-resources) +- (file-uri (and buffer-file-name +- (concat "file://" (file-truename buffer-file-name)))) ++ (file-uri (and (buffer-file-name (buffer-base-buffer)) ++ (concat "file://" (file-truename (buffer-file-name (buffer-base-buffer)))))) + match-p) + (while (and (not match-p) uri-patterns) + (setq match-p (or (string-match-p (car uri-patterns) uri) +@@ -4751,7 +4751,8 @@ returns non-nil if any of them match." + (defun org--confirm-resource-safe (uri) + "Ask the user if URI should be considered safe, returning non-nil if so." + (unless noninteractive +- (let ((current-file (and buffer-file-name (file-truename buffer-file-name))) ++ (let ((current-file (and (buffer-file-name (buffer-base-buffer)) ++ (file-truename (buffer-file-name (buffer-base-buffer))))) + (domain (and (string-match + (rx (seq "http" (? 
"s") "://") + (optional (+ (not (any "@/\n"))) "@") diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_01.patch 2024-04-30 08:08:33.000000000 +0000 @@ -0,0 +1,34 @@ +From: Ihor Radchenko +Date: Tue, 20 Feb 2024 14:59:20 +0300 +Subject: org-file-contents: Consider all remote files unsafe + +* lisp/org/org.el (org-file-contents): When loading files, consider all +remote files (like TRAMP-fetched files) unsafe, in addition to URLs. + +(cherry picked from Emacs commit 2bc865ace050ff118db43f01457f95f95112b877) +--- + lisp/org.el | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lisp/org.el b/lisp/org.el +index 5a1fe84..6ee63be 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -4690,12 +4690,16 @@ from file or URL, and return nil. + If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version + is available. This option applies only if FILE is a URL." + (let* ((is-url (org-file-url-p file)) ++ (is-remote (condition-case nil ++ (file-remote-p file) ++ ;; In case of error, be safe. ++ (t t))) + (cache (and is-url + (not nocache) + (gethash file org--file-cache)))) + (cond + (cache) +- (is-url ++ ((or is-url is-remote) + (if (org--should-fetch-remote-resource-p file) + (with-current-buffer (url-retrieve-synchronously file) + (goto-char (point-min)) diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_02.patch 2024-04-30 08:08:33.000000000 +0000 
@@ -0,0 +1,28 @@ +From: Ihor Radchenko +Date: Fri, 23 Feb 2024 12:56:58 +0300 +Subject: org--confirm-resource-safe: Fix prompt when prompting in non-file + Org buffers + +* lisp/org/org.el (org--confirm-resource-safe): When called from +non-file buffer, do not put stray "f" in the prompt. + +(cherry picked from Emacs commit 7a5d7be52c5f0690ee47f30bfad973827261abf2) +--- + lisp/org.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/org.el b/lisp/org.el +index 6ee63be..fbcef9a 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -4781,9 +4781,9 @@ returns non-nil if any of them match." + (propertize domain 'face '(:inherit org-link :weight normal)) + ") as safe.\n ") + "") +- (propertize "f" 'face 'success) + (if current-file + (concat ++ (propertize "f" 'face 'success) + " to download this resource, and permanantly mark all resources in " + (propertize current-file 'face 'underline) + " as safe.\n ") diff -Nru org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch --- org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch 1970-01-01 00:00:00.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/CVE-2024-30205_03.patch 2024-04-30 08:08:33.000000000 +0000 
@@ -0,0 +1,27 @@ +From: Ihor Radchenko +Date: Fri, 2 Feb 2024 20:59:41 +0100 +Subject: org: Fix security prompt for downloading remote resource + +* lisp/org.el (org--confirm-resource-safe): Do not assume that +resource is safe when user replies "n" (do not download). + +Reported-by: Max Nikulin +Link: https://orgmode.org/list/upj6uk$b7o$1@ciao.gmane.io +(cherry picked from Emacs commit e56f0ef51bfdd0e03e817670754bc813fb3702a2) +--- + lisp/org.el | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lisp/org.el b/lisp/org.el +index fbcef9a..07ae99f 100644 +--- a/lisp/org.el ++++ b/lisp/org.el +@@ -4817,7 +4817,7 @@ returns non-nil if any of them match." + (if (and (= char ?f) current-file) + (concat "file://" current-file) uri)) + "\\'"))))) +- (prog1 (memq char '(?y ?n ?! ?d ?\s ?f)) ++ (prog1 (memq char '(?y ?! ?d ?\s ?f)) + (quit-window t))))))) + + (defun org-extract-log-state-settings (x) diff -Nru org-mode-9.4.0+dfsg/debian/patches/series org-mode-9.4.0+dfsg/debian/patches/series --- org-mode-9.4.0+dfsg/debian/patches/series 2023-08-03 13:28:47.000000000 +0000 +++ org-mode-9.4.0+dfsg/debian/patches/series 2024-04-30 08:08:33.000000000 +0000 @@ -2,3 +2,14 @@ #20-links-unescaping.patch 30-local-mk.patch 0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch +CVE-2024-30203_CVE-2024-30204_01.patch +CVE-2024-30203_CVE-2024-30204_02.patch +CVE-2024-30203_CVE-2024-30204_03.patch +CVE-2024-30203_CVE-2024-30204_04.patch +CVE-2024-30203_CVE-2024-30204_05.patch +CVE-2024-30203_CVE-2024-30204_06.patch +CVE-2024-30203_CVE-2024-30204_07.patch +CVE-2024-30203_CVE-2024-30204_08.patch +CVE-2024-30205_01.patch +CVE-2024-30205_02.patch +CVE-2024-30205_03.patch