diff --git a/emacs-29.1.tar.xz b/emacs-29.4.tar.xz similarity index 79% rename from emacs-29.1.tar.xz rename to emacs-29.4.tar.xz index 9323da9c97f2193679eb14956be8d524391c67fa..80f6e6ed88e68fafd466df11ed0785d883abf9dc 100644 Binary files a/emacs-29.1.tar.xz and b/emacs-29.4.tar.xz differ diff --git a/emacs.spec b/emacs.spec index 95c44b277dba2af9782dc62449419ee11d5d899a..a2d38cedc10676db64feb0e2509cd4f8c5125f3b 100644 --- a/emacs.spec +++ b/emacs.spec @@ -1,11 +1,11 @@ -%define anolis_release 2 +%define anolis_release 1 %global _hardened_build 1 # This file is encoded in UTF-8. -*- coding: utf-8 -*- Summary: GNU Emacs text editor Name: emacs Epoch: 1 -Version: 29.1 +Version: 29.4 Release: %{anolis_release}%{?dist} License: GPL-3.0-or-later AND CC0-1.0 URL: http://www.gnu.org/software/emacs/ @@ -19,9 +19,6 @@ Patch1: emacs-spellchecker.patch Patch2: emacs-system-crypto-policies.patch Patch3: emacs-libdir-vs-systemd.patch -#https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29.4&id=c645e1d8205f0f0663ec4a2d27575b238c646c7c -Patch4: fix-cve-2024-39331.patch - BuildRequires: gcc BuildRequires: atk-devel BuildRequires: cairo-devel @@ -514,6 +511,10 @@ desktop-file-validate %{buildroot}/%{_datadir}/applications/*.desktop %{_includedir}/emacs-module.h %changelog +* Fri Nov 08 2024 mgb01105731 - 1:29.4-1 +- update to 29.4 +- fix CVE-2024-30202 CVE-2024-30203 CVE-2024-30204 CVE-2024-30205 + * Fri Aug 02 2024 yangxinyu - 1:29.1-2 - fix the CVE-2024-39331 diff --git a/fix-cve-2024-39331.patch b/fix-cve-2024-39331.patch deleted file mode 100644 index 218b5ca3db0d86994efed7fa7cb4d3fd66d88b76..0000000000000000000000000000000000000000 --- a/fix-cve-2024-39331.patch +++ /dev/null 
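Review bot: Nothing in this diff shows how the replacement tarball behind `Version: 29.4` was authenticated. `emacs-29.4.tar.xz` is swapped in as an opaque binary, and no detached signature or keyring file changes alongside it. The `Source` lines and `%prep` are outside the hunks shown, so the spec may already verify the source. If it does not, consider carrying the upstream `.sig` and keyring as additional `Source` entries and calling `%{gpgverify}` in `%prep`, so that a tampered archive fails the build. Failing that, record in the commit message the upstream checksum the tarball was compared against.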
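Review bot: The new `%changelog` entry for 1:29.4-1 does not record that `Patch4: fix-cve-2024-39331.patch` is dropped. Anyone auditing CVE coverage from the changelog or the patch list sees the 29.1-2 fix disappear without explanation. The removed comment cites an upstream commit on the emacs-29.4 branch, so the fix is presumably contained in the new tarball. It is worth confirming that `lisp/org/ol.el` in 29.4 carries the `org-link-abbrev-safe` check, then stating it, for example `- drop fix-cve-2024-39331.patch, fixed upstream in 29.4 (CVE-2024-39331)`.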
@@ -1,63 +0,0 @@ -From de0635bc37915cb47f7d8e565c03f3a585029905 Mon Sep 17 00:00:00 2001 -From: Yang_X_Y -Date: Fri, 2 Aug 2024 14:29:28 +0800 -Subject: [PATCH] fix-cve-2024-39331 - ---- - lisp/org/ol.el | 40 +++++++++++++++++++++++++++++----------- - 1 file changed, 29 insertions(+), 11 deletions(-) - -diff --git a/lisp/org/ol.el b/lisp/org/ol.el -index 9ad191c..0b990c4 100644 ---- a/lisp/org/ol.el -+++ b/lisp/org/ol.el -@@ -1063,17 +1063,35 @@ Abbreviations are defined in `org-link-abbrev-alist'." - (if (not as) - link - (setq rpl (cdr as)) -- (cond -- ((symbolp rpl) (funcall rpl tag)) -- ((string-match "%(\\([^)]+\\))" rpl) -- (replace-match -- (save-match-data -- (funcall (intern-soft (match-string 1 rpl)) tag)) -- t t rpl)) -- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) -- ((string-match "%h" rpl) -- (replace-match (url-hexify-string (or tag "")) t t rpl)) -- (t (concat rpl tag))))))) -+ ;; Drop any potentially dangerous text properties like -+ ;; `modification-hooks' that may be used as an attack vector. -+ (substring-no-properties -+ (cond -+ ((symbolp rpl) (funcall rpl tag)) -+ ((string-match "%(\\([^)]+\\))" rpl) -+ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) -+ ;; Using `unsafep-function' is not quite enough because -+ ;; Emacs considers functions like `genenv' safe, while -+ ;; they can potentially be used to expose private system -+ ;; data to attacker if abbreviated link is clicked. 
-+ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) -+ (eq t (get rpl-fun-symbol 'pure))) -+ (replace-match -+ (save-match-data -+ (funcall (intern-soft (match-string 1 rpl)) tag)) -+ t t rpl) -+ (org-display-warning -+ (format "Disabling unsafe link abbrev: %s -+ You may mark function safe via (put '%s 'org-link-abbrev-safe t)" -+ rpl (match-string 1 rpl))) -+ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) -+ org-link-abbrev-alist (delete as org-link-abbrev-alist)) -+ link -+ ))) -+ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) -+ ((string-match "%h" rpl) -+ (replace-match (url-hexify-string (or tag "")) t t rpl)) -+ (t (concat rpl tag)))))))) - - (defun org-link-open (link &optional arg) - "Open a link object LINK. --- -2.33.0 -