!124 fix CVE-2025-1244

From: @zppzhangpan 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock

backport-0002-CVE-2022-48337.patch

@@ -0,0 +1,25 @@
+From ab998b90206733f2cd9b009dcdb8e5567834ed3b Mon Sep 17 00:00:00 2001
+From: Super User <root@localhost.localdomain>
+Date: Mon, 25 Sep 2023 14:32:05 +0800
+Subject: [PATCH] backport 0002 CVE-2022-48337
+
+---
+ lib-src/etags.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib-src/etags.c b/lib-src/etags.c
+index 5d0eed2..5399008 100644
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -1680,6 +1680,8 @@ process_file_name (char *file, language *lang)
+           int buf_len = strlen (compr->command) + strlen ("  > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
+           char *cmd = xmalloc (buf_len);
+           snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
++	  free (new_real_name);
++	  free (new_tmp_name);
+ #endif
+ 	  int tmp_errno;
+ 	  if (system (cmd) == -1)
+-- 
+2.41.0
+

backport-CVE-2024-30203-pre.patch

@@ -0,0 +1,33 @@
+From ccc188fcf98ad9166ee551fac9d94b2603c3a51b Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 12:43:51 +0300
+Subject: * lisp/files.el (untrusted-content): New variable.
+
+The new variable is to be used when buffer contents comes from untrusted
+source.
+---
+ lisp/files.el | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lisp/files.el b/lisp/files.el
+index c0d26b2..5536af0 100644
+--- a/lisp/files.el
++++ b/lisp/files.el
+@@ -695,6 +695,14 @@ Also see the `permanently-enabled-local-variables' variable."
+ Some modes may wish to set this to nil to prevent directory-local
+ settings being applied, but still respect file-local ones.")
+ 
++(defvar-local untrusted-content nil
++  "Non-nil means that current buffer originated from an untrusted source.
++Email clients and some other modes may set this non-nil to mark the
++buffer contents as untrusted.
++
++This variable might be subject to change without notice.")
++(put 'untrusted-content 'permanent-local t)
++
+ ;; This is an odd variable IMO.
+ ;; You might wonder why it is needed, when we could just do:
+ ;; (set (make-local-variable 'enable-local-variables) nil)
+-- 
+cgit v1.1
+

backport-CVE-2024-30203.patch

@@ -0,0 +1,25 @@
+From 937b9042ad7426acdcca33e3d931d8f495bdd804 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 12:44:30 +0300
+Subject: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
+ untrusted.
+
+---
+ lisp/gnus/mm-view.el | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
+index 2e1261c..5f234e5 100644
+--- a/lisp/gnus/mm-view.el
++++ b/lisp/gnus/mm-view.el
+@@ -504,6 +504,7 @@ If MODE is not set, try to find mode automatically."
+ 	  (setq coding-system (mm-find-buffer-file-coding-system)))
+ 	(setq text (buffer-string))))
+     (with-temp-buffer
++      (setq untrusted-content t)
+       (buffer-disable-undo)
+       (mm-enable-multibyte)
+       (insert (cond ((eq charset 'gnus-decoded)
+-- 
+cgit v1.1
+

backport-CVE-2024-30204.patch

@@ -0,0 +1,57 @@
+From 6f9ea396f49cbe38c2173e0a72ba6af3e03b271c Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 12:47:24 +0300
+Subject: org-latex-preview: Add protection when `untrusted-content' is non-nil
+
+* lisp/org/org.el (org--latex-preview-when-risky): New variable
+controlling how to handle LaTeX previews in Org files from untrusted
+origin.
+(org-latex-preview): Consult `org--latex-preview-when-risky' before
+generating previews.
+
+This patch adds a layer of protection when LaTeX preview is requested
+for an email attachment, where `untrusted-content' is set to non-nil.
+---
+ lisp/org/org.el | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index c75afbf..0f5d17d 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -1140,6 +1140,24 @@ the following lines anywhere in the buffer:
+   :package-version '(Org . "8.0")
+   :type 'boolean)
+ 
++(defvar untrusted-content) ; defined in files.el
++(defvar org--latex-preview-when-risky nil
++  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
++
++Some specially designed LaTeX code may generate huge pdf or log files
++that may exhaust disk space.
++
++This variable controls how to handle LaTeX preview when rendering LaTeX
++fragments that originate from incoming email messages.  It has no effect
++when Org mode is unable to determine the origin of the Org buffer.
++
++An Org buffer is considered to be from unsafe source when the
++variable `untrusted-content' has a non-nil value in the buffer.
++
++If this variable is non-nil, LaTeX previews are rendered unconditionally.
++
++This variable may be renamed or changed in the future.")
++
+ (defcustom org-insert-mode-line-in-empty-file nil
+   "Non-nil means insert the first line setting Org mode in empty files.
+ When the function `org-mode' is called interactively in an empty file, this
+@@ -15695,6 +15713,7 @@ fragments in the buffer."
+   (interactive "P")
+   (cond
+    ((not (display-graphic-p)) nil)
++   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
+    ;; Clear whole buffer.
+    ((equal arg '(64))
+     (org-clear-latex-preview (point-min) (point-max))
+-- 
+cgit v1.1
+

backport-CVE-2024-30205.patch

@@ -0,0 +1,36 @@
+From 2bc865ace050ff118db43f01457f95f95112b877 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: org-file-contents: Consider all remote files unsafe
+
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+---
+ lisp/org/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index 0f5d17d..76559c9 100644
+--- a/lisp/org/org.el
++++ b/lisp/org/org.el
+@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-file-url-p file))
++         (is-remote (condition-case nil
++                        (file-remote-p file)
++                      ;; In case of error, be safe.
++                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
++     ((or is-url is-remote)
+       (with-current-buffer (url-retrieve-synchronously file)
+ 	(goto-char (point-min))
+ 	;; Move point to after the url-retrieve header.
+-- 
+cgit v1.1
+

backport-CVE-2024-39331.patch

@@ -0,0 +1,67 @@
+From c645e1d8205f0f0663ec4a2d27575b238c646c7c Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Fri, 21 Jun 2024 15:45:25 +0200
+Subject: org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...)
+link abbrevs that specify unsafe function.  Instead, display a
+warning, and do not expand the abbrev.  Clear all the text properties
+from the returned link, to avoid any potential vulnerabilities caused
+by properties that may contain arbitrary Elisp.
+---
+ lisp/org/ol.el | 39 +++++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/lisp/org/ol.el b/lisp/org/ol.el
+index baed23b..3eb2010 100644
+--- a/lisp/org/ol.el
++++ b/lisp/org/ol.el
+@@ -925,16 +925,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
+       (if (not as)
+ 	  link
+ 	(setq rpl (cdr as))
+-	(cond
+-	 ((symbolp rpl) (funcall rpl tag))
+-	 ((string-match "%(\\([^)]+\\))" rpl)
+-	  (replace-match
+-	   (save-match-data
+-	     (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl))
+-	 ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+-	 ((string-match "%h" rpl)
+-	  (replace-match (url-hexify-string (or tag "")) t t rpl))
+-	 (t (concat rpl tag)))))))
++        ;; Drop any potentially dangerous text properties like
++        ;; `modification-hooks' that may be used as an attack vector.
++        (substring-no-properties
++	 (cond
++	  ((symbolp rpl) (funcall rpl tag))
++	  ((string-match "%(\\([^)]+\\))" rpl)
++           (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++             ;; Using `unsafep-function' is not quite enough because
++             ;; Emacs considers functions like `genenv' safe, while
++             ;; they can potentially be used to expose private system
++             ;; data to attacker if abbreviated link is clicked.
++             (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++                     (eq t (get rpl-fun-symbol 'pure)))
++                 (replace-match
++	          (save-match-data
++	            (funcall (intern-soft (match-string 1 rpl)) tag))
++	          t t rpl)
++               (org-display-warning
++                (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++                        rpl (match-string 1 rpl)))
++               (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++                     org-link-abbrev-alist (delete as org-link-abbrev-alist))
++               link
++	       )))
++	  ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++	  ((string-match "%h" rpl)
++	   (replace-match (url-hexify-string (or tag "")) t t rpl))
++	  (t (concat rpl tag))))))))
+ 
+ (defun org-link-open (link &optional arg)
+   "Open a link object LINK.
+-- 
+2.33.0
+

backport-CVE-2025-1244.patch

@@ -0,0 +1,61 @@
+From 820f0793f0b46448928905552726c1f1b999062f Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Tue, 10 Oct 2023 22:20:05 +0800
+Subject: Fix man.el shell injection vulnerability
+
+* lisp/man.el (Man-translate-references): Fix shell injection
+vulnerability.  (Bug#66390)
+* test/lisp/man-tests.el (man-tests-Man-translate-references): New
+test.
+
+Reference:https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=820f0793f0b46448928905552726c1f1b999062f
+Conflict:NA
+
+---
+ lisp/man.el            |  6 +++++-
+ test/lisp/man-tests.el | 12 ++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/lisp/man.el b/lisp/man.el
+index 55cb938..d963964 100644
+--- a/lisp/man.el
++++ b/lisp/man.el
+@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)."
+       (setq name (match-string 2 ref)
+ 	    section (match-string 1 ref))))
+     (if (string= name "")
+-	ref				; Return the reference as is
++        ;; see Bug#66390
++	(mapconcat 'identity
++                   (mapcar #'shell-quote-argument
++                           (split-string ref "\\s-+"))
++                   " ")                 ; Return the reference as is
+       (if Man-downcase-section-letters-flag
+ 	  (setq section (downcase section)))
+       (while slist
+diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el
+index 140482e..11f5f80 100644
+--- a/test/lisp/man-tests.el
++++ b/test/lisp/man-tests.el
+@@ -161,6 +161,18 @@ DESCRIPTION
+           (let ((button (button-at (match-beginning 0))))
+             (should (and button (eq 'Man-xref-header-file (button-type button))))))))))
+ 
++(ert-deftest man-tests-Man-translate-references ()
++  (should (equal (Man-translate-references "basename")
++                 "basename"))
++  (should (equal (Man-translate-references "basename(3)")
++                 "3 basename"))
++  (should (equal (Man-translate-references "basename(3v)")
++                 "3v basename"))
++  (should (equal (Man-translate-references ";id")
++                 "\\;id"))
++  (should (equal (Man-translate-references "-k basename")
++                 "-k basename")))
++
+ (provide 'man-tests)
+ 
+ ;;; man-tests.el ends here
+-- 
+cgit v1.1
+

emacs-deal-taboo-words.patch

@@ -0,0 +1,41 @@
+From 771140a936b4cadf793e42c6637c5d7ec44b4d03 Mon Sep 17 00:00:00 2001
+From: yeah_wang <wangye70@huawei.com>
+Date: Thu, 8 Apr 2021 16:07:05 +0800
+Subject: [PATCH] emacs-deal-taboo-words.patch
+
+---
+ etc/publicsuffix.txt   | 4 ----
+ lisp/mail/mail-extr.el | 1 -
+ 2 files changed, 5 deletions(-)
+
+diff --git a/etc/publicsuffix.txt b/etc/publicsuffix.txt
+index ee0269c..b8652be 100644
+--- a/etc/publicsuffix.txt
++++ b/etc/publicsuffix.txt
+@@ -6164,11 +6164,7 @@ mil.tr
+ k12.tr
+ edu.tr
+ kep.tr
+-
+-// Used by Northern Cyprus
+ nc.tr
+-
+-// Used by government agencies of Northern Cyprus
+ gov.nc.tr
+ 
+ // travel : http://en.wikipedia.org/wiki/.travel
+diff --git a/lisp/mail/mail-extr.el b/lisp/mail/mail-extr.el
+index f1a455d..077774e 100644
+--- a/lisp/mail/mail-extr.el
++++ b/lisp/mail/mail-extr.el
+@@ -1932,7 +1932,6 @@ place.  It affects how `mail-extract-address-components' works."
+        ("ec" "Ecuador"		"The Republic of %s")
+        ("ee" "Estonia")
+        ("eg" "Egypt"		"The Arab Republic of %s")
+-       ("eh" "Western Sahara")
+        ("er" "Eritrea")
+        ("es" "Spain"		"The Kingdom of %s")
+        ("et" "Ethiopia")
+-- 
+2.27.0
+

emacs.spec

@@ -4,7 +4,7 @@
 Name:          emacs
 Epoch:         1
 Version:       27.1
-Release:       9
+Release:       15
 Summary:       An extensible GNU text editor
 License:       GPLv3+ and CC0-1.0
 URL:           http://www.gnu.org/software/emacs
@@ -25,6 +25,15 @@ Patch6001:     backport-CVE-2022-48337.patch
 Patch6002:     backport-CVE-2022-48338.patch
 Patch6003:     backport-CVE-2022-48339.patch
 Patch6004:     backport-CVE-2023-28617.patch
+Patch6005:     backport-0002-CVE-2022-48337.patch
+Patch6006:     backport-CVE-2024-30203-pre.patch
+Patch6007:     backport-CVE-2024-30203.patch
+Patch6008:     backport-CVE-2024-30204.patch
+Patch6009:     backport-CVE-2024-30205.patch
+Patch6010:     backport-CVE-2024-39331.patch
+Patch6011:     backport-CVE-2025-1244.patch
+
+Patch9000:     emacs-deal-taboo-words.patch
 
 BuildRequires: gcc atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel
 BuildRequires: glibc-devel zlib-devel gnutls-devel libselinux-devel GConf2-devel alsa-lib-devel
@@ -402,15 +411,33 @@ fi
 %{_mandir}/*/*
 
 %changelog
-* Fri Mar 24 2023 zhangpan <zhangpan103@h-partners.com> - 1:27.1-9
+* Thu Feb 13 2025 zhangpan <zhangpan103@h-partners.com> - 1:27.1-15
+- fix CVE-2025-1244
+
+* Tue Jul 02 2024 zhangpan <zhangpan103@h-partners.com> - 1:27.1-14
+- fix CVE-2024-39331
+
+* Mon Apr 01 2024 lingsheng <lingsheng1@h-partners.com> - 1:27.1-13
+- fix CVE-2024-30203 CVE-2024-30204 CVE-2024-30205
+
+* Mon Sep 25 2023 leeffo <liweiganga@uniontech.com> - 1:27.1-12
+- fix CVE-2022-48337
+
+* Fri Mar 24 2023 zhangpan <zhangpan103@h-partners.com> - 1:27.1-11
 - fix CVE-2023-28617
 
-* Thu Feb 23 2023 zhangpan <zhangpan103@h-partners.com> - 1:27.1-8
+* Thu Feb 23 2023 zhangpan <zhangpan103@h-partners.com> - 1:27.1-10
 - fix CVE-2022-48337 CVE-2022-48338 CVE-2022-48339
 
-* Thu Dec 01 2022 wangkerong <wangkerong@h-partners.com> - 1:27.1-7
+* Thu Dec 01 2022 wangkerong <wangkerong@h-partners.com> - 1:27.1-9
 - fix CVE-2022-45939
 
+* Fri Mar 25 2022 xingxing <xingxing9@h-partners.com> - 1:27.1-8
+- modify patch message
+
+* Fri Mar 25 2022 xingxing <xingxing9@h-partners.com> - 1:27.1-7
+- round self-developed-patch
+
 * Mon Aug 9 2021 yangcheng <yangcheng87@huawei.com> - 1:27.1-6
 - fixed the upgrade error caused by the info file in the emacs-common software package being repackaged