From the emacs-30.1 announcement [0]:

"""
Emacs 30.1 includes security fixes for a shell injection vulnerability in man.el (CVE-2025-1244), and for arbitrary code execution with flymake (CVE-2024-53920). We recommend upgrading immediately.
"""

Of course, stabling 30.1 immediately isn't an option, so we need to figure out which fixes require backporting.

[0] https://lists.gnu.org/archive/html/emacs-devel/2025-02/msg00997.html
man.el: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=820f0793f0b46448928905552726c1f1b999062f
flymake: seems to be the same as bug 945164

Did we have a bug for the man.el thing before?
flymake is indeed bug 945164. I'd typo'd the CVE number so didn't realise. Please use this bug for man.el (only). Sorry for the confusion.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/emacs-patches.git/commit/?id=4c9563ef2b533375f3ea786ae76e1dca32eebb20

commit 4c9563ef2b533375f3ea786ae76e1dca32eebb20
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2025-02-24 05:21:55 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2025-02-24 05:21:55 +0000

    Fix man.el shell injection vulnerability

    Bug: https://bugs.gentoo.org/950192
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 emacs/26.3/14_all_man.patch | 26 ++++++++++++++++++++++++++
 emacs/27.2/15_all_man.patch | 26 ++++++++++++++++++++++++++
 emacs/28.2/18_all_man.patch | 26 ++++++++++++++++++++++++++
 emacs/29.4/06_all_man.patch | 26 ++++++++++++++++++++++++++
 4 files changed, 104 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/emacs-patches.git/commit/?id=459b8434e99767632f1a410e7d3c4536f6bad452

commit 459b8434e99767632f1a410e7d3c4536f6bad452
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2025-02-24 05:21:55 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2025-02-24 19:39:51 +0000

    Fix man.el shell injection vulnerability

    Bug: https://bugs.gentoo.org/950192
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 emacs/26.3/14_all_man.patch | 26 +++++++++++++++++++++++++
 emacs/27.2/15_all_man.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++
 emacs/28.2/18_all_man.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++
 emacs/29.4/06_all_man.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 167 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47f394193647eb7638f6740d4e5e47b9d6bff954

commit 47f394193647eb7638f6740d4e5e47b9d6bff954
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2025-02-25 18:52:41 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2025-02-25 18:58:15 +0000

    app-editors/emacs: Fix flymake and man vulnerabilities

    Bug: https://bugs.gentoo.org/945164
    Bug: https://bugs.gentoo.org/950192
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 app-editors/emacs/Manifest              |   4 +
 app-editors/emacs/emacs-26.3-r22.ebuild | 377 +++++++++++++++++++
 app-editors/emacs/emacs-27.2-r20.ebuild | 447 ++++++++++++++++++++++
 app-editors/emacs/emacs-28.2-r16.ebuild | 558 +++++++++++++++++++++++++++
 app-editors/emacs/emacs-29.4-r2.ebuild  | 648 ++++++++++++++++++++++++++++++++
 5 files changed, 2034 insertions(+)