aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorUlrich Müller <ulm@gentoo.org>2023-02-26 21:00:06 +0100
committerUlrich Müller <ulm@gentoo.org>2023-02-26 21:00:06 +0100
commitdfe3b5140502207cf64dc11b33c30da958822937 (patch)
treecdc8675a44b6b2018047deb540f1960b1aed66a5
parent28.3: Copy patchset from 28.2 (diff)
downloademacs-patches-dfe3b5140502207cf64dc11b33c30da958822937.tar.gz
emacs-patches-dfe3b5140502207cf64dc11b33c30da958822937.tar.bz2
emacs-patches-dfe3b5140502207cf64dc11b33c30da958822937.zip
This fixes command injection vulnerabilities in etags (CVE-2022-48337), ruby-mode (CVE-2022-48338), and htmlfontify (CVE-2022-48339) for Emacs slots 25, 26, 27, and 28. Note that Emacs 25 and 26 are not affected by the ruby-mode vulnerability because function ruby-find-library-file did not yet exist (and there is no call to the gem command in ruby-mode.el). Emacs 18 is not affected by either of them: It doesn't have ruby-mode and htmlfontify, and we no longer install the ctags and etags binaries. Bug: https://bugs.gentoo.org/897950 Signed-off-by: Ulrich Müller <ulm@gentoo.org>
-rw-r--r--emacs/25.3/05_all_etags-metachar.patch99
-rw-r--r--emacs/25.3/06_all_htmlfontify.patch22
-rw-r--r--emacs/26.3/05_all_etags-metachar.patch99
-rw-r--r--emacs/26.3/06_all_htmlfontify.patch22
-rw-r--r--emacs/27.2/05_all_etags-metachar.patch99
-rw-r--r--emacs/27.2/06_all_ruby-mode.patch22
-rw-r--r--emacs/27.2/07_all_htmlfontify.patch22
-rw-r--r--emacs/28.2/04_all_gnus-nnml.patch38
-rw-r--r--emacs/28.2/05_all_etags-metachar.patch99
-rw-r--r--emacs/28.2/06_all_ruby-mode.patch22
-rw-r--r--emacs/28.2/07_all_htmlfontify.patch22
11 files changed, 566 insertions, 0 deletions
diff --git a/emacs/25.3/05_all_etags-metachar.patch b/emacs/25.3/05_all_etags-metachar.patch
new file mode 100644
index 0000000..31ffc14
--- /dev/null
+++ b/emacs/25.3/05_all_etags-metachar.patch
@@ -0,0 +1,99 @@
+Fix etags local command injection vulnerability (CVE-2022-48337)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/59817
+
+commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Author: Xi Lu <lx@shellcodes.org>
+Date: Tue Dec 6 15:42:40 2022 +0800
+
+ Fix etags local command injection vulnerability
+
+--- emacs-25.3/lib-src/etags.c
++++ emacs-25.3/lib-src/etags.c
+@@ -398,6 +398,7 @@
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1658,13 +1659,16 @@
+ else
+ {
+ #if MSDOS || defined (DOS_NT)
+- char *cmd1 = concat (compr->command, " \"", real_name);
+- char *cmd = concat (cmd1, "\" > ", tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+- char *cmd1 = concat (compr->command, " '", real_name);
+- char *cmd = concat (cmd1, "' > ", tmp_name);
++ char *new_real_name = escape_shell_arg_string (real_name);
++ char *new_tmp_name = escape_shell_arg_string (tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+- free (cmd1);
+ int tmp_errno;
+ if (system (cmd) == -1)
+ {
+@@ -6876,6 +6880,55 @@
+ return templt;
+ }
+
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++ char *p = str;
++ int need_space = 2; /* ' at begin and end */
++
++ while (*p != '\0')
++ {
++ if (*p == '\'')
++ need_space += 4; /* ' to '\'', length is 4 */
++ else
++ need_space++;
++
++ p++;
++ }
++
++ char *new_str = xnew (need_space + 1, char);
++ new_str[0] = '\'';
++ new_str[need_space-1] = '\'';
++
++ int i = 1; /* skip first byte */
++ p = str;
++ while (*p != '\0')
++ {
++ new_str[i] = *p;
++ if (*p == '\'')
++ {
++ new_str[i+1] = '\\';
++ new_str[i+2] = '\'';
++ new_str[i+3] = '\'';
++ i += 3;
++ }
++
++ i++;
++ p++;
++ }
++
++ new_str[need_space] = '\0';
++ return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff --git a/emacs/25.3/06_all_htmlfontify.patch b/emacs/25.3/06_all_htmlfontify.patch
new file mode 100644
index 0000000..6870c0b
--- /dev/null
+++ b/emacs/25.3/06_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date: Sat Dec 24 16:28:54 2022 +0800
+
+ Fix htmlfontify.el command injection vulnerability.
+
+--- emacs-25.3/lisp/htmlfontify.el
++++ emacs-25.3/lisp/htmlfontify.el
+@@ -1898,7 +1898,7 @@
+
+ (defun hfy-text-p (srcdir file)
+ "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this."
+- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+ (rsp (shell-command-to-string cmd)))
+ (string-match "text" rsp)))
+
diff --git a/emacs/26.3/05_all_etags-metachar.patch b/emacs/26.3/05_all_etags-metachar.patch
new file mode 100644
index 0000000..b7cc07b
--- /dev/null
+++ b/emacs/26.3/05_all_etags-metachar.patch
@@ -0,0 +1,99 @@
+Fix etags local command injection vulnerability (CVE-2022-48337)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/59817
+
+commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Author: Xi Lu <lx@shellcodes.org>
+Date: Tue Dec 6 15:42:40 2022 +0800
+
+ Fix etags local command injection vulnerability
+
+--- emacs-26.3/lib-src/etags.c
++++ emacs-26.3/lib-src/etags.c
+@@ -396,6 +396,7 @@
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1672,13 +1673,16 @@
+ else
+ {
+ #if MSDOS || defined (DOS_NT)
+- char *cmd1 = concat (compr->command, " \"", real_name);
+- char *cmd = concat (cmd1, "\" > ", tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+- char *cmd1 = concat (compr->command, " '", real_name);
+- char *cmd = concat (cmd1, "' > ", tmp_name);
++ char *new_real_name = escape_shell_arg_string (real_name);
++ char *new_tmp_name = escape_shell_arg_string (tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+- free (cmd1);
+ int tmp_errno;
+ if (system (cmd) == -1)
+ {
+@@ -7141,6 +7145,55 @@
+ return templt;
+ }
+
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++ char *p = str;
++ int need_space = 2; /* ' at begin and end */
++
++ while (*p != '\0')
++ {
++ if (*p == '\'')
++ need_space += 4; /* ' to '\'', length is 4 */
++ else
++ need_space++;
++
++ p++;
++ }
++
++ char *new_str = xnew (need_space + 1, char);
++ new_str[0] = '\'';
++ new_str[need_space-1] = '\'';
++
++ int i = 1; /* skip first byte */
++ p = str;
++ while (*p != '\0')
++ {
++ new_str[i] = *p;
++ if (*p == '\'')
++ {
++ new_str[i+1] = '\\';
++ new_str[i+2] = '\'';
++ new_str[i+3] = '\'';
++ i += 3;
++ }
++
++ i++;
++ p++;
++ }
++
++ new_str[need_space] = '\0';
++ return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff --git a/emacs/26.3/06_all_htmlfontify.patch b/emacs/26.3/06_all_htmlfontify.patch
new file mode 100644
index 0000000..c19e662
--- /dev/null
+++ b/emacs/26.3/06_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date: Sat Dec 24 16:28:54 2022 +0800
+
+ Fix htmlfontify.el command injection vulnerability.
+
+--- emacs-26.3/lisp/htmlfontify.el
++++ emacs-26.3/lisp/htmlfontify.el
+@@ -1906,7 +1906,7 @@
+
+ (defun hfy-text-p (srcdir file)
+ "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this."
+- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+ (rsp (shell-command-to-string cmd)))
+ (string-match "text" rsp)))
+
diff --git a/emacs/27.2/05_all_etags-metachar.patch b/emacs/27.2/05_all_etags-metachar.patch
new file mode 100644
index 0000000..8f3338e
--- /dev/null
+++ b/emacs/27.2/05_all_etags-metachar.patch
@@ -0,0 +1,99 @@
+Fix etags local command injection vulnerability (CVE-2022-48337)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/59817
+
+commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Author: Xi Lu <lx@shellcodes.org>
+Date: Tue Dec 6 15:42:40 2022 +0800
+
+ Fix etags local command injection vulnerability
+
+--- emacs-27.2/lib-src/etags.c
++++ emacs-27.2/lib-src/etags.c
+@@ -398,6 +398,7 @@
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1670,13 +1671,16 @@
+ else
+ {
+ #if MSDOS || defined (DOS_NT)
+- char *cmd1 = concat (compr->command, " \"", real_name);
+- char *cmd = concat (cmd1, "\" > ", tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+- char *cmd1 = concat (compr->command, " '", real_name);
+- char *cmd = concat (cmd1, "' > ", tmp_name);
++ char *new_real_name = escape_shell_arg_string (real_name);
++ char *new_tmp_name = escape_shell_arg_string (tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+- free (cmd1);
+ int tmp_errno;
+ if (system (cmd) == -1)
+ {
+@@ -7124,6 +7128,55 @@
+ return templt;
+ }
+
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++ char *p = str;
++ int need_space = 2; /* ' at begin and end */
++
++ while (*p != '\0')
++ {
++ if (*p == '\'')
++ need_space += 4; /* ' to '\'', length is 4 */
++ else
++ need_space++;
++
++ p++;
++ }
++
++ char *new_str = xnew (need_space + 1, char);
++ new_str[0] = '\'';
++ new_str[need_space-1] = '\'';
++
++ int i = 1; /* skip first byte */
++ p = str;
++ while (*p != '\0')
++ {
++ new_str[i] = *p;
++ if (*p == '\'')
++ {
++ new_str[i+1] = '\\';
++ new_str[i+2] = '\'';
++ new_str[i+3] = '\'';
++ i += 3;
++ }
++
++ i++;
++ p++;
++ }
++
++ new_str[need_space] = '\0';
++ return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff --git a/emacs/27.2/06_all_ruby-mode.patch b/emacs/27.2/06_all_ruby-mode.patch
new file mode 100644
index 0000000..8537b02
--- /dev/null
+++ b/emacs/27.2/06_all_ruby-mode.patch
@@ -0,0 +1,22 @@
+Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60268
+
+commit 22fb5ff5126dc8bb01edaa0252829d853afb284f
+Author: Xi Lu <lx@shellcodes.org>
+Date: Fri Dec 23 12:52:48 2022 +0800
+
+ Fix ruby-mode.el local command injection vulnerability (bug#60268)
+
+--- emacs-27.2/lisp/progmodes/ruby-mode.el
++++ emacs-27.2/lisp/progmodes/ruby-mode.el
+@@ -1820,7 +1820,7 @@
+ (setq feature-name (read-string "Feature name: " init))))
+ (let ((out
+ (substring
+- (shell-command-to-string (concat "gem which " feature-name))
++ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+ 0 -1)))
+ (if (string-match-p "\\`ERROR" out)
+ (user-error "%s" out)
diff --git a/emacs/27.2/07_all_htmlfontify.patch b/emacs/27.2/07_all_htmlfontify.patch
new file mode 100644
index 0000000..eb0b079
--- /dev/null
+++ b/emacs/27.2/07_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Backported from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date: Sat Dec 24 16:28:54 2022 +0800
+
+ Fix htmlfontify.el command injection vulnerability.
+
+--- emacs-27.2/lisp/htmlfontify.el
++++ emacs-27.2/lisp/htmlfontify.el
+@@ -1912,7 +1912,7 @@
+
+ (defun hfy-text-p (srcdir file)
+ "Is SRCDIR/FILE text? Uses `hfy-istext-command' to determine this."
+- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+ (rsp (shell-command-to-string cmd)))
+ (string-match "text" rsp)))
+
diff --git a/emacs/28.2/04_all_gnus-nnml.patch b/emacs/28.2/04_all_gnus-nnml.patch
new file mode 100644
index 0000000..eed2058
--- /dev/null
+++ b/emacs/28.2/04_all_gnus-nnml.patch
@@ -0,0 +1,38 @@
+Fix denial-of-service issue in Gnus
+Patch from emacs-28 branch
+
+commit ae9bfed50dbf5043c0b47f20473ef43d8aeebebd
+Author: Eli Zaretskii <eliz@gnu.org>
+Date: Mon Dec 19 19:01:04 2022 +0200
+
+ Fix storing email into nnmail by Gnus
+
+--- a/lisp/gnus/nnml.el
++++ b/lisp/gnus/nnml.el
+@@ -775,17 +775,22 @@
+ (nnml--encode-headers headers)
+ headers))))
+
++;; RFC2047-encode Subject and From, but leave invalid headers unencoded.
+ (defun nnml--encode-headers (headers)
+ (let ((subject (mail-header-subject headers))
+ (rfc2047-encoding-type 'mime))
+ (unless (string-match "\\`[[:ascii:]]*\\'" subject)
+- (setf (mail-header-subject headers)
+- (mail-encode-encoded-word-string subject t))))
++ (let ((encoded-subject
++ (ignore-errors (mail-encode-encoded-word-string subject t))))
++ (if encoded-subject
++ (setf (mail-header-subject headers) encoded-subject)))))
+ (let ((from (mail-header-from headers))
+ (rfc2047-encoding-type 'address-mime))
+ (unless (string-match "\\`[[:ascii:]]*\\'" from)
+- (setf (mail-header-from headers)
+- (rfc2047-encode-string from t)))))
++ (let ((encoded-from
++ (ignore-errors (rfc2047-encode-string from t))))
++ (if encoded-from
++ (setf (mail-header-from headers) encoded-from))))))
+
+ (defun nnml-get-nov-buffer (group &optional incrementalp)
+ (let ((buffer (gnus-get-buffer-create
diff --git a/emacs/28.2/05_all_etags-metachar.patch b/emacs/28.2/05_all_etags-metachar.patch
new file mode 100644
index 0000000..9371c17
--- /dev/null
+++ b/emacs/28.2/05_all_etags-metachar.patch
@@ -0,0 +1,99 @@
+Fix etags local command injection vulnerability (CVE-2022-48337)
+Patch from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/59817
+
+commit e339926272a598bd9ee7e02989c1662b89e64cf0
+Author: Xi Lu <lx@shellcodes.org>
+Date: Tue Dec 6 15:42:40 2022 +0800
+
+ Fix etags local command injection vulnerability
+
+--- a/lib-src/etags.c
++++ b/lib-src/etags.c
+@@ -408,6 +408,7 @@
+ static void put_entries (node *);
+ static void clean_matched_file_tag (char const * const, char const * const);
+
++static char *escape_shell_arg_string (char *);
+ static void do_move_file (const char *, const char *);
+ static char *concat (const char *, const char *, const char *);
+ static char *skip_spaces (char *);
+@@ -1704,13 +1705,16 @@
+ else
+ {
+ #if MSDOS || defined (DOS_NT)
+- char *cmd1 = concat (compr->command, " \"", real_name);
+- char *cmd = concat (cmd1, "\" > ", tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
+ #else
+- char *cmd1 = concat (compr->command, " '", real_name);
+- char *cmd = concat (cmd1, "' > ", tmp_name);
++ char *new_real_name = escape_shell_arg_string (real_name);
++ char *new_tmp_name = escape_shell_arg_string (tmp_name);
++ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
++ char *cmd = xmalloc (buf_len);
++ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ #endif
+- free (cmd1);
+ inf = (system (cmd) == -1
+ ? NULL
+ : fopen (tmp_name, "r" FOPEN_BINARY));
+@@ -7689,6 +7693,55 @@
+ return templt;
+ }
+
++/*
++ * Adds single quotes around a string, if found single quotes, escaped it.
++ * Return a newly-allocated string.
++ *
++ * For example:
++ * escape_shell_arg_string("test.txt") => 'test.txt'
++ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
++ */
++static char *
++escape_shell_arg_string (char *str)
++{
++ char *p = str;
++ int need_space = 2; /* ' at begin and end */
++
++ while (*p != '\0')
++ {
++ if (*p == '\'')
++ need_space += 4; /* ' to '\'', length is 4 */
++ else
++ need_space++;
++
++ p++;
++ }
++
++ char *new_str = xnew (need_space + 1, char);
++ new_str[0] = '\'';
++ new_str[need_space-1] = '\'';
++
++ int i = 1; /* skip first byte */
++ p = str;
++ while (*p != '\0')
++ {
++ new_str[i] = *p;
++ if (*p == '\'')
++ {
++ new_str[i+1] = '\\';
++ new_str[i+2] = '\'';
++ new_str[i+3] = '\'';
++ i += 3;
++ }
++
++ i++;
++ p++;
++ }
++
++ new_str[need_space] = '\0';
++ return new_str;
++}
++
+ static void
+ do_move_file(const char *src_file, const char *dst_file)
+ {
diff --git a/emacs/28.2/06_all_ruby-mode.patch b/emacs/28.2/06_all_ruby-mode.patch
new file mode 100644
index 0000000..6b1b054
--- /dev/null
+++ b/emacs/28.2/06_all_ruby-mode.patch
@@ -0,0 +1,22 @@
+Fix ruby-mode.el local command injection vulnerability (CVE-2022-48338)
+Patch from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60268
+
+commit 22fb5ff5126dc8bb01edaa0252829d853afb284f
+Author: Xi Lu <lx@shellcodes.org>
+Date: Fri Dec 23 12:52:48 2022 +0800
+
+ Fix ruby-mode.el local command injection vulnerability (bug#60268)
+
+--- a/lisp/progmodes/ruby-mode.el
++++ b/lisp/progmodes/ruby-mode.el
+@@ -1819,7 +1819,7 @@
+ (setq feature-name (read-string "Feature name: " init))))
+ (let ((out
+ (substring
+- (shell-command-to-string (concat "gem which " feature-name))
++ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
+ 0 -1)))
+ (if (string-match-p "\\`ERROR" out)
+ (user-error "%s" out)
diff --git a/emacs/28.2/07_all_htmlfontify.patch b/emacs/28.2/07_all_htmlfontify.patch
new file mode 100644
index 0000000..acfccc5
--- /dev/null
+++ b/emacs/28.2/07_all_htmlfontify.patch
@@ -0,0 +1,22 @@
+Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
+Patch from emacs-28 branch
+https://bugs.gentoo.org/897950
+https://debbugs.gnu.org/60295
+
+commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
+Author: Xi Lu <lx@shellcodes.org>
+Date: Sat Dec 24 16:28:54 2022 +0800
+
+ Fix htmlfontify.el command injection vulnerability.
+
+--- a/lisp/htmlfontify.el
++++ b/lisp/htmlfontify.el
+@@ -1882,7 +1882,7 @@
+
+ (defun hfy-text-p (srcdir file)
+ "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
+- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+ (rsp (shell-command-to-string cmd)))
+ (string-match "text" rsp)))
+