2 files changed, 39 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/emacs/emacs_29.1.bb b/meta-oe/recipes-support/emacs/emacs_29.1.bb
index f0666a41c4..abc99d3e08 100644
--- a/meta-oe/recipes-support/emacs/emacs_29.1.bb
+++ b/meta-oe/recipes-support/emacs/emacs_29.1.bb
@@ -8,6 +8,7 @@ SRC_URI = "https://ftp.gnu.org/pub/gnu/emacs/emacs-${PV}.tar.xz \
           file://0001-org-macro-set-templates-Prevent-code-evaluation.patch \
           file://0001-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch \
           file://0001-org-latex-preview-Add-protection-when-untrusted-cont.patch \
+           file://0001-org-file-contents-Consider-all-remote-files-unsafe.patch \
          "
 SRC_URI:append:class-target = " \
    file://use-emacs-native-tools-for-cross-compiling.patch \
diff --git a/meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch b/meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch
new file mode 100644
index 0000000000..7408f0e404
--- /dev/null
+++ b/meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch
@@ -0,0 +1,38 @@
+From 3a3bc6df4295ff7d5ea7193dfe0492cd858e1664 Mon Sep 17 00:00:00 2001
+From: Ihor Radchenko <yantar92@posteo.net>
+Date: Tue, 20 Feb 2024 14:59:20 +0300
+Subject: [PATCH] org-file-contents: Consider all remote files unsafe
+* lisp/org/org.el (org-file-contents): When loading files, consider all
+remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
+CVE: CVE-2024-30205
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877]
+Signed-off-by: Gyorgy Sarvari
+---
+ lisp/org/org.el | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/lisp/org/org.el b/lisp/org/org.el
+index ab58978..03140bd 100644
+--- a/lisp/org/org.el
+++ b/lisp/org/org.el
+@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
+ If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
+ is available.  This option applies only if FILE is a URL."
+   (let* ((is-url (org-url-p file))
+         (is-remote (condition-case nil
+                        (file-remote-p file)
+                      ;; In case of error, be safe.
+                      (t t)))
+          (cache (and is-url
+                      (not nocache)
+                      (gethash file org--file-cache))))
+     (cond
+      (cache)
+-     (is-url
+     ((or is-url is-remote)
+       (if (org--should-fetch-remote-resource-p file)
+           (condition-case error
+               (with-current-buffer (url-retrieve-synchronously file)

diff --git a/meta-oe/recipes-support/emacs/emacs_29.1.bb b/meta-oe/recipes-support/emacs/emacs_29.1.bb index f0666a41c4..abc99d3e08 100644 --- a/meta-oe/recipes-support/emacs/emacs_29.1.bb +++ b/meta-oe/recipes-support/emacs/emacs_29.1.bb
@@ -8,6 +8,7 @@ SRC_URI = "https://ftp.gnu.org/pub/gnu/emacs/emacs-${PV}.tar.xz \
8	file://0001-org-macro-set-templates-Prevent-code-evaluation.patch \	8	file://0001-org-macro-set-templates-Prevent-code-evaluation.patch \
9	file://0001-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch \	9	file://0001-lisp-gnus-mm-view.el-mm-display-inline-fontify-Mark-.patch \
10	file://0001-org-latex-preview-Add-protection-when-untrusted-cont.patch \	10	file://0001-org-latex-preview-Add-protection-when-untrusted-cont.patch \
		11	file://0001-org-file-contents-Consider-all-remote-files-unsafe.patch \
11	"	12	"
12	SRC_URI:append:class-target = " \	13	SRC_URI:append:class-target = " \
13	file://use-emacs-native-tools-for-cross-compiling.patch \	14	file://use-emacs-native-tools-for-cross-compiling.patch \


diff --git a/meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch b/meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch new file mode 100644 index 0000000000..7408f0e404 --- /dev/null +++ b/meta-oe/recipes-support/emacs/files/0001-org-file-contents-Consider-all-remote-files-unsafe.patch
@@ -0,0 +1,38 @@
		1	From 3a3bc6df4295ff7d5ea7193dfe0492cd858e1664 Mon Sep 17 00:00:00 2001
		2	From: Ihor Radchenko <yantar92@posteo.net>
		3	Date: Tue, 20 Feb 2024 14:59:20 +0300
		4	Subject: [PATCH] org-file-contents: Consider all remote files unsafe
		5
		6	* lisp/org/org.el (org-file-contents): When loading files, consider all
		7	remote files (like TRAMP-fetched files) unsafe, in addition to URLs.
		8
		9	CVE: CVE-2024-30205
		10	Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877]
		11
		12	Signed-off-by: Gyorgy Sarvari
		13	---
		14	lisp/org/org.el \| 6 +++++-
		15	1 file changed, 5 insertions(+), 1 deletion(-)
		16
		17	diff --git a/lisp/org/org.el b/lisp/org/org.el
		18	index ab58978..03140bd 100644
		19	--- a/lisp/org/org.el
		20	+++ b/lisp/org/org.el
		21	@@ -4576,12 +4576,16 @@ from file or URL, and return nil.
		22	If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
		23	is available. This option applies only if FILE is a URL."
		24	(let* ((is-url (org-url-p file))
		25	+ (is-remote (condition-case nil
		26	+ (file-remote-p file)
		27	+ ;; In case of error, be safe.
		28	+ (t t)))
		29	(cache (and is-url
		30	(not nocache)
		31	(gethash file org--file-cache))))
		32	(cond
		33	(cache)
		34	- (is-url
		35	+ ((or is-url is-remote)
		36	(if (org--should-fetch-remote-resource-p file)
		37	(condition-case error
		38	(with-current-buffer (url-retrieve-synchronously file)