Overview

File CVE-2022-48339.patch of Package emacs.37474

From 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.

* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability.  (Bug#60295)

(cherry picked from commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c)
---
 lisp/htmlfontify.el |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- lisp/htmlfontify.el
+++ lisp/htmlfontify.el	2023-02-21 09:29:25.659392628 +0000
@@ -1898,7 +1898,7 @@ Hardly bombproof, but good enough in the
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))
openSUSE Build Service is sponsored by
Places