From 804d032685d4c69a0030b81cff9dc646b3b44991 Mon Sep 17 00:00:00 2001 From: Ihor Radchenko Date: Sun, 7 Jan 2024 12:25:20 +0100 Subject: [PATCH 1/2] Update version number for the 9.6.16 release --- lisp/org.el | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lisp/org.el b/lisp/org.el index 3075729d0..2b3cf275b 100644 --- a/lisp/org.el +++ b/lisp/org.el @@ -9,7 +9,7 @@ ;; URL: https://orgmode.org ;; Package-Requires: ((emacs "26.1")) -;; Version: 9.6.15 +;; Version: 9.6.16 ;; This file is part of GNU Emacs. ;; From bc3caa8f90d215e63852d5795a1c0209a6d20cc8 Mon Sep 17 00:00:00 2001 From: Ihor Radchenko Date: Thu, 11 Jan 2024 13:04:23 +0100 Subject: [PATCH 2/2] org-man-open: Fix shell expansion vulnerability (Emacs bug#66390) * lisp/ol-man.el (org-man-open): Work around Emacs bug#66390. Implement fix on org side before Emacs commit that fixes the bug. Link: https://yhetil.org/emacs-bugs/CADwFkmnTMsOM+z0x8FGPGguMtoD9hLrNt9YfbaJ08KPNKW3EbQ@mail.gmail.com/ --- lisp/ol-man.el | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/lisp/ol-man.el b/lisp/ol-man.el index b6cada1b3..d801f59d8 100644 --- a/lisp/ol-man.el +++ b/lisp/ol-man.el 
@@ -39,13 +39,27 @@ :group 'org-link :type '(choice (const man) (const woman))) +(declare-function Man-translate-references "man" (ref)) (defun org-man-open (path _) "Visit the manpage on PATH. PATH should be a topic that can be thrown at the man command. If PATH contains extra ::STRING which will use `occur' to search matched strings in man buffer." + (require 'man) ; For `Man-translate-references' (string-match "\\(.*?\\)\\(?:::\\(.*\\)\\)?$" path) (let* ((command (match-string 1 path)) + ;; FIXME: Remove after we drop Emacs 29 support. + ;; Working around security bug #66390. + (command (if (org-man-store-link (equal (Man-translate-references ";id") "\\;id")) + ;; We are on Emacs that properly escapes man + ;; command args (see Emacs commit 820f0793f0b). + command + ;; Older Emacs without the fix - escape the + ;; arguments ourselves. + (mapconcat 'identity + (mapcar #'shell-quote-argument + (split-string command "\\s-+")) + " "))) (search (match-string 2 path)) (buffer (funcall org-man-command command))) (when search
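Review bot: The condition of the new `command` binding hands the escaping probe to `org-man-store-link` instead of testing it, so whether the `shell-quote-argument` fallback runs depends on that function's return value rather than on the Emacs behaviour being probed; its definition is outside the hunk, but a link-storing function is presumably not a predicate and may signal on an unexpected argument. The test should read `(command (if (equal (Man-translate-references ";id") "\\;id")`. In the fallback, `(split-string command "\\s-+")` keeps empty strings for leading or trailing whitespace, which are then quoted as empty arguments; `(split-string command "\\s-+" t)` drops them. The quoting is also applied when `org-man-command` is `woman`, which presumably does not pass the topic through a shell, so a guard such as `(eq org-man-command 'man)` or a comment would make the scope of the workaround explicit. The body of `org-man-open` continues past the end of the hunk.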