Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package emacs24. This upload is intended to fix the openssl s_client issue (#766397: the default TLS command list fell back to `openssl s_client`, which, as the changelog quotes, ignores TLS errors and does not set up a secure connection), and to address intermittent build failures that may be related to the -no-pie/-nopie issue (#841551) already addressed in emacs25.
diff -Nru emacs24-24.5+1/debian/.git-dpm emacs24-24.5+1/debian/.git-dpm
--- emacs24-24.5+1/debian/.git-dpm 2017-04-10 18:30:21.000000000 -0500
+++ emacs24-24.5+1/debian/.git-dpm 2017-04-22 12:32:14.000000000 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-d715dfdb5101dfbd1a83b2958ced6f3bd757ab92
-d715dfdb5101dfbd1a83b2958ced6f3bd757ab92
+088b2e039897fcf9e2eea00f580a2c5d87eba781
+088b2e039897fcf9e2eea00f580a2c5d87eba781
 62bc68f777c532a970566625e315d68bf0ab4eee
 62bc68f777c532a970566625e315d68bf0ab4eee
 emacs24_24.5+1.orig.tar.bz2
diff -Nru emacs24-24.5+1/debian/changelog emacs24-24.5+1/debian/changelog
--- emacs24-24.5+1/debian/changelog 2017-04-16 10:07:37.000000000 -0500
+++ emacs24-24.5+1/debian/changelog 2017-04-22 12:33:05.000000000 -0500
@@ -1,3 +1,22 @@ +emacs24 (24.5+1-10) unstable; urgency=medium + + * Don't segfault if gcc expects -nopie instead of -no-pie. + Add 0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch, a + backport from emacs25 (that closed #841551) to fix the problem. + Thanks to Lucas Nussbaum and Aaron M. Ucko for reporting the + problem, and Sven Joachim for tracking down the upstream patch. + + * Don't offer/use openssl s_client by default: "s_client is a debug + tool, it does not set up a secure connection, it ignores all + errors and just continues. It also doesn't do checks it should be + doing. This is all documented behaviour." -- Kurt Roeckx + Add these patches to fix the problem: + 0028-IMAP-connections-no-longer-use-openssl-s_client.patch + 0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch + Thanks to Kurt Roeckx for reporting the issue. (Closes: #766397) + + -- Rob Browning <r...@defaultvalue.org> Sat, 22 Apr 2017 12:33:05 -0500 + emacs24 (24.5+1-9) unstable; urgency=medium * Improve gnutls security. Remove --insecure and specify a trustfile. diff -Nru emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch --- emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch 1969-12-31 18:00:00.000000000 -0600 +++ emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch 2017-04-22 12:32:11.000000000 -0500 
@@ -0,0 +1,56 @@ +From c91f2fca460e04c1d47ec1b5db1ca3b8130b95f8 Mon Sep 17 00:00:00 2001 +From: Paul Eggert <egg...@cs.ucla.edu> +Date: Sun, 16 Oct 2016 16:25:47 -0700 +Subject: Emacs shouldn't segfault when gcc expects -nopie + +This upstream patch has been added: + + Port to Ubuntu 16.10, which needs gcc -nopie + + * configure.ac (emacs_cv_prog_cc_no_pie): Rename from + emacs_cv_prog_cc_nopie. All usages changed. Check for -no-pie in + preference to -nopie (Bug#24682). Backport from master. + +Origin: upstream, commit: 99892eeec8990884ef38601f14038ec6dc227741 +Bug: https://debbugs.gnu.org/24682 +Bug-Debian: https://bugs.debian.org/841551 +--- + configure.ac | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 18387d84ec5..222b195a828 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4918,6 +4918,31 @@ case "$opsys" in + *) LD_SWITCH_SYSTEM_TEMACS= ;; + esac + ++# -no-pie or -nopie fixes a temacs segfault on Gentoo, OpenBSD, ++# Ubuntu, and other systems with "hardened" GCC configurations for ++# some reason (Bug#18784). We don't know why this works, but not ++# segfaulting is better than segfaulting. Use ac_c_werror_flag=yes ++# when trying the option, otherwise clang keeps warning that it does ++# not understand it, and pre-4.6 GCC has a similar problem ++# (Bug#20338). Prefer -no-pie to -nopie, as -no-pie is the ++# spelling used by GCC 6.1.0 and later (Bug#24682). 
++AC_CACHE_CHECK( ++ [for $CC option to disable position independent executables], ++ [emacs_cv_prog_cc_no_pie], ++ [emacs_save_c_werror_flag=$ac_c_werror_flag ++ emacs_save_LDFLAGS=$LDFLAGS ++ ac_c_werror_flag=yes ++ for emacs_cv_prog_cc_no_pie in -no-pie -nopie no; do ++ test $emacs_cv_prog_cc_no_pie = no && break ++ LDFLAGS="$emacs_save_LDFLAGS $emacs_cv_prog_cc_no_pie" ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [break]) ++ done ++ ac_c_werror_flag=$emacs_save_c_werror_flag ++ LDFLAGS=$emacs_save_LDFLAGS]) ++if test "$emacs_cv_prog_cc_no_pie" != no; then ++ LD_SWITCH_SYSTEM_TEMACS="$LD_SWITCH_SYSTEM_TEMACS $emacs_cv_prog_cc_no_pie" ++fi ++ + if test x$ac_enable_profiling != x ; then + case $opsys in + *freebsd | gnu-linux) ;; diff -Nru emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch --- emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch 1969-12-31 18:00:00.000000000 -0600 +++ emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch 2017-04-22 12:32:14.000000000 -0500 
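Review bot: The added configure check disables PIE for temacs whenever the linker accepts `-no-pie` or `-nopie`, and on a PIE-by-default toolchain (the "hardened" GCC configurations the upstream comment itself mentions, which I believe includes the stretch gcc) that means the executable is no longer randomized by ASLR — the comment block only says "not segfaulting is better than segfaulting" and never records that hardening trade-off. Since the flag goes into `LD_SWITCH_SYSTEM_TEMACS`, the final dumped emacs is affected as well as the build-time temacs, as far as I understand the dump process. I would add one line to the comment block, e.g. `# NOTE: this also drops ASLR for the resulting executable on PIE-by-default toolchains; a deliberate hardening trade-off, revisit if the dumper ever tolerates PIE.`, so the trade-off is on record for the Debian changelog and any later security review. The `if test x$ac_enable_profiling` case at the end of the hunk continues outside it.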
@@ -0,0 +1,136 @@ +From 3a79c1cf4e45ac6e160e31d7fe4b18d9b500583e Mon Sep 17 00:00:00 2001 +From: Lars Ingebrigtsen <la...@gnus.org> +Date: Sat, 26 Dec 2015 21:45:51 +0100 +Subject: IMAP connections no longer use openssl s_client + +`imap-ssl-program' has been removed, and imap.el uses the internal +GnuTLS encryption functions if possible. + +Accomplished by incorporating this upstream patch: + + Use built-in encryption in imap.el + + * lisp/net/imap.el (imap-ssl-program): Remove (bug#21134). + (imap-starttls-open): Use open-network-stream instead of starttls.el. + (imap-tls-open): Use open-network-stream instead of tls.el. + +Origin: backport, commit:a2158f6c9af62f11533b2086596b755781d2e34f +Bug: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21134 +Bug-Debian: https://bugs.debian.org/766397 +Forwarded: not-needed +--- + lisp/net/imap.el | 63 ++++++++++++++++---------------------------------------- + 1 file changed, 18 insertions(+), 45 deletions(-) + +diff --git a/lisp/net/imap.el b/lisp/net/imap.el +index 3e5982398fd..b9a66871926 100644 +--- a/lisp/net/imap.el ++++ b/lisp/net/imap.el +@@ -74,8 +74,7 @@ + ;; imap.el supports RFC1730/2060/RFC3501 (IMAP4/IMAP4rev1). The implemented + ;; IMAP extensions are RFC2195 (CRAM-MD5), RFC2086 (ACL), RFC2342 + ;; (NAMESPACE), RFC2359 (UIDPLUS), the IMAP-part of RFC2595 (STARTTLS, +-;; LOGINDISABLED) (with use of external library starttls.el and +-;; program starttls), and the GSSAPI / Kerberos V4 sections of RFC1731 ++;; LOGINDISABLED), and the GSSAPI / Kerberos V4 sections of RFC1731 + ;; (with use of external program `imtest'), and RFC2971 (ID). It also + ;; takes advantage of the UNSELECT extension in Cyrus IMAPD. + ;; +@@ -140,8 +139,6 @@ + (eval-and-compile + ;; For Emacs <22.2 and XEmacs. 
+ (unless (fboundp 'declare-function) (defmacro declare-function (&rest _r))) +- (autoload 'starttls-open-stream "starttls") +- (autoload 'starttls-negotiate "starttls") + (autoload 'sasl-find-mechanism "sasl") + (autoload 'digest-md5-parse-digest-challenge "digest-md5") + (autoload 'digest-md5-digest-response "digest-md5") +@@ -151,8 +148,7 @@ + (autoload 'utf7-encode "utf7") + (autoload 'utf7-decode "utf7") + (autoload 'format-spec "format-spec") +- (autoload 'format-spec-make "format-spec") +- (autoload 'open-tls-stream "tls")) ++ (autoload 'format-spec-make "format-spec")) + + ;; User variables. + +@@ -184,19 +180,6 @@ the list is tried until a successful connection is made." + :group 'imap + :type '(repeat string)) + +-(defcustom imap-ssl-program '("openssl s_client -quiet -ssl3 -connect %s:%p" +- "openssl s_client -quiet -ssl2 -connect %s:%p" +- "s_client -quiet -ssl3 -connect %s:%p" +- "s_client -quiet -ssl2 -connect %s:%p") +- "A string, or list of strings, containing commands for SSL connections. +-Within a string, %s is replaced with the server address and %p with +-port number on server. The program should accept IMAP commands on +-stdin and return responses to stdout. Each entry in the list is tried +-until a successful connection is made." +- :group 'imap +- :type '(choice string +- (repeat string))) +- + (defcustom imap-shell-program '("ssh %s imapd" + "rsh %s imapd" + "ssh %g ssh %s imapd" +@@ -718,7 +701,8 @@ sure of changing the value of `foo'." + (let* ((port (or port imap-default-tls-port)) + (coding-system-for-read imap-coding-system-for-read) + (coding-system-for-write imap-coding-system-for-write) +- (process (open-tls-stream name buffer server port))) ++ (process (open-network-stream name buffer server port ++ :type 'tls))) + (when process + (while (and (memq (process-status process) '(open run)) + ;; FIXME: Per the "blue moon" comment, the process/buffer +@@ -803,34 +787,23 @@ sure of changing the value of `foo'." 
+ (imap-capability 'STARTTLS buffer)) + + (defun imap-starttls-open (name buffer server port) ++ (message "imap: Connecting with STARTTLS...") + (let* ((port (or port imap-default-port)) + (coding-system-for-read imap-coding-system-for-read) + (coding-system-for-write imap-coding-system-for-write) +- (process (starttls-open-stream name buffer server port)) +- done tls-info) +- (message "imap: Connecting with STARTTLS...") +- (when process +- (while (and (memq (process-status process) '(open run)) +- (set-buffer buffer) ;; XXX "blue moon" nntp.el bug +- (goto-char (point-max)) +- (forward-line -1) +- (not (imap-parse-greeting))) +- (accept-process-output process 1) +- (sit-for 1)) +- (imap-send-command "STARTTLS") +- (while (and (memq (process-status process) '(open run)) +- (set-buffer buffer) ;; XXX "blue moon" nntp.el bug +- (goto-char (point-max)) +- (forward-line -1) +- (not (re-search-forward "[0-9]+ OK.*\r?\n" nil t))) +- (accept-process-output process 1) +- (sit-for 1)) +- (imap-log buffer) +- (when (and (setq tls-info (starttls-negotiate process)) +- (memq (process-status process) '(open run))) +- (setq done process))) +- (if (stringp tls-info) +- (message "imap: STARTTLS info: %s" tls-info)) ++ (process (open-network-stream ++ name buffer server port ++ :type 'starttls ++ :capability-command "1 CAPABILITY\r\n" ++ :always-query-capabilities t ++ :end-of-command "\r\n" ++ :success " OK " ++ :starttls-function ++ (lambda (capabilities) ++ (when (string-match-p "STARTTLS" capabilities) ++ "1 STARTTLS\r\n")))) ++ (done (and process ++ (memq (process-status process) '(open run))))) + (message "imap: Connecting with STARTTLS...%s" (if done "done" "failed")) + done)) + diff -Nru emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch --- emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch 
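Review bot: `imap-tls-open` now goes through `open-network-stream ... :type 'tls`, but in Emacs 24 the built-in GnuTLS path only makes certificate failures fatal when `gnutls-verify-error` is non-nil, and as far as I recall its default in 24.5 is nil, so an unknown-CA or mismatched certificate is still accepted (with at most a warning) unless the user has set that variable; dropping `openssl s_client` is necessary but does not by itself deliver verified IMAP connections, and the changelog or the imap.el header comment should say so. I would put `;; NOTE: certificate validation depends on `gnutls-verify-error'; nil (the default) only warns.` on the `open-network-stream` call. It is also worth confirming that `:type 'starttls` in `imap-starttls-open` signals an error rather than falling back to plaintext when the server does not advertise STARTTLS — as I read network-stream.el it does, whereas `'network` would be opportunistic, and a one-line comment recording that would help the next reader. The `@@ -718,7 +701,8 @@` hunk starts inside `imap-tls-open`, whose beginning is outside the visible context.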
1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch 2017-04-22 12:32:14.000000000 -0500
@@ -0,0 +1,62 @@ +From 088b2e039897fcf9e2eea00f580a2c5d87eba781 Mon Sep 17 00:00:00 2001 +From: Rob Browning <r...@defaultvalue.org> +Date: Sat, 22 Apr 2017 12:02:00 -0500 +Subject: openssl s_client is no longer a default for ssl connections + +"s_client is a debug tool, it does not set up a secure connection, it +ignores all errors and just continues. It also doesn't do checks it +should be doing. This is all documented behaviour." -- Kurt Roeckx + +Bug-Debian: https://bugs.debian.org/766397 +--- + lisp/net/tls.el | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/lisp/net/tls.el b/lisp/net/tls.el +index 68a3ff6ae0a..287de40fa8d 100644 +--- a/lisp/net/tls.el ++++ b/lisp/net/tls.el +@@ -78,8 +78,7 @@ and `gnutls-cli' (version 2.0.1) output." + + (defcustom tls-program + '("gnutls-cli --x509cafile %t -p %p %h" +- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3" +- "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") ++ "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3") + "List of strings containing commands to start TLS stream to a host. + Each entry in the list is tried until a connection is successful. + %h is replaced with server hostname, %p with port to connect to. +@@ -93,20 +92,17 @@ successful negotiation." + '(choice + (const :tag "Default list of commands" + ("gnutls-cli --x509cafile %t -p %p %h" +- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3" +- "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof")) ++ "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")) + (list :tag "Choose commands" + :value + ("gnutls-cli --x509cafile %t -p %p %h" +- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3" +- "openssl s_client -connect %h:%p -no_ssl2 -ign_eof") ++ "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3") + (set :inline t + ;; FIXME: add brief `:tag "..."' descriptions. 
+ ;; (repeat :inline t :tag "Other" (string)) + ;; No trust check: + (const "gnutls-cli --insecure -p %p %h") +- (const "gnutls-cli --insecure -p %p %h --protocols ssl3") +- (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")) ++ (const "gnutls-cli --insecure -p %p %h --protocols ssl3")) + (repeat :inline t :tag "Other" (string))) + (list :tag "List of commands" + (repeat :tag "Command" (string)))) +@@ -137,8 +133,7 @@ consider trustworthy, e.g.: + + \(setq tls-program + '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\" +- \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\" +- \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))" ++ \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"))" + :type '(choice (const :tag "Always" t) + (const :tag "Never" nil) + (const :tag "Ask" ask)) diff -Nru emacs24-24.5+1/debian/patches/series emacs24-24.5+1/debian/patches/series --- emacs24-24.5+1/debian/patches/series 2017-04-10 18:30:21.000000000 -0500 +++ emacs24-24.5+1/debian/patches/series 2017-04-22 12:32:14.000000000 -0500 @@ -24,3 +24,6 @@ 0024-Remove-insecure-from-gnutls-cli-invocation.patch 0025-Refactor-out-gnutls-trustfiles.patch 0026-Make-tls.el-use-trustfiles-by-default.patch +0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch +0028-IMAP-connections-no-longer-use-openssl-s_client.patch +0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch
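Review bot: The default `tls-program` list still keeps `gnutls-cli --x509cafile %t -p %p %h --protocols ssl3` as a second entry that, per the docstring, is "tried until a connection is successful", so anything that makes the first invocation fail — including an attacker simply dropping the first connection — downgrades the session to SSLv3, which is broken (POODLE) and disabled by default in recent GnuTLS; current gnutls-cli also treats `--protocols` as deprecated in favour of `--priority`, so I am not sure that entry even negotiates anymore. Removing openssl is the right move, but I would trim the default to `'("gnutls-cli --x509cafile %t -p %p %h")` (and the matching widget constant and docstring example) in the same patch, or at least state in the changelog that the ssl3 fallback is kept deliberately. The `--insecure` entries remain only as explicit opt-in choices in the widget's `set`, which is fine as long as the "No trust check" label stays next to them.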
unblock emacs24/24.5+1-10 Thanks -- Rob Browning rlb @defaultvalue.org and @debian.org GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4