commit: 07eb79ff7ef6b0637f89ed0cb9c69579e57878d1 Author: Ulrich Müller <ulm <AT> gentoo <DOT> org> AuthorDate: Fri May 9 06:04:09 2014 +0000 Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org> CommitDate: Fri May 9 06:04:09 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/emacs-tools.git;a=commit;h=07eb79ff
Upstream patch for browse-url, bug 509830. --- emacs/23.4/18_all_browse-url-no-mosaic.patch | 124 --------------------------- emacs/23.4/18_all_browse-url-tmpfile.patch | 59 +++++++++++++ emacs/24.3/07_all_browse-url-no-mosaic.patch | 124 --------------------------- emacs/24.3/07_all_browse-url-tmpfile.patch | 59 +++++++++++++ 4 files changed, 118 insertions(+), 248 deletions(-) diff --git a/emacs/23.4/18_all_browse-url-no-mosaic.patch b/emacs/23.4/18_all_browse-url-no-mosaic.patch deleted file mode 100644 index b6a8152..0000000 --- a/emacs/23.4/18_all_browse-url-no-mosaic.patch +++ /dev/null @@ -1,124 +0,0 @@ -Fix insecure use of temporary files. -Gentoo patch: Remove obsolete browse-url-mosaic function completely. -https://bugs.gentoo.org/509830 -CVE-2014-3423 - ---- emacs-23.4-orig/lisp/net/browse-url.el -+++ emacs-23.4/lisp/net/browse-url.el -@@ -40,7 +40,6 @@ - ;; browse-url-galeon Galeon Don't know - ;; browse-url-epiphany Epiphany Don't know - ;; browse-url-netscape Netscape 1.1b1 --;; browse-url-mosaic XMosaic/mMosaic <= 2.4 - ;; browse-url-cci XMosaic 2.5 - ;; browse-url-w3 w3 0 - ;; browse-url-w3-gnudoit w3 remotely -@@ -82,11 +81,7 @@ - ;; include Chimera <URL:ftp://ftp.cs.unlv.edu/pub/chimera> and - ;; <URL:http://www.unlv.edu/chimera/>, Arena - ;; <URL:ftp://ftp.yggdrasil.com/pub/dist/web/arena> and Amaya --;; <URL:ftp://ftp.w3.org/pub/amaya>. mMosaic --;; <URL:ftp://ftp.enst.fr/pub/mbone/mMosaic/>, --;; <URL:http://www.enst.fr/~dauphin/mMosaic/> (with development --;; support for Java applets and multicast) can be used like Mosaic by --;; setting `browse-url-mosaic-program' appropriately. -+;; <URL:ftp://ftp.w3.org/pub/amaya>. - - ;; I [Denis Howe, not Dave Love] recommend Nelson Minar - ;; <nel...@santafe.edu>'s excellent html-helper-mode.el for editing -@@ -242,7 +237,6 @@ - (function-item :tag "Galeon" :value browse-url-galeon) - (function-item :tag "Epiphany" :value browse-url-epiphany) - (function-item :tag "Netscape" :value browse-url-netscape) -- (function-item :tag "Mosaic" :value browse-url-mosaic) - (function-item :tag "Mosaic using CCI" :value browse-url-cci) - (function-item :tag "Text browser in an xterm window" - :value browse-url-text-xterm) -@@ -421,22 +415,6 @@ - :type 'boolean - :group 'browse-url) - --(defcustom browse-url-mosaic-program "xmosaic" -- "The name by which to invoke Mosaic (or mMosaic)." -- :type 'string -- :version "20.3" -- :group 'browse-url) -- --(defcustom browse-url-mosaic-arguments nil -- "A list of strings to pass to Mosaic as arguments." -- :type '(repeat (string :tag "Argument")) -- :group 'browse-url) -- --(defcustom browse-url-mosaic-pidfile "~/.mosaicpid" -- "The name of the pidfile created by Mosaic." -- :type 'string -- :group 'browse-url) -- - (defcustom browse-url-filename-alist - `(("^/\\(ftp@\\|anonymous@\\)?\\([^:]+\\):/*" . "ftp://\\2/";) - ;; The above loses the username to avoid the browser prompting for -@@ -895,7 +873,6 @@ - ((executable-find browse-url-galeon-program) 'browse-url-galeon) - ((executable-find browse-url-kde-program) 'browse-url-kde) - ((executable-find browse-url-netscape-program) 'browse-url-netscape) -- ((executable-find browse-url-mosaic-program) 'browse-url-mosaic) - ((executable-find browse-url-xterm-program) 'browse-url-text-xterm) - ((locate-library "w3") 'browse-url-w3) - (t -@@ -1212,56 +1189,6 @@ - '("--newwin")) - (list "--raise" url)))) - --;; --- Mosaic --- -- --;;;###autoload --(defun browse-url-mosaic (url &optional new-window) -- "Ask the XMosaic WWW browser to load URL. -- --Default to the URL around or before point. The strings in variable --`browse-url-mosaic-arguments' are also passed to Mosaic and the --program is invoked according to the variable --`browse-url-mosaic-program'. -- --When called interactively, if variable `browse-url-new-window-flag' is --non-nil, load the document in a new Mosaic window, otherwise use a --random existing one. A non-nil interactive prefix argument reverses --the effect of `browse-url-new-window-flag'. -- --When called non-interactively, optional second argument NEW-WINDOW is --used instead of `browse-url-new-window-flag'." -- (interactive (browse-url-interactive-arg "Mosaic URL: ")) -- (let ((pidfile (expand-file-name browse-url-mosaic-pidfile)) -- pid) -- (if (file-readable-p pidfile) -- (save-excursion -- (find-file pidfile) -- (goto-char (point-min)) -- (setq pid (read (current-buffer))) -- (kill-buffer nil))) -- (if (and pid (zerop (signal-process pid 0))) ; Mosaic running -- (save-excursion -- (find-file (format "/tmp/Mosaic.%d" pid)) -- (erase-buffer) -- (insert (if (browse-url-maybe-new-window new-window) -- "newwin\n" -- "goto\n") -- url "\n") -- (save-buffer) -- (kill-buffer nil) -- ;; Send signal SIGUSR to Mosaic -- (message "Signaling Mosaic...") -- (signal-process pid 'SIGUSR1) -- ;; Or you could try: -- ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid)) -- (message "Signaling Mosaic...done") -- ) -- ;; Mosaic not running - start it -- (message "Starting %s..." browse-url-mosaic-program) -- (apply 'start-process "xmosaic" nil browse-url-mosaic-program -- (append browse-url-mosaic-arguments (list url))) -- (message "Starting %s...done" browse-url-mosaic-program)))) -- - ;; --- Mosaic using CCI --- - - ;;;###autoload diff --git a/emacs/23.4/18_all_browse-url-tmpfile.patch b/emacs/23.4/18_all_browse-url-tmpfile.patch new file mode 100644 index 0000000..ea62328 --- /dev/null +++ b/emacs/23.4/18_all_browse-url-tmpfile.patch @@ -0,0 +1,59 @@ +Fix insecure use of temporary files. +Patch from upstream bzr, backported to Emacs 23.4. +https://bugs.gentoo.org/509830 +CVE-2014-3423 + +revno: 117087 +fixes bug: http://debbugs.gnu.org/17428 +committer: Glenn Morris <r...@gnu.org> +branch nick: emacs-24 +timestamp: Thu 2014-05-08 14:10:36 -0400 +message: + * browse-url.el (browse-url-mosaic): Be careful when writing /tmp/Mosaic.PID. + +--- emacs-23.4-orig/lisp/net/browse-url.el ++++ emacs-23.4/lisp/net/browse-url.el +@@ -1234,28 +1234,26 @@ + (let ((pidfile (expand-file-name browse-url-mosaic-pidfile)) + pid) + (if (file-readable-p pidfile) +- (save-excursion +- (find-file pidfile) +- (goto-char (point-min)) +- (setq pid (read (current-buffer))) +- (kill-buffer nil))) +- (if (and pid (zerop (signal-process pid 0))) ; Mosaic running +- (save-excursion +- (find-file (format "/tmp/Mosaic.%d" pid)) +- (erase-buffer) +- (insert (if (browse-url-maybe-new-window new-window) +- "newwin\n" +- "goto\n") +- url "\n") +- (save-buffer) +- (kill-buffer nil) ++ (with-temp-buffer ++ (insert-file-contents pidfile) ++ (setq pid (read (current-buffer))))) ++ (if (and (integerp pid) (zerop (signal-process pid 0))) ; Mosaic running ++ (progn ++ (with-temp-buffer ++ (insert (if (browse-url-maybe-new-window new-window) ++ "newwin\n" ++ "goto\n") ++ url "\n") ++ (if (file-exists-p (setq pidfile (format "/tmp/Mosaic.%d" pid))) ++ (delete-file pidfile)) ++ ;; http://debbugs.gnu.org/17428. Use O_EXCL. ++ (write-region nil nil pidfile nil 'silent nil 'excl)) + ;; Send signal SIGUSR to Mosaic + (message "Signaling Mosaic...") + (signal-process pid 'SIGUSR1) + ;; Or you could try: + ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid)) +- (message "Signaling Mosaic...done") +- ) ++ (message "Signaling Mosaic...done")) + ;; Mosaic not running - start it + (message "Starting %s..." browse-url-mosaic-program) + (apply 'start-process "xmosaic" nil browse-url-mosaic-program diff --git a/emacs/24.3/07_all_browse-url-no-mosaic.patch b/emacs/24.3/07_all_browse-url-no-mosaic.patch deleted file mode 100644 index 3ccab76..0000000 --- a/emacs/24.3/07_all_browse-url-no-mosaic.patch +++ /dev/null @@ -1,124 +0,0 @@ -Fix insecure use of temporary files. -Gentoo patch: Remove obsolete browse-url-mosaic function completely. -https://bugs.gentoo.org/509830 -CVE-2014-3423 - ---- emacs-24.3-orig/lisp/net/browse-url.el -+++ emacs-24.3/lisp/net/browse-url.el -@@ -40,7 +40,6 @@ - ;; browse-url-galeon Galeon Don't know - ;; browse-url-epiphany Epiphany Don't know - ;; browse-url-netscape Netscape 1.1b1 --;; browse-url-mosaic XMosaic/mMosaic <= 2.4 - ;; browse-url-cci XMosaic 2.5 - ;; browse-url-w3 w3 0 - ;; browse-url-w3-gnudoit w3 remotely -@@ -83,11 +82,7 @@ - ;; include Chimera <URL:ftp://ftp.cs.unlv.edu/pub/chimera> and - ;; <URL:http://www.unlv.edu/chimera/>, Arena - ;; <URL:ftp://ftp.yggdrasil.com/pub/dist/web/arena> and Amaya --;; <URL:ftp://ftp.w3.org/pub/amaya>. mMosaic --;; <URL:ftp://ftp.enst.fr/pub/mbone/mMosaic/>, --;; <URL:http://www.enst.fr/~dauphin/mMosaic/> (with development --;; support for Java applets and multicast) can be used like Mosaic by --;; setting `browse-url-mosaic-program' appropriately. -+;; <URL:ftp://ftp.w3.org/pub/amaya>. - - ;; I [Denis Howe, not Dave Love] recommend Nelson Minar - ;; <nel...@santafe.edu>'s excellent html-helper-mode.el for editing -@@ -233,7 +228,6 @@ - (function-item :tag "Galeon" :value browse-url-galeon) - (function-item :tag "Epiphany" :value browse-url-epiphany) - (function-item :tag "Netscape" :value browse-url-netscape) -- (function-item :tag "Mosaic" :value browse-url-mosaic) - (function-item :tag "Mosaic using CCI" :value browse-url-cci) - (function-item :tag "Text browser in an xterm window" - :value browse-url-text-xterm) -@@ -442,22 +436,6 @@ - :type 'boolean - :group 'browse-url) - --(defcustom browse-url-mosaic-program "xmosaic" -- "The name by which to invoke Mosaic (or mMosaic)." -- :type 'string -- :version "20.3" -- :group 'browse-url) -- --(defcustom browse-url-mosaic-arguments nil -- "A list of strings to pass to Mosaic as arguments." -- :type '(repeat (string :tag "Argument")) -- :group 'browse-url) -- --(defcustom browse-url-mosaic-pidfile "~/.mosaicpid" -- "The name of the pidfile created by Mosaic." -- :type 'string -- :group 'browse-url) -- - (defcustom browse-url-filename-alist - `(("^/\\(ftp@\\|anonymous@\\)?\\([^:]+\\):/*" . "ftp://\\2/";) - ;; The above loses the username to avoid the browser prompting for -@@ -927,7 +905,6 @@ - ((executable-find browse-url-galeon-program) 'browse-url-galeon) - ((executable-find browse-url-kde-program) 'browse-url-kde) - ((executable-find browse-url-netscape-program) 'browse-url-netscape) -- ((executable-find browse-url-mosaic-program) 'browse-url-mosaic) - ((executable-find browse-url-xterm-program) 'browse-url-text-xterm) - ((locate-library "w3") 'browse-url-w3) - (t -@@ -1306,56 +1283,6 @@ - '("--newwin")) - (list "--raise" url)))) - --;; --- Mosaic --- -- --;;;###autoload --(defun browse-url-mosaic (url &optional new-window) -- "Ask the XMosaic WWW browser to load URL. -- --Default to the URL around or before point. The strings in variable --`browse-url-mosaic-arguments' are also passed to Mosaic and the --program is invoked according to the variable --`browse-url-mosaic-program'. -- --When called interactively, if variable `browse-url-new-window-flag' is --non-nil, load the document in a new Mosaic window, otherwise use a --random existing one. A non-nil interactive prefix argument reverses --the effect of `browse-url-new-window-flag'. -- --When called non-interactively, optional second argument NEW-WINDOW is --used instead of `browse-url-new-window-flag'." -- (interactive (browse-url-interactive-arg "Mosaic URL: ")) -- (let ((pidfile (expand-file-name browse-url-mosaic-pidfile)) -- pid) -- (if (file-readable-p pidfile) -- (save-excursion -- (find-file pidfile) -- (goto-char (point-min)) -- (setq pid (read (current-buffer))) -- (kill-buffer nil))) -- (if (and pid (zerop (signal-process pid 0))) ; Mosaic running -- (save-excursion -- (find-file (format "/tmp/Mosaic.%d" pid)) -- (erase-buffer) -- (insert (if (browse-url-maybe-new-window new-window) -- "newwin\n" -- "goto\n") -- url "\n") -- (save-buffer) -- (kill-buffer nil) -- ;; Send signal SIGUSR to Mosaic -- (message "Signaling Mosaic...") -- (signal-process pid 'SIGUSR1) -- ;; Or you could try: -- ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid)) -- (message "Signaling Mosaic...done") -- ) -- ;; Mosaic not running - start it -- (message "Starting %s..." browse-url-mosaic-program) -- (apply 'start-process "xmosaic" nil browse-url-mosaic-program -- (append browse-url-mosaic-arguments (list url))) -- (message "Starting %s...done" browse-url-mosaic-program)))) -- - ;; --- Mosaic using CCI --- - - ;;;###autoload diff --git a/emacs/24.3/07_all_browse-url-tmpfile.patch b/emacs/24.3/07_all_browse-url-tmpfile.patch new file mode 100644 index 0000000..b0a0fe4 --- /dev/null +++ b/emacs/24.3/07_all_browse-url-tmpfile.patch @@ -0,0 +1,59 @@ +Fix insecure use of temporary files. +Patch from upstream bzr, backported to Emacs 24.3. +https://bugs.gentoo.org/509830 +CVE-2014-3423 + +revno: 117087 +fixes bug: http://debbugs.gnu.org/17428 +committer: Glenn Morris <r...@gnu.org> +branch nick: emacs-24 +timestamp: Thu 2014-05-08 14:10:36 -0400 +message: + * browse-url.el (browse-url-mosaic): Be careful when writing /tmp/Mosaic.PID. + +--- emacs-24.3-orig/lisp/net/browse-url.el ++++ emacs-24.3/lisp/net/browse-url.el +@@ -1328,28 +1328,26 @@ + (let ((pidfile (expand-file-name browse-url-mosaic-pidfile)) + pid) + (if (file-readable-p pidfile) +- (save-excursion +- (find-file pidfile) +- (goto-char (point-min)) +- (setq pid (read (current-buffer))) +- (kill-buffer nil))) +- (if (and pid (zerop (signal-process pid 0))) ; Mosaic running +- (save-excursion +- (find-file (format "/tmp/Mosaic.%d" pid)) +- (erase-buffer) +- (insert (if (browse-url-maybe-new-window new-window) +- "newwin\n" +- "goto\n") +- url "\n") +- (save-buffer) +- (kill-buffer nil) ++ (with-temp-buffer ++ (insert-file-contents pidfile) ++ (setq pid (read (current-buffer))))) ++ (if (and (integerp pid) (zerop (signal-process pid 0))) ; Mosaic running ++ (progn ++ (with-temp-buffer ++ (insert (if (browse-url-maybe-new-window new-window) ++ "newwin\n" ++ "goto\n") ++ url "\n") ++ (if (file-exists-p (setq pidfile (format "/tmp/Mosaic.%d" pid))) ++ (delete-file pidfile)) ++ ;; http://debbugs.gnu.org/17428. Use O_EXCL. ++ (write-region nil nil pidfile nil 'silent nil 'excl)) + ;; Send signal SIGUSR to Mosaic + (message "Signaling Mosaic...") + (signal-process pid 'SIGUSR1) + ;; Or you could try: + ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid)) +- (message "Signaling Mosaic...done") +- ) ++ (message "Signaling Mosaic...done")) + ;; Mosaic not running - start it + (message "Starting %s..." browse-url-mosaic-program) + (apply 'start-process "xmosaic" nil browse-url-mosaic-program
