- Add patch to fix RHBZ #578272 - security vulnerability with movemail
(CVE-2010-0825) - Use standard %patch macro to apply all patches to silence rpmlint warnings - Remove unnecessary buildroot tag - Remove explicit dependency on librsvg2 (but keep BuildRequires for librsvg2-devel) - Add properly versioned Provides for emacs(bin) - Remove long unneeded Obsoletes for emacs-leim - Fix summary for emacs-el - Use out of tree builds so that we can build multiple versions in the %build section - Remove checks for old version of Emacs in posttrans
parent
d34a4e6dd2
commit
94063cf9fb
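--- a/emacs-23.1-movemail.patch
+++ b/emacs-23.1-movemail.patch
@@ -0,0 +1,100 @@
+diff -up emacs-23.1/lib-src/movemail.c.movemail emacs-23.1/lib-src/movemail.c
+--- emacs-23.1/lib-src/movemail.c.movemail 2010-03-31 19:18:05.611899443 +0200
++++ emacs-23.1/lib-src/movemail.c 2010-03-31 19:24:29.738754553 +0200
+@@ -176,7 +176,9 @@ main (argc, argv)
+int nread;
+int status;
+int c, preserve_mail = 0;
+-
++ uid_t real_gid, priv_gid;
++ real_gid = getgid();
++ priv_gid = getegid();
+#ifndef MAIL_USE_SYSTEM_LOCK
+struct stat st;
+long now;
+@@ -247,25 +249,6 @@ main (argc, argv)
+if (*outname == 0)
+fatal ("Destination file name is empty", 0, 0);
+
+- /* Check access to output file. */
+- if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0)
+- pfatal_with_name (outname);
+-
+- /* Also check that outname's directory is writable to the real uid. */
+- {
+- char *buf = (char *) xmalloc (strlen (outname) + 1);
+- char *p;
+- strcpy (buf, outname);
+- p = buf + strlen (buf);
+- while (p > buf && !IS_DIRECTORY_SEP (p[-1]))
+- *--p = 0;
+- if (p == buf)
+- *p++ = '.';
+- if (access (buf, W_OK) != 0)
+- pfatal_with_name (buf);
+- free (buf);
+- }
+-
+#ifdef MAIL_USE_POP
+if (!strncmp (inname, "po:", 3))
+{
+@@ -277,15 +260,11 @@ main (argc, argv)
+exit (status);
+}
+
+- setuid (getuid ());
++ if (setuid (getuid ()) < 0)
++ fatal ("Failed to drop privileges", 0, 0);
+#endif /* MAIL_USE_POP */
+
+#ifndef DISABLE_DIRECT_ACCESS
+-
+- /* Check access to input file. */
+- if (access (inname, R_OK | W_OK) != 0)
+- pfatal_with_name (inname);
+-
+#ifndef MAIL_USE_MMDF
+#ifndef MAIL_USE_SYSTEM_LOCK
+#ifdef MAIL_USE_MAILLOCK
+@@ -379,7 +358,8 @@ main (argc, argv)
+time_t touched_lock, now;
+#endif
+
+- setuid (getuid ());
++ if (setuid (getuid ()) < 0 || setegid (real_gid) < 0)
++ fatal("Failed to drop privileges", 0, 0);
+
+#ifndef MAIL_USE_MMDF
+#ifdef MAIL_USE_SYSTEM_LOCK
+@@ -405,6 +385,9 @@ main (argc, argv)
+if (outdesc < 0)
+pfatal_with_name (outname);
+
++ if (setegid (priv_gid) < 0)
++ fatal("Failed to regain privileges", 0, 0);
++
+/* This label exists so we can retry locking
+after a delay, if it got EAGAIN or EBUSY. */
+retry_lock:
+@@ -502,6 +485,10 @@ main (argc, argv)
+if (close (outdesc) != 0)
+pfatal_and_delete (outname);
+
++ /* Prevent symlink attacks truncating other users' mailboxes */
++ if (setegid (real_gid) < 0)
++ fatal("Failed to drop privileges", 0, 0);
++
+#ifdef MAIL_USE_SYSTEM_LOCK
+if (! preserve_mail)
+{
+@@ -529,6 +516,10 @@ main (argc, argv)
+}
+#endif /* not MAIL_USE_SYSTEM_LOCK */
+
++ /* End of mailbox truncation */
++ if (setegid (priv_gid) < 0)
++ fatal("Failed to regain privileges", 0, 0);
++
+#ifdef MAIL_USE_MAILLOCK
+/* This has to occur in the child, i.e., in the process that
+acquired the lock! */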
110
emacs.spec
@ -4,7 +4,7 @@ Summary: GNU Emacs text editor
Name: emacs
Epoch: 1
Version: 23.1.94
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv3+
URL: http://www.gnu.org/software/emacs/
Group: Applications/Editors
@ -29,7 +29,10 @@ Patch2: po-mode-auto-replace-date-71264.patch
Patch3: rpm-spec-mode-utc.patch
Patch4: emacs-23.1-xdg.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root
# Fix https://bugzilla.redhat.com/show_bug.cgi?id=578272
# CVE-2010-0825
Patch5: emacs-23.1-movemail.patch
BuildRequires: atk-devel, cairo-devel, desktop-file-utils, freetype-devel, fontconfig-devel, dbus-devel, giflib-devel, glibc-devel, gtk2-devel, libpng-devel
BuildRequires: libjpeg-devel, libtiff-devel, libX11-devel, libXau-devel, libXdmcp-devel, libXrender-devel, libXt-devel
BuildRequires: libXpm-devel, ncurses-devel, xorg-x11-proto-devel, zlib-devel
@ -45,12 +48,12 @@ Requires: hunspell, aspell
# bz#507852
BuildRequires: librsvg2-devel, m17n-lib-devel, libotf-devel
BuildRequires: alsa-lib-devel
Requires: librsvg2
# Desktop integration
BuildRequires: desktop-file-utils
Requires: desktop-file-utils
Conflicts: gettext < 0.10.40
Provides: emacs(bin)
Provides: emacs(bin) = %{epoch}:%{version}-%{release}
# #516391
Obsoletes: emacs-nxml-mode < 0.20041004-10
Provides: emacs-nxml-mode = 0.20041004-10
@ -88,7 +91,7 @@ This package provides an emacs binary with support for X windows.
Summary: GNU Emacs text editor without X support
Group: Applications/Editors
Requires: emacs-common = %{epoch}:%{version}-%{release}
Provides: emacs(bin)
Provides: emacs(bin) = %{epoch}:%{version}-%{release}
%description nox
Emacs is a powerful, customizable, self-documenting, modeless text
@ -105,7 +108,6 @@ Group: Applications/Editors
Requires(preun): %{_sbindir}/alternatives, /sbin/install-info, dev
Requires(posttrans): %{_sbindir}/alternatives
Requires(post): /sbin/install-info, dev
Obsoletes: emacs-leim
%description common
Emacs is a powerful, customizable, self-documenting, modeless text
@ -116,7 +118,7 @@ without leaving the editor.
This package contains all the common files needed by emacs or emacs-nox.
%package el
Summary: Emacs Lisp source files included with Emacs.
Summary: Lisp source files included with GNU Emacs
Group: Applications/Editors
%description el
@ -130,19 +132,19 @@ Emacs packages or see some elisp examples.
%prep
%setup -q
%patch0 -p1 -b .glibc-open-macro
%patch4 -p1 -b .xdg
# install rest of site-lisp files
( cd site-lisp
cp %SOURCE7 %SOURCE9 %SOURCE10 %SOURCE14 .
# rpm-spec-mode can use compilation-mode
patch < %PATCH1
# fix po-auto-replace-revision-date nil
patch < %PATCH2
# rpm-spec-mode: added rpm-change-log-uses-utc variable
patch < %PATCH3
)
# Install site-lisp files
cp %SOURCE7 %SOURCE9 %SOURCE10 %SOURCE14 site-lisp
pushd site-lisp
%patch1 -p0
%patch2 -p0
%patch3 -p0
popd
%patch5 -p1
# we prefer our emacs.desktop file
cp %SOURCE1 etc/emacs.desktop
@ -177,20 +179,28 @@ export CFLAGS="-DMAIL_USE_LOCKF $RPM_OPT_FLAGS"
#we patch configure.in so we have to do this
autoconf
# Build GTK+2 binary
mkdir build-gtk && cd build-gtk
ln -s ../configure .
%configure --with-dbus --with-gif --with-jpeg --with-png --with-rsvg \
--with-tiff --with-xft --with-xpm --with-x-toolkit=gtk
--with-tiff --with-xft --with-xpm --with-x-toolkit=gtk
make bootstrap
%{setarch} make %{?_smp_mflags}
cd ..
%__make bootstrap
%{setarch} %__make %{?_smp_mflags}
# Build binary without X support
mkdir build-nox && cd build-nox
ln -s ../configure .
%configure --with-x=no
%{setarch} make %{?_smp_mflags}
cd ..
# remove versioned file so that we end up with .1 suffix and only one DOC file
rm src/emacs-%{version}.*
# Make sure patched lisp files get byte-compiled
build-gtk/src/emacs %{bytecompargs} site-lisp/*.el
# make sure patched lisp files get byte-compiled
TOPDIR=${PWD}
${TOPDIR}/src/emacs %{bytecompargs} site-lisp/*.el
%__make %{?_smp_mflags} -C lisp updates
# Remove versioned file so that we end up with .1 suffix and only one DOC file
rm build-{gtk,nox}/src/emacs-%{version}.*
# Create pkgconfig file
cat > emacs.pc << EOF
@ -215,7 +225,9 @@ EOF
%install
rm -rf %{buildroot}
cd build-gtk
make install INSTALL="%{__install} -p" DESTDIR=%{buildroot}
cd ..
# let alternatives manage the symlink
rm %{buildroot}%{_bindir}/emacs
@ -224,14 +236,8 @@ rm %{buildroot}%{_bindir}/emacs
gunzip %{buildroot}%{_datadir}/emacs/%{version}/lisp/jka-compr.el.gz
gunzip %{buildroot}%{_datadir}/emacs/%{version}/lisp/jka-cmpr-hook.el.gz
# rebuild without X support
# remove the versioned binary with X support so that we end up with .1 suffix for emacs-nox too
rm src/emacs-%{version}.*
%configure --without-x
%__make %{?_smp_mflags}
# install the emacs without X
install -p -m 0755 src/emacs-%{version}.1 %{buildroot}%{_bindir}/emacs-%{version}-nox
install -p -m 0755 build-nox/src/emacs %{buildroot}%{_bindir}/emacs-%{version}-nox
# make sure movemail isn't setgid
chmod 755 %{buildroot}%{emacs_libexecdir}/movemail
@ -322,32 +328,12 @@ fi
alternatives --remove emacs %{_bindir}/emacs-%{version} || :
%posttrans
#check if there is "remainder" old version, which was not deleted
# the check can be removed for Fedora 14, as the bug it handled was
# present only in some old Emacs package version
if alternatives --display emacs > /dev/null; then
VER=$(alternatives --display emacs | sed -ne 's/.*emacs-\([0-9\.]\+\).*/\1/p' | head -1)
if [ ${VER} != %{version} ]; then
alternatives --remove emacs %{_bindir}/emacs-${VER} || :
fi
fi
#end check
alternatives --install %{_bindir}/emacs emacs %{_bindir}/emacs-%{version} 80 || :
%preun nox
alternatives --remove emacs %{_bindir}/emacs-%{version}-nox || :
%posttrans nox
#check if there is "remainder" old version, which was not deleted
# the check can be removed for Fedora 14, as the bug it handled was
# present only in some old Emacs package version
if alternatives --display emacs > /dev/null; then
VER=$(alternatives --display emacs | sed -ne 's/.*emacs-\([0-9\.]\+\).*/\1/p' | head -1)
if [ ${VER} != %{version} ]; then
alternatives --remove emacs %{_bindir}/emacs-${VER}-nox || :
fi
fi
#end check
alternatives --install %{_bindir}/emacs emacs %{_bindir}/emacs-%{version}-nox 70 || :
%post common
@ -411,6 +397,20 @@ alternatives --install %{_bindir}/etags emacs.etags %{_bindir}/etags.emacs 80 \
%dir %{_datadir}/emacs/%{version}
%changelog
* Thu Apr 1 2010 Jonathan G. Underwood <jonathan.underwood@gmail.com> - 1:23.1.94-2
- Add patch to fix RHBZ #578272 - security vulnerability with movemail
(CVE-2010-0825)
- Use standard %%patch macro to apply all patches to silent rpmlint warnings
- Remove unnecessary buildroot tag
- Remove explicit dependency on librsvg2 (but keep BuildRequires for
librsvg2-devel)
- Add properly versioned Provides for emacs(bin)
- Remove long unneeded Obsoletes for emacs-leim
- Fix summary for emacs-el
- Use out of tree builds so that we can build multibple versions in the
%%build section
- Remove checks for old version of Emacs in postrtrans
* Mon Mar 22 2010 Karel Klic <kklic@redhat.com> - 1:23.1.94-1
- Update to 23.2 pretest version
- Removed patches applied by upstream
@ -783,7 +783,7 @@ alternatives --install %{_bindir}/etags emacs.etags %{_bindir}/etags.emacs 80 \
emacs-21-personality-linux32-101818.patch from cvs (Jan Djärv)
which also turns off address randomization during dumping (Masatake Yamato)
- no longer need to pass SETARCH to make on i386 (#160814)
- move ownership of %%{_datadir}/emacs/ and %%{_datadir}/emacs/%{version}/
- move ownership of %%{_datadir}/emacs/ and %%{_datadir}/emacs/%%{version}/
from emacs to emacs-el and emacs-leim subpackages
- don't build tramp html and dvi documentation
- drop src/config.in part of bzero-and-have-stdlib.dpatch to avoid
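Review bot: `%patch5 -p1` in the %prep hunk applies the movemail security patch without the `-b` backup suffix that `%patch0 -p1 -b .glibc-open-macro` and `%patch4 -p1 -b .xdg` in the same hunk use; `%patch5 -p1 -b .movemail` would keep the convention and leave the pristine source next to the patched one. The `# CVE-2010-0825` comment above `Patch5:` could also say what the patch does, e.g. `# movemail: drop the effective gid around mailbox open/truncation instead of access() checks`, so the reason survives the bugzilla link. The new changelog entry repeats the commit message typos `multibple` and `postrtrans` (presumably `multiple` and `posttrans`). Which lines of this section are added and which removed is not marked in the rendering, so the above is read from the commit message.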