diff --git a/emacs-CVE-2014-3421.patch b/emacs-CVE-2014-3421.patch new file mode 100644 index 0000000..7d3ab40 --- /dev/null +++ b/emacs-CVE-2014-3421.patch @@ -0,0 +1,30 @@ +diff --git a/lisp/gnus/gnus-fun.el b/lisp/gnus/gnus-fun.el +index 1c9b4ce..6d43d23 100644 +--- a/lisp/gnus/gnus-fun.el ++++ b/lisp/gnus/gnus-fun.el +@@ -250,20 +250,21 @@ colors of the displayed X-Faces." + (interactive) + (shell-command "xawtv-remote snap ppm") + (let ((file nil) ++ (tempfile (make-temp-file "gnus-face-" nil "*.ppm")) + result) + (while (null (setq file (directory-files "/tftpboot/sparky/tmp" + t "snap.*ppm"))) + (sleep-for 1)) + (setq file (car file)) + (shell-command +- (format "pnmcut -left 110 -top 30 -width 144 -height 144 '%s' | pnmscale -width 48 -height 48 | ppmtopgm > /tmp/gnus.face.ppm" +- file)) ++ (format "pnmcut -left 110 -top 30 -width 144 -height 144 '%s' | pnmscale -width 48 -height 48 | ppmtopgm >> %s" ++ file tempfile)) + (let ((gnus-convert-image-to-face-command + (format "cat '%%s' | ppmquant %%d | ppmchange %s | pnmtopng" + (gnus-fun-ppm-change-string)))) +- (setq result (gnus-face-from-file "/tmp/gnus.face.ppm"))) ++ (setq result (gnus-face-from-file tempfile))) + (delete-file file) +- ;;(delete-file "/tmp/gnus.face.ppm") ++ ;;(delete-file tempfile) + result)) + + (defun gnus-fun-ppm-change-string () diff --git a/emacs-CVE-2014-3422.patch b/emacs-CVE-2014-3422.patch new file mode 100644 index 0000000..07c836f --- /dev/null +++ b/emacs-CVE-2014-3422.patch @@ -0,0 +1,119 @@ +diff --git a/lisp/emacs-lisp/find-gc.el b/lisp/emacs-lisp/find-gc.el +index 82b3e94..6bdb09d 100644 +--- a/lisp/emacs-lisp/find-gc.el ++++ b/lisp/emacs-lisp/find-gc.el +@@ -23,14 +23,15 @@ + + ;; Produce in find-gc-unsafe-list the set of all functions that may invoke GC. + ;; This expects the Emacs sources to live in find-gc-source-directory. +-;; It creates a temporary working directory /tmp/esrc. + + ;;; Code: + + (defvar find-gc-unsafe-list nil + "The list of unsafe functions is placed here by `find-gc-unsafe'.") + +-(defvar find-gc-source-directory) ++(defvar find-gc-source-directory ++ (file-name-as-directory (expand-file-name "src" source-directory)) ++ "Directory containing Emacs C sources.") + + (defvar find-gc-subrs-callers nil + "Alist of users of subrs, from GC testing. +@@ -59,14 +60,14 @@ Each entry has the form (FUNCTION . FUNCTIONS-IT-CALLS).") + "indent.c" "search.c" "regex.c" "undo.c" + "alloc.c" "data.c" "doc.c" "editfns.c" + "callint.c" "eval.c" "fns.c" "print.c" "lread.c" +- "abbrev.c" "syntax.c" "unexcoff.c" ++ "syntax.c" "unexcoff.c" + "bytecode.c" "process.c" "callproc.c" "doprnt.c" +- "x11term.c" "x11fns.c")) ++ "xterm.c" "x11fns.c")) + + + (defun find-gc-unsafe () + "Return a list of unsafe functions--that is, which can call GC. +-Also store it in `find-gc-unsafe'." ++Also store it in `find-gc-unsafe-list'." + (trace-call-tree nil) + (trace-use-tree) + (find-unsafe-funcs 'Fgarbage_collect) +@@ -102,47 +103,38 @@ Also store it in `find-gc-unsafe'." + + + +-(defun trace-call-tree (&optional already-setup) ++(defun trace-call-tree (&optional ignored) + (message "Setting up directories...") +- (or already-setup +- (progn +- ;; Gee, wouldn't a built-in "system" function be handy here. +- (call-process "csh" nil nil nil "-c" "rm -rf /tmp/esrc") +- (call-process "csh" nil nil nil "-c" "mkdir /tmp/esrc") +- (call-process "csh" nil nil nil "-c" +- (format "ln -s %s/*.[ch] /tmp/esrc" +- find-gc-source-directory)))) +- (with-current-buffer (get-buffer-create "*Trace Call Tree*") +- (setq find-gc-subrs-called nil) +- (let ((case-fold-search nil) +- (files find-gc-source-files) +- name entry) +- (while files +- (message "Compiling %s..." (car files)) +- (call-process "csh" nil nil nil "-c" +- (format "gcc -dr -c /tmp/esrc/%s -o /dev/null" +- (car files))) +- (erase-buffer) +- (insert-file-contents (concat "/tmp/esrc/" (car files) ".rtl")) +- (while (re-search-forward ";; Function \\|(call_insn " nil t) +- (if (= (char-after (- (point) 3)) ?o) +- (progn +- (looking-at "[a-zA-Z0-9_]+") +- (setq name (intern (buffer-substring (match-beginning 0) +- (match-end 0)))) +- (message "%s : %s" (car files) name) +- (setq entry (list name) +- find-gc-subrs-called (cons entry find-gc-subrs-called))) +- (if (looking-at ".*\n?.*\"\\([A-Za-z0-9_]+\\)\"") +- (progn +- (setq name (intern (buffer-substring (match-beginning 1) +- (match-end 1)))) +- (or (memq name (cdr entry)) +- (setcdr entry (cons name (cdr entry)))))))) +- (delete-file (concat "/tmp/esrc/" (car files) ".rtl")) +- (setq files (cdr files))))) +-) +- ++ (setq find-gc-subrs-called nil) ++ (let ((case-fold-search nil) ++ (default-directory find-gc-source-directory) ++ (files find-gc-source-files) ++ name entry rtlfile) ++ (dolist (file files) ++ (message "Compiling %s..." file) ++ (call-process "gcc" nil nil nil "-I" "." "-I" "../lib" ++ "-fdump-rtl-expand" "-o" null-device "-c" file) ++ (setq rtlfile ++ (file-expand-wildcards (format "%s.*.expand" file) t)) ++ (if (/= 1 (length rtlfile)) ++ (message "Error compiling `%s'?" file) ++ (with-temp-buffer ++ (insert-file-contents (setq rtlfile (car rtlfile))) ++ (delete-file rtlfile) ++ (while (re-search-forward ";; Function \\|(call_insn " nil t) ++ (if (= (char-after (- (point) 3)) ?o) ++ (progn ++ (looking-at "[a-zA-Z0-9_]+") ++ (setq name (intern (match-string 0))) ++ (message "%s : %s" (car files) name) ++ (setq entry (list name) ++ find-gc-subrs-called ++ (cons entry find-gc-subrs-called))) ++ (if (looking-at ".*\n?.*\"\\([A-Za-z0-9_]+\\)\"") ++ (progn ++ (setq name (intern (match-string 1))) ++ (or (memq name (cdr entry)) ++ (setcdr entry (cons name (cdr entry))))))))))))) + + (defun trace-use-tree () + (setq find-gc-subrs-callers (mapcar 'list (mapcar 'car find-gc-subrs-called))) diff --git a/emacs-CVE-2014-3423.patch b/emacs-CVE-2014-3423.patch new file mode 100644 index 0000000..2251fca --- /dev/null +++ b/emacs-CVE-2014-3423.patch @@ -0,0 +1,16 @@ +diff --git a/lisp/net/browse-url.el b/lisp/net/browse-url.el +index 19e513a..1a28e26 100644 +--- a/lisp/net/browse-url.el ++++ b/lisp/net/browse-url.el +@@ -1335,7 +1335,10 @@ used instead of `browse-url-new-window-flag'." + (kill-buffer nil))) + (if (and pid (zerop (signal-process pid 0))) ; Mosaic running + (save-excursion +- (find-file (format "/tmp/Mosaic.%d" pid)) ++ ;; This is a predictable temp-file name, which is bad, ++ ;; but it is what Mosaic uses/used. ++ ;; So it's not Emacs's problem. http://bugs.debian.org/747100 ++ (find-file (format "/tmp/Mosaic.%d" pid)) + (erase-buffer) + (insert (if (browse-url-maybe-new-window new-window) + "newwin\n" diff --git a/emacs-CVE-2014-3424.patch b/emacs-CVE-2014-3424.patch new file mode 100644 index 0000000..a9b6480 --- /dev/null +++ b/emacs-CVE-2014-3424.patch @@ -0,0 +1,70 @@ +diff --git a/lisp/net/tramp-sh.el b/lisp/net/tramp-sh.el +index 29a6344..f6c6710 100644 +--- a/lisp/net/tramp-sh.el ++++ b/lisp/net/tramp-sh.el +@@ -605,9 +605,9 @@ This list is used for copying/renaming with out-of-band methods. + See `tramp-actions-before-shell' for more info.") + + (defconst tramp-uudecode +- "(echo begin 600 /tmp/tramp.$$; tail +2) | uudecode +-cat /tmp/tramp.$$ +-rm -f /tmp/tramp.$$" ++ "(echo begin 600 %t; tail +2) | uudecode ++cat %t ++rm -f %t" + "Shell function to implement `uudecode' to standard output. + Many systems support `uudecode -o /dev/stdout' or `uudecode -o -' + for this or `uudecode -p', but some systems don't, and for them +@@ -3938,7 +3938,7 @@ Each item is a list that looks like this: + + \(FORMAT ENCODING DECODING [TEST]\) + +-FORMAT is symbol describing the encoding/decoding format. It can be ++FORMAT is a symbol describing the encoding/decoding format. It can be + `b64' for base64 encoding, `uu' for uu encoding, or `pack' for simple packing. + + ENCODING and DECODING can be strings, giving commands, or symbols, +@@ -3948,9 +3948,11 @@ filename will be put into the command line at that spot. If the + specifier is not present, the input should be read from standard + input. + +-If they are variables, this variable is a string containing a Perl +-implementation for this functionality. This Perl program will be transferred +-to the remote host, and it is available as shell function with the same name. ++If they are variables, this variable is a string containing a ++Perl or Shell implementation for this functionality. This ++program will be transferred to the remote host, and it is ++available as shell function with the same name. A \"%t\" format ++specifier in the variable value denotes a temporary file + + The optional TEST command can be used for further tests, whether + ENCODING and DECODING are applicable.") +@@ -4025,10 +4027,25 @@ Goes through the list `tramp-local-coding-commands' and + (throw 'wont-work-remote nil)) + + (when (not (stringp rem-dec)) +- (let ((name (symbol-name rem-dec))) ++ (let ((name (symbol-name rem-dec)) ++ (value (symbol-value rem-dec)) ++ tmpfile) + (while (string-match (regexp-quote "-") name) +- (setq name (replace-match "_" nil t name))) +- (tramp-maybe-send-script vec (symbol-value rem-dec) name) ++ (setq name (replace-match "_" nil t name))) ++ (when (string-match "%t" value) ++ (setq tmpfile ++ (make-temp-name ++ (expand-file-name ++ tramp-temp-name-prefix ++ (tramp-get-remote-tmpdir vec))) ++ value ++ (format-spec ++ value ++ (format-spec-make ++ ?t ++ (tramp-file-name-handler ++ 'file-remote-p tmpfile 'localname))))) ++ (tramp-maybe-send-script vec value name) + (setq rem-dec name))) + (tramp-message + vec 5 diff --git a/emacs.spec b/emacs.spec index f00ce6f..5f35bc2 100644 --- a/emacs.spec +++ b/emacs.spec @@ -3,7 +3,7 @@ Summary: GNU Emacs text editor Name: emacs Epoch: 1 Version: 24.3 -Release: 16%{?dist} +Release: 17%{?dist} License: GPLv3+ URL: http://www.gnu.org/software/emacs/ Group: Applications/Editors @@ -32,9 +32,14 @@ Patch14: emacs-maximized.patch # Fix for default PDF viewer bug #971162 Patch15: emacs-pdf-default.patch # Fix for emacs bug #13460. -Patch100: emacs-24.3-hunspell.patch +Patch16: emacs-24.3-hunspell.patch # Fix for emacs bug #827033 -Patch101: emacs-24.3-hunspell.2.patch +Patch17: emacs-24.3-hunspell.2.patch +# Several CVE fixes +Patch18: emacs-CVE-2014-3421.patch +Patch19: emacs-CVE-2014-3422.patch +Patch20: emacs-CVE-2014-3423.patch +Patch21: emacs-CVE-2014-3424.patch BuildRequires: atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel glibc-devel libpng-devel BuildRequires: libjpeg-devel libtiff-devel libX11-devel libXau-devel libXdmcp-devel libXrender-devel libXt-devel @@ -177,9 +182,12 @@ packages that add functionality to Emacs. %patch13 -p1 -b .help-update.patch %patch14 -p1 -b .maximized.patch %patch15 -p1 -b .pdf-default.patch - -%patch100 -p1 -b .hunspell -%patch101 -p1 -b .hunspell.2 +%patch16 -p1 -b .hunspell +%patch17 -p1 -b .hunspell.2 +%patch18 -p1 -b .CVE-2014-3421.patch +%patch19 -p1 -b .CVE-2014-3422.patch +%patch20 -p1 -b .CVE-2014-3423.patch +%patch21 -p1 -b .CVE-2014-3424.patch # We prefer our emacs.desktop file cp %SOURCE1 etc/emacs.desktop @@ -462,6 +470,9 @@ update-desktop-database &> /dev/null || : %dir %{_datadir}/emacs/site-lisp/site-start.d %changelog +* Tue May 20 2014 Petr Hracek - 1:24.3-17 +- CVE-2014-3421 CVE-2014-3422 CVE-2014-3423 CVE-2014-3424 (#1095587) + * Thu Apr 17 2014 Petr Hracek - 1:24.3-16 - Info files are not installed (#1062792)