--- /dev/null
--- /dev/null
++From 6e82b5fbe2761d479f1fec96fb3d4afee12b9d67 Mon Sep 17 00:00:00 2001
++From: Glenn Morris <rgm@gnu.org>
++Date: Thu, 8 May 2014 14:10:36 -0400
++Subject: Insecure file handling in browse-url-mosaic has been fixed
++ (CVE-2014-3423)
++
++Applied upstream patch to fix
++https://security-tracker.debian.org/tracker/CVE-2014-3423
++
++ * browse-url.el (browse-url-mosaic): Be careful when writing /tmp/Mosaic.PID.
++ This is CVE-2014-3423.
++
++Origin: upstream, commit: r117087, 25147805fa875f23495904785e6df61f9d426c13
++Added-by: Rob Browning <rlb@defaultvalue.org>
++Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=748140
++---
++ lisp/ChangeLog | 6 ++++++
++ lisp/net/browse-url.el | 32 +++++++++++++++-----------------
++ 2 files changed, 21 insertions(+), 17 deletions(-)
++
++diff --git a/lisp/ChangeLog b/lisp/ChangeLog
++index b5f5d26..01b4a02 100644
++--- a/lisp/ChangeLog
+++++ b/lisp/ChangeLog
++@@ -1,3 +1,9 @@
+++2014-05-08 Glenn Morris <rgm@gnu.org>
+++
+++ * net/browse-url.el (browse-url-mosaic):
+++ Be careful when writing /tmp/Mosaic.PID. (Bug#17428)
+++ This is CVE-2014-3423.
+++
++ 2014-05-06 Michael Albinus <michael.albinus@gmx.de>
++
++ * net/tramp-sh.el (tramp-remote-process-environment): Remove
++diff --git a/lisp/net/browse-url.el b/lisp/net/browse-url.el
++index 19e513a..b8b2fde 100644
++--- a/lisp/net/browse-url.el
+++++ b/lisp/net/browse-url.el
++@@ -1328,28 +1328,26 @@ used instead of `browse-url-new-window-flag'."
++ (let ((pidfile (expand-file-name browse-url-mosaic-pidfile))
++ pid)
++ (if (file-readable-p pidfile)
++- (save-excursion
++- (find-file pidfile)
++- (goto-char (point-min))
++- (setq pid (read (current-buffer)))
++- (kill-buffer nil)))
++- (if (and pid (zerop (signal-process pid 0))) ; Mosaic running
++- (save-excursion
++- (find-file (format "/tmp/Mosaic.%d" pid))
++- (erase-buffer)
++- (insert (if (browse-url-maybe-new-window new-window)
++- "newwin\n"
++- "goto\n")
++- url "\n")
++- (save-buffer)
++- (kill-buffer nil)
+++ (with-temp-buffer
+++ (insert-file-contents pidfile)
+++ (setq pid (read (current-buffer)))))
+++ (if (and (integerp pid) (zerop (signal-process pid 0))) ; Mosaic running
+++ (progn
+++ (with-temp-buffer
+++ (insert (if (browse-url-maybe-new-window new-window)
+++ "newwin\n"
+++ "goto\n")
+++ url "\n")
+++ (if (file-exists-p (setq pidfile (format "/tmp/Mosaic.%d" pid)))
+++ (delete-file pidfile))
+++ ;; http://debbugs.gnu.org/17428. Use O_EXCL.
+++ (write-region nil nil pidfile nil 'silent nil 'excl))
++ ;; Send signal SIGUSR to Mosaic
++ (message "Signaling Mosaic...")
++ (signal-process pid 'SIGUSR1)
++ ;; Or you could try:
++ ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid))
++- (message "Signaling Mosaic...done")
++- )
+++ (message "Signaling Mosaic...done"))
++ ;; Mosaic not running - start it
++ (message "Starting %s..." browse-url-mosaic-program)
++ (apply 'start-process "xmosaic" nil browse-url-mosaic-program
--- /dev/null
+0001-Prefer-usr-share-info-emacs-24-over-usr-share-info.patch
+0002-Run-debian-startup-and-set-debian-emacs-flavor.patch
+0003-Remove-files-that-appear-to-be-incompatible-with-the.patch
+0004-Adjust-documentation-references-for-Debian.patch
+0005-Modify-the-output-of-version-to-indicate-Debian-modi.patch
+0006-Look-for-NEWS-in-order-to-find-etc-rather-than-GNU.patch
+0007-Invoke-the-correct-xmlstarlet-executable-on-Debian-s.patch
+0008-Emacs-should-no-longer-hang-at-startup-on-kFreeBSD.patch
+0009-Emacs-should-no-longer-hang-at-startup-on-kFreeBSD.patch
+0010-Emacs-should-now-build-correctly-on-GNU-Hurd.patch
+0011-Gnus-should-no-longer-use-a-predictable-temp-file-na.patch
+0012-Security-issues-in-find-gc.el-have-been-fixed-CVE-20.patch
+0013-Security-issues-in-tramp-have-been-fixed-CVE-2014-34.patch
++0014-Insecure-file-handling-in-browse-url-mosaic-has-been.patch
projects / emacs.git / commitdiff