Upstream patch for browse-url, bug 509830.emacs-24.3-patches-7emacs-23.4-patches-12

2 files changed, 59 insertions, 124 deletions

diff --git a/emacs/23.4/18_all_browse-url-no-mosaic.patch b/emacs/23.4/18_all_browse-url-no-mosaic.patch
deleted file mode 100644
index b6a8152..0000000
--- a/emacs/23.4/18_all_browse-url-no-mosaic.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-Fix insecure use of temporary files.
-Gentoo patch: Remove obsolete browse-url-mosaic function completely.
-https://bugs.gentoo.org/509830
-CVE-2014-3423
-
---- emacs-23.4-orig/lisp/net/browse-url.el
-+++ emacs-23.4/lisp/net/browse-url.el
-@@ -40,7 +40,6 @@
- ;; browse-url-galeon                  Galeon      Don't know
- ;; browse-url-epiphany                Epiphany    Don't know
- ;; browse-url-netscape                Netscape    1.1b1
--;; browse-url-mosaic                  XMosaic/mMosaic <= 2.4
- ;; browse-url-cci                     XMosaic     2.5
- ;; browse-url-w3                      w3          0
- ;; browse-url-w3-gnudoit              w3 remotely
-@@ -82,11 +81,7 @@
- ;; include Chimera <URL:ftp://ftp.cs.unlv.edu/pub/chimera> and
- ;; <URL:http://www.unlv.edu/chimera/>, Arena
- ;; <URL:ftp://ftp.yggdrasil.com/pub/dist/web/arena> and Amaya
--;; <URL:ftp://ftp.w3.org/pub/amaya>.  mMosaic
--;; <URL:ftp://ftp.enst.fr/pub/mbone/mMosaic/>,
--;; <URL:http://www.enst.fr/~dauphin/mMosaic/> (with development
--;; support for Java applets and multicast) can be used like Mosaic by
--;; setting `browse-url-mosaic-program' appropriately.
-+;; <URL:ftp://ftp.w3.org/pub/amaya>.
- 
- ;; I [Denis Howe, not Dave Love] recommend Nelson Minar
- ;; <nelson@santafe.edu>'s excellent html-helper-mode.el for editing
-@@ -242,7 +237,6 @@
- 	  (function-item :tag "Galeon" :value  browse-url-galeon)
- 	  (function-item :tag "Epiphany" :value  browse-url-epiphany)
- 	  (function-item :tag "Netscape" :value  browse-url-netscape)
--	  (function-item :tag "Mosaic" :value  browse-url-mosaic)
- 	  (function-item :tag "Mosaic using CCI" :value  browse-url-cci)
- 	  (function-item :tag "Text browser in an xterm window"
- 			 :value browse-url-text-xterm)
-@@ -421,22 +415,6 @@
-   :type 'boolean
-   :group 'browse-url)
- 
--(defcustom browse-url-mosaic-program "xmosaic"
--  "The name by which to invoke Mosaic (or mMosaic)."
--  :type 'string
--  :version "20.3"
--  :group 'browse-url)
--
--(defcustom browse-url-mosaic-arguments nil
--  "A list of strings to pass to Mosaic as arguments."
--  :type '(repeat (string :tag "Argument"))
--  :group 'browse-url)
--
--(defcustom browse-url-mosaic-pidfile "~/.mosaicpid"
--  "The name of the pidfile created by Mosaic."
--  :type 'string
--  :group 'browse-url)
--
- (defcustom browse-url-filename-alist
-   `(("^/\\(ftp@\\|anonymous@\\)?\\([^:]+\\):/*" . "ftp://\\2/")
-     ;; The above loses the username to avoid the browser prompting for
-@@ -895,7 +873,6 @@
-     ((executable-find browse-url-galeon-program) 'browse-url-galeon)
-     ((executable-find browse-url-kde-program) 'browse-url-kde)
-     ((executable-find browse-url-netscape-program) 'browse-url-netscape)
--    ((executable-find browse-url-mosaic-program) 'browse-url-mosaic)
-     ((executable-find browse-url-xterm-program) 'browse-url-text-xterm)
-     ((locate-library "w3") 'browse-url-w3)
-     (t
-@@ -1212,56 +1189,6 @@
- 	      '("--newwin"))
- 	  (list "--raise" url))))
- 
--;; --- Mosaic ---
--
--;;;###autoload
--(defun browse-url-mosaic (url &optional new-window)
--  "Ask the XMosaic WWW browser to load URL.
--
--Default to the URL around or before point.  The strings in variable
--`browse-url-mosaic-arguments' are also passed to Mosaic and the
--program is invoked according to the variable
--`browse-url-mosaic-program'.
--
--When called interactively, if variable `browse-url-new-window-flag' is
--non-nil, load the document in a new Mosaic window, otherwise use a
--random existing one.  A non-nil interactive prefix argument reverses
--the effect of `browse-url-new-window-flag'.
--
--When called non-interactively, optional second argument NEW-WINDOW is
--used instead of `browse-url-new-window-flag'."
--  (interactive (browse-url-interactive-arg "Mosaic URL: "))
--  (let ((pidfile (expand-file-name browse-url-mosaic-pidfile))
--	pid)
--    (if (file-readable-p pidfile)
--	(save-excursion
--	  (find-file pidfile)
--	  (goto-char (point-min))
--	  (setq pid (read (current-buffer)))
--	  (kill-buffer nil)))
--    (if (and pid (zerop (signal-process pid 0))) ; Mosaic running
--	(save-excursion
--	  (find-file (format "/tmp/Mosaic.%d" pid))
--	  (erase-buffer)
--	  (insert (if (browse-url-maybe-new-window new-window)
--		      "newwin\n"
--		    "goto\n")
--		  url "\n")
--	  (save-buffer)
--	  (kill-buffer nil)
--	  ;; Send signal SIGUSR to Mosaic
--	  (message "Signaling Mosaic...")
--	  (signal-process pid 'SIGUSR1)
--	  ;; Or you could try:
--	  ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid))
--	  (message "Signaling Mosaic...done")
--	  )
--      ;; Mosaic not running - start it
--      (message "Starting %s..." browse-url-mosaic-program)
--      (apply 'start-process "xmosaic" nil browse-url-mosaic-program
--	     (append browse-url-mosaic-arguments (list url)))
--      (message "Starting %s...done" browse-url-mosaic-program))))
--
- ;; --- Mosaic using CCI ---
- 
- ;;;###autoload
diff --git a/emacs/23.4/18_all_browse-url-tmpfile.patch b/emacs/23.4/18_all_browse-url-tmpfile.patch
new file mode 100644
index 0000000..ea62328
--- /dev/null
+++ b/emacs/23.4/18_all_browse-url-tmpfile.patch
@@ -0,0 +1,59 @@
+Fix insecure use of temporary files.
+Patch from upstream bzr, backported to Emacs 23.4.
+https://bugs.gentoo.org/509830
+CVE-2014-3423
+
+revno: 117087
+fixes bug: http://debbugs.gnu.org/17428
+committer: Glenn Morris <rgm@gnu.org>
+branch nick: emacs-24
+timestamp: Thu 2014-05-08 14:10:36 -0400
+message:
+  * browse-url.el (browse-url-mosaic): Be careful when writing /tmp/Mosaic.PID.
+
+--- emacs-23.4-orig/lisp/net/browse-url.el
++++ emacs-23.4/lisp/net/browse-url.el
+@@ -1234,28 +1234,26 @@
+   (let ((pidfile (expand-file-name browse-url-mosaic-pidfile))
+ 	pid)
+     (if (file-readable-p pidfile)
+-	(save-excursion
+-	  (find-file pidfile)
+-	  (goto-char (point-min))
+-	  (setq pid (read (current-buffer)))
+-	  (kill-buffer nil)))
+-    (if (and pid (zerop (signal-process pid 0))) ; Mosaic running
+-	(save-excursion
+-	  (find-file (format "/tmp/Mosaic.%d" pid))
+-	  (erase-buffer)
+-	  (insert (if (browse-url-maybe-new-window new-window)
+-		      "newwin\n"
+-		    "goto\n")
+-		  url "\n")
+-	  (save-buffer)
+-	  (kill-buffer nil)
++        (with-temp-buffer
++          (insert-file-contents pidfile)
++	  (setq pid (read (current-buffer)))))
++    (if (and (integerp pid) (zerop (signal-process pid 0))) ; Mosaic running
++        (progn
++          (with-temp-buffer
++            (insert (if (browse-url-maybe-new-window new-window)
++                        "newwin\n"
++                      "goto\n")
++                    url "\n")
++            (if (file-exists-p (setq pidfile (format "/tmp/Mosaic.%d" pid)))
++                (delete-file pidfile))
++            ;; http://debbugs.gnu.org/17428.  Use O_EXCL.
++            (write-region nil nil pidfile nil 'silent nil 'excl))
+ 	  ;; Send signal SIGUSR to Mosaic
+ 	  (message "Signaling Mosaic...")
+ 	  (signal-process pid 'SIGUSR1)
+ 	  ;; Or you could try:
+ 	  ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid))
+-	  (message "Signaling Mosaic...done")
+-	  )
++	  (message "Signaling Mosaic...done"))
+       ;; Mosaic not running - start it
+       (message "Starting %s..." browse-url-mosaic-program)
+       (apply 'start-process "xmosaic" nil browse-url-mosaic-program