authorUlrich Müller <ulm@gentoo.org>2014-05-08 19:52:16 +0200
committerUlrich Müller <ulm@gentoo.org>2014-05-08 19:52:16 +0200
commitf93ca92566a63f8dce17b92ae23b0e79757a0a36 (patch)
treea14ecf75c51eaca50935ccc85d0d4ae9527b49c3 /emacs/23.4
parentUpdate PaX/xattr patch, bug 497498. (diff)
Fix insecure use of temporary files, bug 509830.emacs-24.3-patches-6emacs-23.4-patches-11
Diffstat (limited to 'emacs/23.4')
-rw-r--r--emacs/23.4/16_all_gnus-fun-tmpfile.patch41
-rw-r--r--emacs/23.4/17_all_find-gc-tmpfile.patch135
-rw-r--r--emacs/23.4/18_all_browse-url-no-mosaic.patch124
-rw-r--r--emacs/23.4/19_all_tramp-tmpfile.patch84
4 files changed, 384 insertions, 0 deletions
diff --git a/emacs/23.4/16_all_gnus-fun-tmpfile.patch b/emacs/23.4/16_all_gnus-fun-tmpfile.patch
new file mode 100644
index 0000000..18adf49
--- /dev/null
+++ b/emacs/23.4/16_all_gnus-fun-tmpfile.patch
@@ -0,0 +1,41 @@
+Fix insecure use of temporary files.
+Patch from upstream bzr, backported to Emacs 23.4.
+https://bugs.gentoo.org/509830
+CVE-2014-3421
+
+revno: 117066
+fixes bug: http://bugs.debian.org/747100
+committer: Glenn Morris <rgm@gnu.org>
+branch nick: emacs-24
+timestamp: Mon 2014-05-05 20:50:51 -0700
+message:
+ * gnus-fun.el (gnus-grab-cam-face): Do not use predictable temp-file name.
+
+--- emacs-23.4-orig/lisp/gnus/gnus-fun.el
++++ emacs-23.4/lisp/gnus/gnus-fun.el
+@@ -260,20 +260,21 @@
+ (interactive)
+ (shell-command "xawtv-remote snap ppm")
+ (let ((file nil)
++ (tempfile (make-temp-file "gnus-face-" nil ".ppm"))
+ result)
+ (while (null (setq file (directory-files "/tftpboot/sparky/tmp"
+ t "snap.*ppm")))
+ (sleep-for 1))
+ (setq file (car file))
+ (shell-command
+- (format "pnmcut -left 110 -top 30 -width 144 -height 144 '%s' | pnmscale -width 48 -height 48 | ppmtopgm > /tmp/gnus.face.ppm"
+- file))
++ (format "pnmcut -left 110 -top 30 -width 144 -height 144 '%s' | pnmscale -width 48 -height 48 | ppmtopgm >> %s"
++ file tempfile))
+ (let ((gnus-convert-image-to-face-command
+ (format "cat '%%s' | ppmquant %%d | ppmchange %s | pnmtopng"
+ (gnus-fun-ppm-change-string))))
+- (setq result (gnus-face-from-file "/tmp/gnus.face.ppm")))
++ (setq result (gnus-face-from-file tempfile)))
+ (delete-file file)
+- ;;(delete-file "/tmp/gnus.face.ppm")
++ ;;(delete-file tempfile) ; FIXME why are we not deleting it?!
+ result))
+
+ (defun gnus-fun-ppm-change-string ()
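Review bot: `tempfile` is interpolated into the shell command unquoted (`ppmtopgm >> %s` with `file tempfile`), so a `temporary-file-directory` containing spaces or shell metacharacters breaks or alters the redirection; pass `(shell-quote-argument tempfile)` instead, and the hand-written `'%s'` around `file` would be better served by the same function. The `>>` is only harmless because `make-temp-file` has just created an empty file, which deserves a one-line comment such as `;; tempfile already exists and is empty; append so the shell does not recreate it`. The temp file is still never removed (the `delete-file` stays commented out behind the FIXME), so every call leaves a `gnus-face-*.ppm` behind; if nothing reads it after `gnus-face-from-file` returns, an `unwind-protect` with `(delete-file tempfile)` would close that. The enclosing defun starts above the inner hunk.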
diff --git a/emacs/23.4/17_all_find-gc-tmpfile.patch b/emacs/23.4/17_all_find-gc-tmpfile.patch
new file mode 100644
index 0000000..3a7a719
--- /dev/null
+++ b/emacs/23.4/17_all_find-gc-tmpfile.patch
@@ -0,0 +1,135 @@
+Fix insecure use of temporary files.
+Patch from upstream bzr, backported to Emacs 23.4.
+https://bugs.gentoo.org/509830
+CVE-2014-3422
+
+revno: 117067
+fixes bug: http://bugs.debian.org/747100
+committer: Glenn Morris <rgm@gnu.org>
+branch nick: emacs-24
+timestamp: Mon 2014-05-05 20:53:31 -0700
+message:
+ find-gc.el misc fixes
+
+ The whole file looks obsolete and/or broken.
+
+ * lisp/emacs-lisp/find-gc.el (find-gc-source-directory): Give it a value.
+ (find-gc-source-files): Update some names.
+ (trace-call-tree): Simplify and update. Avoid predictable temp-file names.
+
+--- emacs-23.4-orig/lisp/emacs-lisp/find-gc.el
++++ emacs-23.4/lisp/emacs-lisp/find-gc.el
+@@ -24,14 +24,15 @@
+
+ ;; Produce in find-gc-unsafe-list the set of all functions that may invoke GC.
+ ;; This expects the Emacs sources to live in find-gc-source-directory.
+-;; It creates a temporary working directory /tmp/esrc.
+
+ ;;; Code:
+
+ (defvar find-gc-unsafe-list nil
+ "The list of unsafe functions is placed here by `find-gc-unsafe'.")
+
+-(defvar find-gc-source-directory)
++(defvar find-gc-source-directory
++ (file-name-as-directory (expand-file-name "src" source-directory))
++ "Directory containing Emacs C sources.")
+
+ (defvar find-gc-subrs-callers nil
+ "Alist of users of subrs, from GC testing.
+@@ -60,14 +61,14 @@
+ "indent.c" "search.c" "regex.c" "undo.c"
+ "alloc.c" "data.c" "doc.c" "editfns.c"
+ "callint.c" "eval.c" "fns.c" "print.c" "lread.c"
+- "abbrev.c" "syntax.c" "unexec.c"
++ "syntax.c" "unexec.c"
+ "bytecode.c" "process.c" "callproc.c" "doprnt.c"
+- "x11term.c" "x11fns.c"))
++ "xterm.c" "xfns.c"))
+
+
+ (defun find-gc-unsafe ()
+ "Return a list of unsafe functions--that is, which can call GC.
+-Also store it in `find-gc-unsafe'."
++Also store it in `find-gc-unsafe-list'."
+ (trace-call-tree nil)
+ (trace-use-tree)
+ (find-unsafe-funcs 'Fgarbage_collect)
+@@ -103,47 +104,38 @@
+
+
+
+-(defun trace-call-tree (&optional already-setup)
++(defun trace-call-tree (&optional ignored)
+ (message "Setting up directories...")
+- (or already-setup
+- (progn
+- ;; Gee, wouldn't a built-in "system" function be handy here.
+- (call-process "csh" nil nil nil "-c" "rm -rf /tmp/esrc")
+- (call-process "csh" nil nil nil "-c" "mkdir /tmp/esrc")
+- (call-process "csh" nil nil nil "-c"
+- (format "ln -s %s/*.[ch] /tmp/esrc"
+- find-gc-source-directory))))
+- (with-current-buffer (get-buffer-create "*Trace Call Tree*")
+- (setq find-gc-subrs-called nil)
+- (let ((case-fold-search nil)
+- (files find-gc-source-files)
+- name entry)
+- (while files
+- (message "Compiling %s..." (car files))
+- (call-process "csh" nil nil nil "-c"
+- (format "gcc -dr -c /tmp/esrc/%s -o /dev/null"
+- (car files)))
+- (erase-buffer)
+- (insert-file-contents (concat "/tmp/esrc/" (car files) ".rtl"))
+- (while (re-search-forward ";; Function \\|(call_insn " nil t)
+- (if (= (char-after (- (point) 3)) ?o)
+- (progn
+- (looking-at "[a-zA-Z0-9_]+")
+- (setq name (intern (buffer-substring (match-beginning 0)
+- (match-end 0))))
+- (message "%s : %s" (car files) name)
+- (setq entry (list name)
+- find-gc-subrs-called (cons entry find-gc-subrs-called)))
+- (if (looking-at ".*\n?.*\"\\([A-Za-z0-9_]+\\)\"")
++ (setq find-gc-subrs-called nil)
++ (let ((case-fold-search nil)
++ (default-directory find-gc-source-directory)
++ (files find-gc-source-files)
++ name entry rtlfile)
++ (dolist (file files)
++ (message "Compiling %s..." file)
++ (call-process "gcc" nil nil nil "-I" "." "-I" "../lib"
++ "-fdump-rtl-expand" "-o" null-device "-c" file)
++ (setq rtlfile
++ (file-expand-wildcards (format "%s.*.expand" file) t))
++ (if (/= 1 (length rtlfile))
++ (message "Error compiling `%s'?" file)
++ (with-temp-buffer
++ (insert-file-contents (setq rtlfile (car rtlfile)))
++ (delete-file rtlfile)
++ (while (re-search-forward ";; Function \\|(call_insn " nil t)
++ (if (= (char-after (- (point) 3)) ?o)
+ (progn
+- (setq name (intern (buffer-substring (match-beginning 1)
+- (match-end 1))))
+- (or (memq name (cdr entry))
+- (setcdr entry (cons name (cdr entry))))))))
+- (delete-file (concat "/tmp/esrc/" (car files) ".rtl"))
+- (setq files (cdr files)))))
+-)
+-
++ (looking-at "[a-zA-Z0-9_]+")
++ (setq name (intern (match-string 0)))
++ (message "%s : %s" (car files) name)
++ (setq entry (list name)
++ find-gc-subrs-called
++ (cons entry find-gc-subrs-called)))
++ (if (looking-at ".*\n?.*\"\\([A-Za-z0-9_]+\\)\"")
++ (progn
++ (setq name (intern (match-string 1)))
++ (or (memq name (cdr entry))
++ (setcdr entry (cons name (cdr entry)))))))))))))
+
+ (defun trace-use-tree ()
+ (setq find-gc-subrs-callers (mapcar 'list (mapcar 'car find-gc-subrs-called)))
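Review bot: Inside the new `dolist` the progress message still reads `(message "%s : %s" (car files) name)`, but `files` is no longer advanced, so every line reports the first entry of `find-gc-source-files`; it should be `(message "%s : %s" file name)`. The exit status of the `gcc` `call-process` is also discarded and failure is inferred only from the number of `*.expand` matches, so a stale dump left in the source directory by an earlier run is reported as a compile error. Because the RTL dump is now written into `find-gc-source-directory` instead of /tmp, a comment on `trace-call-tree` should state that this directory is assumed to be writable only by the invoking user.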
diff --git a/emacs/23.4/18_all_browse-url-no-mosaic.patch b/emacs/23.4/18_all_browse-url-no-mosaic.patch
new file mode 100644
index 0000000..b6a8152
--- /dev/null
+++ b/emacs/23.4/18_all_browse-url-no-mosaic.patch
@@ -0,0 +1,124 @@
+Fix insecure use of temporary files.
+Gentoo patch: Remove obsolete browse-url-mosaic function completely.
+https://bugs.gentoo.org/509830
+CVE-2014-3423
+
+--- emacs-23.4-orig/lisp/net/browse-url.el
++++ emacs-23.4/lisp/net/browse-url.el
+@@ -40,7 +40,6 @@
+ ;; browse-url-galeon Galeon Don't know
+ ;; browse-url-epiphany Epiphany Don't know
+ ;; browse-url-netscape Netscape 1.1b1
+-;; browse-url-mosaic XMosaic/mMosaic <= 2.4
+ ;; browse-url-cci XMosaic 2.5
+ ;; browse-url-w3 w3 0
+ ;; browse-url-w3-gnudoit w3 remotely
+@@ -82,11 +81,7 @@
+ ;; include Chimera <URL:ftp://ftp.cs.unlv.edu/pub/chimera> and
+ ;; <URL:http://www.unlv.edu/chimera/>, Arena
+ ;; <URL:ftp://ftp.yggdrasil.com/pub/dist/web/arena> and Amaya
+-;; <URL:ftp://ftp.w3.org/pub/amaya>. mMosaic
+-;; <URL:ftp://ftp.enst.fr/pub/mbone/mMosaic/>,
+-;; <URL:http://www.enst.fr/~dauphin/mMosaic/> (with development
+-;; support for Java applets and multicast) can be used like Mosaic by
+-;; setting `browse-url-mosaic-program' appropriately.
++;; <URL:ftp://ftp.w3.org/pub/amaya>.
+
+ ;; I [Denis Howe, not Dave Love] recommend Nelson Minar
+ ;; <nelson@santafe.edu>'s excellent html-helper-mode.el for editing
+@@ -242,7 +237,6 @@
+ (function-item :tag "Galeon" :value browse-url-galeon)
+ (function-item :tag "Epiphany" :value browse-url-epiphany)
+ (function-item :tag "Netscape" :value browse-url-netscape)
+- (function-item :tag "Mosaic" :value browse-url-mosaic)
+ (function-item :tag "Mosaic using CCI" :value browse-url-cci)
+ (function-item :tag "Text browser in an xterm window"
+ :value browse-url-text-xterm)
+@@ -421,22 +415,6 @@
+ :type 'boolean
+ :group 'browse-url)
+
+-(defcustom browse-url-mosaic-program "xmosaic"
+- "The name by which to invoke Mosaic (or mMosaic)."
+- :type 'string
+- :version "20.3"
+- :group 'browse-url)
+-
+-(defcustom browse-url-mosaic-arguments nil
+- "A list of strings to pass to Mosaic as arguments."
+- :type '(repeat (string :tag "Argument"))
+- :group 'browse-url)
+-
+-(defcustom browse-url-mosaic-pidfile "~/.mosaicpid"
+- "The name of the pidfile created by Mosaic."
+- :type 'string
+- :group 'browse-url)
+-
+ (defcustom browse-url-filename-alist
+ `(("^/\\(ftp@\\|anonymous@\\)?\\([^:]+\\):/*" . "ftp://\\2/")
+ ;; The above loses the username to avoid the browser prompting for
+@@ -895,7 +873,6 @@
+ ((executable-find browse-url-galeon-program) 'browse-url-galeon)
+ ((executable-find browse-url-kde-program) 'browse-url-kde)
+ ((executable-find browse-url-netscape-program) 'browse-url-netscape)
+- ((executable-find browse-url-mosaic-program) 'browse-url-mosaic)
+ ((executable-find browse-url-xterm-program) 'browse-url-text-xterm)
+ ((locate-library "w3") 'browse-url-w3)
+ (t
+@@ -1212,56 +1189,6 @@
+ '("--newwin"))
+ (list "--raise" url))))
+
+-;; --- Mosaic ---
+-
+-;;;###autoload
+-(defun browse-url-mosaic (url &optional new-window)
+- "Ask the XMosaic WWW browser to load URL.
+-
+-Default to the URL around or before point. The strings in variable
+-`browse-url-mosaic-arguments' are also passed to Mosaic and the
+-program is invoked according to the variable
+-`browse-url-mosaic-program'.
+-
+-When called interactively, if variable `browse-url-new-window-flag' is
+-non-nil, load the document in a new Mosaic window, otherwise use a
+-random existing one. A non-nil interactive prefix argument reverses
+-the effect of `browse-url-new-window-flag'.
+-
+-When called non-interactively, optional second argument NEW-WINDOW is
+-used instead of `browse-url-new-window-flag'."
+- (interactive (browse-url-interactive-arg "Mosaic URL: "))
+- (let ((pidfile (expand-file-name browse-url-mosaic-pidfile))
+- pid)
+- (if (file-readable-p pidfile)
+- (save-excursion
+- (find-file pidfile)
+- (goto-char (point-min))
+- (setq pid (read (current-buffer)))
+- (kill-buffer nil)))
+- (if (and pid (zerop (signal-process pid 0))) ; Mosaic running
+- (save-excursion
+- (find-file (format "/tmp/Mosaic.%d" pid))
+- (erase-buffer)
+- (insert (if (browse-url-maybe-new-window new-window)
+- "newwin\n"
+- "goto\n")
+- url "\n")
+- (save-buffer)
+- (kill-buffer nil)
+- ;; Send signal SIGUSR to Mosaic
+- (message "Signaling Mosaic...")
+- (signal-process pid 'SIGUSR1)
+- ;; Or you could try:
+- ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid))
+- (message "Signaling Mosaic...done")
+- )
+- ;; Mosaic not running - start it
+- (message "Starting %s..." browse-url-mosaic-program)
+- (apply 'start-process "xmosaic" nil browse-url-mosaic-program
+- (append browse-url-mosaic-arguments (list url)))
+- (message "Starting %s...done" browse-url-mosaic-program))))
+-
+ ;; --- Mosaic using CCI ---
+
+ ;;;###autoload
diff --git a/emacs/23.4/19_all_tramp-tmpfile.patch b/emacs/23.4/19_all_tramp-tmpfile.patch
new file mode 100644
index 0000000..9eda3f9
--- /dev/null
+++ b/emacs/23.4/19_all_tramp-tmpfile.patch
@@ -0,0 +1,84 @@
+Fix insecure use of temporary files.
+Patch from upstream bzr, backported to Emacs 23.4.
+https://bugs.gentoo.org/509830
+CVE-2014-3424
+
+revno: 117071
+committer: Michael Albinus <michael.albinus@gmx.de>
+branch nick: emacs-24
+timestamp: Tue 2014-05-06 11:51:05 +0200
+message:
+ Fix Bug#17415.
+
+ * net/tramp-sh.el (tramp-uudecode): Replace the hard-coded temporary
+ file name by a format specifier.
+ (tramp-remote-coding-commands): Enhance docstring.
+ (tramp-find-inline-encoding): Replace "%t" by a temporary file name.
+
+--- emacs-23.4-orig/lisp/net/tramp.el
++++ emacs-23.4/lisp/net/tramp.el
+@@ -1687,9 +1687,9 @@
+ "Remote host for this *tramp* buffer.")
+
+ (defconst tramp-uudecode
+- "(echo begin 600 /tmp/tramp.$$; tail +2) | uudecode
+-cat /tmp/tramp.$$
+-rm -f /tmp/tramp.$$"
++ "(echo begin 600 %t; tail -n +2) | uudecode
++cat %t
++rm -f %t"
+ "Shell function to implement `uudecode' to standard output.
+ Many systems support `uudecode -o /dev/stdout' or `uudecode -o -'
+ for this or `uudecode -p', but some systems don't, and for them
+@@ -7173,7 +7173,7 @@
+
+ \(FORMAT ENCODING DECODING\)
+
+-FORMAT is symbol describing the encoding/decoding format. It can be
++FORMAT is a symbol describing the encoding/decoding format. It can be
+ `b64' for base64 encoding, `uu' for uu encoding, or `pack' for simple packing.
+
+ ENCODING and DECODING can be strings, giving commands, or symbols,
+@@ -7220,9 +7220,11 @@
+ specifier is not present, the input should be read from standard
+ input.
+
+-If they are variables, this variable is a string containing a Perl
+-implementation for this functionality. This Perl program will be transferred
+-to the remote host, and it is available as shell function with the same name.")
++If they are variables, this variable is a string containing a
++Perl or Shell implementation for this functionality. This
++program will be transferred to the remote host, and it is
++available as shell function with the same name. A \"%t\" format
++specifier in the variable value denotes a temporary file.")
+
+ (defun tramp-find-inline-encoding (vec)
+ "Find an inline transfer encoding that works.
+@@ -7286,10 +7288,25 @@
+ (throw 'wont-work-remote nil))
+
+ (when (not (stringp rem-dec))
+- (let ((name (symbol-name rem-dec)))
++ (let ((name (symbol-name rem-dec))
++ (value (symbol-value rem-dec))
++ tmpfile)
+ (while (string-match (regexp-quote "-") name)
+ (setq name (replace-match "_" nil t name)))
+- (tramp-maybe-send-script vec (symbol-value rem-dec) name)
++ (when (string-match "%t" value)
++ (setq tmpfile
++ (make-temp-name
++ (expand-file-name
++ tramp-temp-name-prefix
++ (tramp-get-remote-tmpdir vec)))
++ value
++ (format-spec
++ value
++ (format-spec-make
++ ?t
++ (tramp-file-name-handler
++ 'file-remote-p tmpfile 'localname)))))
++ (tramp-maybe-send-script vec value name)
+ (setq rem-dec name)))
+ (tramp-message
+ vec 5
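Review bot: `make-temp-name` only returns a name and does not create the file, so the `%t` path substituted in `tramp-find-inline-encoding` is still first created by `uudecode` in the remote temporary directory, with no exclusive-create step. The name also appears to be fixed once, when the script is sent through `tramp-maybe-send-script`, so every call of the shell function reuses the same path after `rm -f %t`; that is harder to predict than `/tmp/tramp.$$` but is not a safe creation. A comment such as `;; NOTE: %t is only an unpredictable name; the file is not created atomically on the remote host` should record this, and creating the file on the remote side (for example with `mktemp` where available) would close the gap. `format-spec` also rejects any other `%` sequence, so the `tramp-remote-coding-commands` docstring should say that a value using `%t` must write a literal percent as `%%`. The body of `tramp-find-inline-encoding` continues outside the inner hunk.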