diff --git a/.cvsignore b/.cvsignore
index 11a8f06..2862644 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-emacs-23.1.94.tar.gz
+emacs-23.1.96.tar.gz
diff --git a/emacs-23.1-movemail.patch b/emacs-23.1-movemail.patch
deleted file mode 100644
index 229d294..0000000
--- a/emacs-23.1-movemail.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-diff -up emacs-23.1/lib-src/movemail.c.movemail emacs-23.1/lib-src/movemail.c
---- emacs-23.1/lib-src/movemail.c.movemail 2010-03-31 19:18:05.611899443 +0200
-+++ emacs-23.1/lib-src/movemail.c 2010-03-31 19:24:29.738754553 +0200
-@@ -176,7 +176,9 @@ main (argc, argv)
- int nread;
- int status;
- int c, preserve_mail = 0;
--
-+ uid_t real_gid, priv_gid;
-+ real_gid = getgid();
-+ priv_gid = getegid();
- #ifndef MAIL_USE_SYSTEM_LOCK
- struct stat st;
- long now;
-@@ -247,25 +249,6 @@ main (argc, argv)
- if (*outname == 0)
- fatal ("Destination file name is empty", 0, 0);
- 
-- /* Check access to output file. */
-- if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0)
-- pfatal_with_name (outname);
--
-- /* Also check that outname's directory is writable to the real uid. */
-- {
-- char *buf = (char *) xmalloc (strlen (outname) + 1);
-- char *p;
-- strcpy (buf, outname);
-- p = buf + strlen (buf);
-- while (p > buf && !IS_DIRECTORY_SEP (p[-1]))
-- *--p = 0;
-- if (p == buf)
-- *p++ = '.';
-- if (access (buf, W_OK) != 0)
-- pfatal_with_name (buf);
-- free (buf);
-- }
--
- #ifdef MAIL_USE_POP
- if (!strncmp (inname, "po:", 3))
- {
-@@ -277,15 +260,11 @@ main (argc, argv)
- exit (status);
- }
- 
-- setuid (getuid ());
-+ if (setuid (getuid ()) < 0)
-+ fatal ("Failed to drop privileges", 0, 0);
- #endif /* MAIL_USE_POP */
- 
- #ifndef DISABLE_DIRECT_ACCESS
--
-- /* Check access to input file. */
-- if (access (inname, R_OK | W_OK) != 0)
-- pfatal_with_name (inname);
--
- #ifndef MAIL_USE_MMDF
- #ifndef MAIL_USE_SYSTEM_LOCK
- #ifdef MAIL_USE_MAILLOCK
-@@ -379,7 +358,8 @@ main (argc, argv)
- time_t touched_lock, now;
- #endif
- 
-- setuid (getuid ());
-+ if (setuid (getuid ()) < 0 || setegid (real_gid) < 0)
-+ fatal("Failed to drop privileges", 0, 0);
- 
- #ifndef MAIL_USE_MMDF
- #ifdef MAIL_USE_SYSTEM_LOCK
-@@ -405,6 +385,9 @@ main (argc, argv)
- if (outdesc < 0)
- pfatal_with_name (outname);
- 
-+ if (setegid (priv_gid) < 0)
-+ fatal("Failed to regain privileges", 0, 0);
-+
- /* This label exists so we can retry locking
- after a delay, if it got EAGAIN or EBUSY. */
- retry_lock:
-@@ -502,6 +485,10 @@ main (argc, argv)
- if (close (outdesc) != 0)
- pfatal_and_delete (outname);
- 
-+ /* Prevent symlink attacks truncating other users' mailboxes */
-+ if (setegid (real_gid) < 0)
-+ fatal("Failed to drop privileges", 0, 0);
-+
- #ifdef MAIL_USE_SYSTEM_LOCK
- if (! preserve_mail)
- {
-@@ -529,6 +516,10 @@ main (argc, argv)
- }
- #endif /* not MAIL_USE_SYSTEM_LOCK */
- 
-+ /* End of mailbox truncation */
-+ if (setegid (priv_gid) < 0)
-+ fatal("Failed to regain privileges", 0, 0);
-+
- #ifdef MAIL_USE_MAILLOCK
- /* This has to occur in the child, i.e., in the process that
- acquired the lock! */
diff --git a/emacs.spec b/emacs.spec
index 375a91a..e24399e 100644
--- a/emacs.spec
+++ b/emacs.spec
@@ -3,8 +3,8 @@
 Summary: GNU Emacs text editor
 Name: emacs
 Epoch: 1
-Version: 23.1.94
-Release: 6%{?dist}
+Version: 23.1.96
+Release: 1%{?dist}
 License: GPLv3+
 URL: http://www.gnu.org/software/emacs/
 Group: Applications/Editors
@@ -29,10 +29,6 @@ Patch2: po-mode-auto-replace-date-71264.patch Patch3: rpm-spec-mode-utc.patch Patch4: emacs-23.1-xdg.patch -# Fix https://bugzilla.redhat.com/show_bug.cgi?id=578272 -# CVE-2010-0825 -Patch5: emacs-23.1-movemail.patch - BuildRequires: atk-devel, cairo-devel, desktop-file-utils, freetype-devel, fontconfig-devel, dbus-devel, giflib-devel, glibc-devel, gtk2-devel, libpng-devel BuildRequires: libjpeg-devel, libtiff-devel, libX11-devel, libXau-devel, libXdmcp-devel, libXrender-devel, libXt-devel BuildRequires: libXpm-devel, ncurses-devel, xorg-x11-proto-devel, zlib-devel @@ -144,8 +140,6 @@ pushd site-lisp %patch3 -p0 popd -%patch5 -p1 - # we prefer our emacs.desktop file cp %SOURCE1 etc/emacs.desktop @@ -397,6 +391,10 @@ alternatives --install %{_bindir}/etags emacs.etags %{_bindir}/etags.emacs 80 \ %dir %{_datadir}/emacs/%{version} %changelog +* Tue Apr 20 2010 Karel Klic - 1:23.1.96-1 +- Updated to the newest prerelease +- Remove -movemail patch as it has been merged by upstream + * Thu Apr 1 2010 Jonathan G. Underwood - 1:23.1.94-6 - Add patch to fix RHBZ #578272 - security vulnerability with movemail (CVE-2010-0825) diff --git a/sources b/sources index 28707dc..4846e5a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -cacd29cf682e0c2ac8635b86e1526f1b emacs-23.1.94.tar.gz +25b607668980a96f563ce6be12a6d353 emacs-23.1.96.tar.gz