CVE-2014-3421 CVE-2014-3422 CVE-2014-3423 CVE-2014-3424 (#1095587)

2014-05-20 09:56:48 +02:00 · 2014-05-20 09:56:48 +02:00 · c88b79f163
commit c88b79f163
parent c6ebceb62c
5 changed files with 252 additions and 6 deletions
--- a/emacs-CVE-2014-3421.patch
+++ b/emacs-CVE-2014-3421.patch
@ -0,0 +1,30 @@
+diff --git a/lisp/gnus/gnus-fun.el b/lisp/gnus/gnus-fun.el
+index 1c9b4ce..6d43d23 100644
+--- a/lisp/gnus/gnus-fun.el
+++ b/lisp/gnus/gnus-fun.el
+@@ -250,20 +250,21 @@ colors of the displayed X-Faces."
+   (interactive)
+   (shell-command "xawtv-remote snap ppm")
+   (let ((file nil)
+    (tempfile (make-temp-file "gnus-face-" nil "*.ppm"))
+ 	result)
+     (while (null (setq file (directory-files "/tftpboot/sparky/tmp"
+ 					     t "snap.*ppm")))
+       (sleep-for 1))
+     (setq file (car file))
+     (shell-command
+-     (format "pnmcut -left 110 -top 30 -width 144 -height 144 '%s' | pnmscale -width 48 -height 48 | ppmtopgm > /tmp/gnus.face.ppm"
+-	     file))
+     (format "pnmcut -left 110 -top 30 -width 144 -height 144 '%s' | pnmscale -width 48 -height 48 | ppmtopgm >> %s"
+	     file tempfile))
+     (let ((gnus-convert-image-to-face-command
+ 	   (format "cat '%%s' | ppmquant %%d | ppmchange %s | pnmtopng"
+ 		   (gnus-fun-ppm-change-string))))
+-      (setq result (gnus-face-from-file "/tmp/gnus.face.ppm")))
+      (setq result (gnus-face-from-file tempfile)))
+     (delete-file file)
+-    ;;(delete-file "/tmp/gnus.face.ppm")
+    ;;(delete-file tempfile)
+     result))
+ 
+ (defun gnus-fun-ppm-change-string ()
--- a/emacs-CVE-2014-3422.patch
+++ b/emacs-CVE-2014-3422.patch
@ -0,0 +1,119 @@
+diff --git a/lisp/emacs-lisp/find-gc.el b/lisp/emacs-lisp/find-gc.el
+index 82b3e94..6bdb09d 100644
+--- a/lisp/emacs-lisp/find-gc.el
+++ b/lisp/emacs-lisp/find-gc.el
+@@ -23,14 +23,15 @@
+ 
+ ;; Produce in find-gc-unsafe-list the set of all functions that may invoke GC.
+ ;; This expects the Emacs sources to live in find-gc-source-directory.
+-;; It creates a temporary working directory /tmp/esrc.
+ 
+ ;;; Code:
+ 
+ (defvar find-gc-unsafe-list nil
+   "The list of unsafe functions is placed here by `find-gc-unsafe'.")
+ 
+-(defvar find-gc-source-directory)
+(defvar find-gc-source-directory
+  (file-name-as-directory (expand-file-name "src" source-directory))
+  "Directory containing Emacs C sources.")
+ 
+ (defvar find-gc-subrs-callers nil
+   "Alist of users of subrs, from GC testing.
+@@ -59,14 +60,14 @@ Each entry has the form (FUNCTION . FUNCTIONS-IT-CALLS).")
+     "indent.c" "search.c" "regex.c" "undo.c"
+     "alloc.c" "data.c" "doc.c" "editfns.c"
+     "callint.c" "eval.c" "fns.c" "print.c" "lread.c"
+-    "abbrev.c" "syntax.c" "unexcoff.c"
+    "syntax.c" "unexcoff.c"
+     "bytecode.c" "process.c" "callproc.c" "doprnt.c"
+-    "x11term.c" "x11fns.c"))
+    "xterm.c" "x11fns.c"))
+ 
+ 
+ (defun find-gc-unsafe ()
+   "Return a list of unsafe functions--that is, which can call GC.
+-Also store it in `find-gc-unsafe'."
+Also store it in `find-gc-unsafe-list'."
+   (trace-call-tree nil)
+   (trace-use-tree)
+   (find-unsafe-funcs 'Fgarbage_collect)
+@@ -102,47 +103,38 @@ Also store it in `find-gc-unsafe'."
+ 
+ 
+ 
+-(defun trace-call-tree (&optional already-setup)
+(defun trace-call-tree (&optional ignored)
+   (message "Setting up directories...")
+-  (or already-setup
+-      (progn
+-	;; Gee, wouldn't a built-in "system" function be handy here.
+-	(call-process "csh" nil nil nil "-c" "rm -rf /tmp/esrc")
+-	(call-process "csh" nil nil nil "-c" "mkdir /tmp/esrc")
+-	(call-process "csh" nil nil nil "-c"
+-		      (format "ln -s %s/*.[ch] /tmp/esrc"
+-			      find-gc-source-directory))))
+-  (with-current-buffer (get-buffer-create "*Trace Call Tree*")
+-    (setq find-gc-subrs-called nil)
+-    (let ((case-fold-search nil)
+-	  (files find-gc-source-files)
+-	  name entry)
+-      (while files
+-	(message "Compiling %s..." (car files))
+-	(call-process "csh" nil nil nil "-c"
+-		      (format "gcc -dr -c /tmp/esrc/%s -o /dev/null"
+-			      (car files)))
+-	(erase-buffer)
+-	(insert-file-contents (concat "/tmp/esrc/" (car files) ".rtl"))
+-	(while (re-search-forward ";; Function \\|(call_insn " nil t)
+-	  (if (= (char-after (- (point) 3)) ?o)
+-	      (progn
+-		(looking-at "[a-zA-Z0-9_]+")
+-		(setq name (intern (buffer-substring (match-beginning 0)
+-						     (match-end 0))))
+-		(message "%s : %s" (car files) name)
+-		(setq entry (list name)
+-		      find-gc-subrs-called (cons entry find-gc-subrs-called)))
+-	    (if (looking-at ".*\n?.*\"\\([A-Za-z0-9_]+\\)\"")
+-		(progn
+-		  (setq name (intern (buffer-substring (match-beginning 1)
+-						       (match-end 1))))
+-		  (or (memq name (cdr entry))
+-		      (setcdr entry (cons name (cdr entry))))))))
+-	(delete-file (concat "/tmp/esrc/" (car files) ".rtl"))
+-	(setq files (cdr files)))))
+-)
+-
+  (setq find-gc-subrs-called nil)
+  (let ((case-fold-search nil)
+       (default-directory find-gc-source-directory)
+       (files find-gc-source-files)
+       name entry rtlfile)
+    (dolist (file files)
+      (message "Compiling %s..." file)
+      (call-process "gcc" nil nil nil "-I" "." "-I" "../lib"
+                   "-fdump-rtl-expand" "-o" null-device "-c" file)
+      (setq rtlfile
+           (file-expand-wildcards (format "%s.*.expand" file) t))
+      (if (/= 1 (length rtlfile))
+         (message "Error compiling `%s'?" file)
+       (with-temp-buffer
+         (insert-file-contents (setq rtlfile (car rtlfile)))
+         (delete-file rtlfile)
+         (while (re-search-forward ";; Function \\|(call_insn " nil t)
+           (if (= (char-after (- (point) 3)) ?o)
+            (progn
+                 (looking-at "[a-zA-Z0-9_]+")
+                 (setq name (intern (match-string 0)))
+                 (message "%s : %s" (car files) name)
+                 (setq entry (list name)
+                       find-gc-subrs-called
+                       (cons entry find-gc-subrs-called)))
+             (if (looking-at ".*\n?.*\"\\([A-Za-z0-9_]+\\)\"")
+                 (progn
+                   (setq name (intern (match-string 1)))
+                   (or (memq name (cdr entry))
+                       (setcdr entry (cons name (cdr entry)))))))))))))
+ 
+ (defun trace-use-tree ()
+   (setq find-gc-subrs-callers (mapcar 'list (mapcar 'car find-gc-subrs-called)))
--- a/emacs-CVE-2014-3423.patch
+++ b/emacs-CVE-2014-3423.patch
@ -0,0 +1,16 @@
+diff --git a/lisp/net/browse-url.el b/lisp/net/browse-url.el
+index 19e513a..1a28e26 100644
+--- a/lisp/net/browse-url.el
+++ b/lisp/net/browse-url.el
+@@ -1335,7 +1335,10 @@ used instead of `browse-url-new-window-flag'."
+ 	  (kill-buffer nil)))
+     (if (and pid (zerop (signal-process pid 0))) ; Mosaic running
+ 	(save-excursion
+-	  (find-file (format "/tmp/Mosaic.%d" pid))
+         ;; This is a predictable temp-file name, which is bad,
+         ;; but it is what Mosaic uses/used.
+         ;; So it's not Emacs's problem.  http://bugs.debian.org/747100
+         (find-file (format "/tmp/Mosaic.%d" pid))
+ 	  (erase-buffer)
+ 	  (insert (if (browse-url-maybe-new-window new-window)
+ 		      "newwin\n"
--- a/emacs-CVE-2014-3424.patch
+++ b/emacs-CVE-2014-3424.patch
@ -0,0 +1,70 @@
+diff --git a/lisp/net/tramp-sh.el b/lisp/net/tramp-sh.el
+index 29a6344..f6c6710 100644
+--- a/lisp/net/tramp-sh.el
+++ b/lisp/net/tramp-sh.el
+@@ -605,9 +605,9 @@ This list is used for copying/renaming with out-of-band methods.
+ See `tramp-actions-before-shell' for more info.")
+ 
+ (defconst tramp-uudecode
+-  "(echo begin 600 /tmp/tramp.$$; tail +2) | uudecode
+-cat /tmp/tramp.$$
+-rm -f /tmp/tramp.$$"
+  "(echo begin 600 %t; tail +2) | uudecode
+cat %t
+rm -f %t"
+   "Shell function to implement `uudecode' to standard output.
+ Many systems support `uudecode -o /dev/stdout' or `uudecode -o -'
+ for this or `uudecode -p', but some systems don't, and for them
+@@ -3938,7 +3938,7 @@ Each item is a list that looks like this:
+ 
+ \(FORMAT ENCODING DECODING [TEST]\)
+ 
+-FORMAT is  symbol describing the encoding/decoding format.  It can be
+FORMAT is a symbol describing the encoding/decoding format.  It can be
+ `b64' for base64 encoding, `uu' for uu encoding, or `pack' for simple packing.
+ 
+ ENCODING and DECODING can be strings, giving commands, or symbols,
+@@ -3948,9 +3948,11 @@ filename will be put into the command line at that spot.  If the
+ specifier is not present, the input should be read from standard
+ input.
+ 
+-If they are variables, this variable is a string containing a Perl
+-implementation for this functionality.  This Perl program will be transferred
+-to the remote host, and it is available as shell function with the same name.
+If they are variables, this variable is a string containing a
+Perl or Shell implementation for this functionality.  This
+program will be transferred to the remote host, and it is
+available as shell function with the same name. A \"%t\" format
+specifier in the variable value denotes a temporary file
+ 
+ The optional TEST command can be used for further tests, whether
+ ENCODING and DECODING are applicable.")
+@@ -4025,10 +4027,25 @@ Goes through the list `tramp-local-coding-commands' and
+ 		    (throw 'wont-work-remote nil))
+ 
+ 		  (when (not (stringp rem-dec))
+-		    (let ((name (symbol-name rem-dec)))
+		    (let ((name (symbol-name rem-dec))
+                  (value (symbol-value rem-dec))
+                  tmpfile)
+ 		      (while (string-match (regexp-quote "-") name)
+-			(setq name (replace-match "_" nil t name)))
+-		      (tramp-maybe-send-script vec (symbol-value rem-dec) name)
+		        (setq name (replace-match "_" nil t name)))
+                (when (string-match "%t" value)
+                    (setq tmpfile
+                         (make-temp-name
+                          (expand-file-name
+                           tramp-temp-name-prefix
+                           (tramp-get-remote-tmpdir vec)))
+                         value
+                         (format-spec
+                          value
+                          (format-spec-make
+                           ?t
+                           (tramp-file-name-handler
+                            'file-remote-p tmpfile 'localname)))))
+                (tramp-maybe-send-script vec value name)
+ 		      (setq rem-dec name)))
+ 		  (tramp-message
+ 		   vec 5
--- a/emacs.spec
+++ b/emacs.spec
@ -3,7 +3,7 @@ Summary: GNU Emacs text editor
 Name: emacs
 Epoch: 1
 Version: 24.3
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: GPLv3+
 URL: http://www.gnu.org/software/emacs/
 Group: Applications/Editors
@ -32,9 +32,14 @@ Patch14: emacs-maximized.patch
 # Fix for default PDF viewer bug #971162
 Patch15: emacs-pdf-default.patch
 # Fix for emacs bug #13460.
-Patch100: emacs-24.3-hunspell.patch
+Patch16: emacs-24.3-hunspell.patch
 # Fix for emacs bug #827033
-Patch101: emacs-24.3-hunspell.2.patch
+Patch17: emacs-24.3-hunspell.2.patch
+# Several CVE fixes
+Patch18: emacs-CVE-2014-3421.patch
+Patch19: emacs-CVE-2014-3422.patch
+Patch20: emacs-CVE-2014-3423.patch
+Patch21: emacs-CVE-2014-3424.patch

 BuildRequires: atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel glibc-devel libpng-devel
 BuildRequires: libjpeg-devel libtiff-devel libX11-devel libXau-devel libXdmcp-devel libXrender-devel libXt-devel
@ -177,9 +182,12 @@ packages that add functionality to Emacs.
 %patch13 -p1 -b .help-update.patch
 %patch14 -p1 -b .maximized.patch
 %patch15 -p1 -b .pdf-default.patch
-
-%patch100 -p1 -b .hunspell
-%patch101 -p1 -b .hunspell.2
+%patch16 -p1 -b .hunspell
+%patch17 -p1 -b .hunspell.2
+%patch18 -p1 -b .CVE-2014-3421.patch
+%patch19 -p1 -b .CVE-2014-3422.patch
+%patch20 -p1 -b .CVE-2014-3423.patch
+%patch21 -p1 -b .CVE-2014-3424.patch

 # We prefer our emacs.desktop file
 cp %SOURCE1 etc/emacs.desktop
@ -462,6 +470,9 @@ update-desktop-database &> /dev/null || :
 %dir %{_datadir}/emacs/site-lisp/site-start.d

 %changelog
+* Tue May 20 2014 Petr Hracek <phracek@redhat.com> - 1:24.3-17
+- CVE-2014-3421 CVE-2014-3422 CVE-2014-3423 CVE-2014-3424 (#1095587)
+
 * Thu Apr 17 2014 Petr Hracek <phracek@redhat.com> - 1:24.3-16
 - Info files are not installed (#1062792)