

[pkgsrc/trunk]: pkgsrc/editors/emacs Fix two emacs vulnerabilities:



details:   https://anonhg.NetBSD.org/pkgsrc/rev/3a3ff72ec22b
branches:  trunk
changeset: 541998:3a3ff72ec22b
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Tue Apr 29 12:54:56 2008 +0000

description:
Fix two emacs vulnerabilities:
 - Fix unsafe handling of local variables in hack-local-variables
   (CVE-2007-5795).
 - Prevent symlink attack on arbitrary files using the temp files vcdiff
   generates (CVE-2008-1694).

diffstat:

 editors/emacs/Makefile         |   6 +++---
 editors/emacs/distinfo         |   4 +++-
 editors/emacs/patches/patch-ac |  15 +++++++++++++++
 editors/emacs/patches/patch-af |  37 +++++++++++++++++++++++++++++++++++++
 4 files changed, 58 insertions(+), 4 deletions(-)

diffs (104 lines):

diff -r 282012698c21 -r 3a3ff72ec22b editors/emacs/Makefile
--- a/editors/emacs/Makefile    Tue Apr 29 12:35:33 2008 +0000
+++ b/editors/emacs/Makefile    Tue Apr 29 12:54:56 2008 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.107 2008/04/25 16:35:32 jlam Exp $
+# $NetBSD: Makefile,v 1.108 2008/04/29 12:54:56 tonnerre Exp $
 
 PKGNAME?=      ${DISTNAME}
 COMMENT?=      GNU editing macros (editor)
 
 DISTNAME=      emacs-22.1
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    editors
 MASTER_SITES=  ${MASTER_SITE_GNU:=emacs/}
 
@@ -18,7 +18,7 @@
 
 PKG_DESTDIR_SUPPORT=   user-destdir
 
-USE_TOOLS+=            gmake gzip perl:run pkg-config
+USE_TOOLS+=            gmake gzip mktemp:run perl:run pkg-config
 GNU_CONFIGURE=         yes
 INFO_FILES=            # PLIST
 
diff -r 282012698c21 -r 3a3ff72ec22b editors/emacs/distinfo
--- a/editors/emacs/distinfo    Tue Apr 29 12:35:33 2008 +0000
+++ b/editors/emacs/distinfo    Tue Apr 29 12:54:56 2008 +0000
@@ -1,12 +1,14 @@
-$NetBSD: distinfo,v 1.35 2007/06/11 13:57:16 markd Exp $
+$NetBSD: distinfo,v 1.36 2008/04/29 12:54:56 tonnerre Exp $
 
 SHA1 (emacs-22.1.tar.gz) = 327664173eabe5db49d4e7e4a4b1794577af902e
 RMD160 (emacs-22.1.tar.gz) = da5360871db8b1d473ff7f0b0937ee6c278c0b19
 Size (emacs-22.1.tar.gz) = 38172226 bytes
 SHA1 (patch-aa) = d7ae318f2140dbd8f796bfcbb48f299fe6bf2d81
 SHA1 (patch-ab) = 0e022290d305fd73ab7aa633f955fca10ac70799
+SHA1 (patch-ac) = 1fc45d38f879c2ae7287bc7f7a9cb868e2db74d8
 SHA1 (patch-ad) = 39a11bc214ae3d2f9d634c30b196a46d473ab92f
 SHA1 (patch-ae) = 30a31df58bbcae854ded212ad42bde5b855a7318
+SHA1 (patch-af) = 9b2b8c5dfe1b2dc9ca76587cdb323272f8cb103e
 SHA1 (patch-aj) = 7707c5f8bb57bbacbd1d3c6f37a34916baacc363
 SHA1 (patch-ak) = ef0bf533754e5392c419c251aac8278b5e90b438
 SHA1 (patch-am) = 4e068210bcbea638d143bd9fb566795636d77b35
diff -r 282012698c21 -r 3a3ff72ec22b editors/emacs/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/editors/emacs/patches/patch-ac    Tue Apr 29 12:54:56 2008 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-ac,v 1.16 2008/04/29 12:54:56 tonnerre Exp $
+
+--- lisp/files.el.orig 2007-05-25 13:43:31.000000000 +0100
++++ lisp/files.el      2008-04-29 12:41:52.000000000 +0100
+@@ -2736,8 +2736,8 @@
+               ;; If caller wants only the safe variables,
+               ;; install only them.
+               (dolist (elt result)
+-                (unless (or (memq (car elt) unsafe-vars)
+-                            (memq (car elt) risky-vars))
++                (unless (or (member elt unsafe-vars)
++                            (member elt risky-vars))
+                   (hack-one-local-variable (car elt) (cdr elt))))
+             ;; Query, except in the case where all are known safe
+             ;; if the user wants no quuery in that case.
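Review bot: The new `member` tests are only correct if `unsafe-vars` and `risky-vars` are built from the same (VAR . VAL) conses that populate `result`; nothing in the hunk states that invariant, and the old `memq (car elt)` form shows how easily a reader could revert to comparing bare symbols, which is what let every variable through before. A one-line comment above the `dolist` would pin it down: `;; unsafe-vars and risky-vars hold whole (VAR . VAL) pairs, so compare the pair with `member', not just VAR with `memq'.` The comparison presumably relies on `equal` matching the value part too, so a variable listed as unsafe with one value is not rejected when it appears with another — confirm that is the intended semantics. The enclosing `hack-local-variables` body starts and ends outside the hunk.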
diff -r 282012698c21 -r 3a3ff72ec22b editors/emacs/patches/patch-af
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/editors/emacs/patches/patch-af    Tue Apr 29 12:54:56 2008 +0000
@@ -0,0 +1,37 @@
+$NetBSD: patch-af,v 1.11 2008/04/29 12:54:56 tonnerre Exp $
+
+--- lib-src/vcdiff.orig        2007-01-21 04:49:26.000000000 +0000
++++ lib-src/vcdiff     2008-04-29 12:48:03.000000000 +0100
+@@ -4,13 +4,13 @@
+ # This version is more compatible with rcsdiff(1).
+ #
+ # Copyright (C) 1992, 1993, 1995, 1997, 2001, 2002, 2003, 2004,
+-#               2005, 2006, 2007 Free Software Foundation, Inc.
++#               2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+ #
+ # This file is part of GNU Emacs.
+ #
+ # GNU Emacs is free software; you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 2, or (at your option)
++# the Free Software Foundation; either version 3, or (at your option)
+ # any later version.
+ #
+ # GNU Emacs is distributed in the hope that it will be useful,
+@@ -84,14 +84,14 @@
+       case $f in
+       s.* | */s.*)
+               if
+-                      rev1=/tmp/geta$$
++                      rev1=`mktemp /tmp/geta.XXXXXXXX`
+                       get -s -p -k $sid1 "$f" > $rev1 &&
+                       case $sid2 in
+                       '')
+                               workfile=`expr " /$f" : '.*/s.\(.*\)'`
+                               ;;
+                       *)
+-                              rev2=/tmp/getb$$
++                              rev2=`mktemp /tmp/getb.XXXXXXXX`
+                               get -s -p -k $sid2 "$f" > $rev2
+                               workfile=$rev2
+                       esac
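Review bot: The mktemp result is never checked: each `rev1=`/`rev2=` assignment is a standalone command inside the `if` list, so if mktemp fails (unwritable `/tmp`, exhausted templates) the variable is empty and `get -s -p -k $sid1 "$f" > $rev1` runs with a missing redirection target, which defeats the point of the fix. Appending ` &&` to the two assignment lines and quoting the targets, `> "$rev1"` and `> "$rev2"`, makes a failed mktemp abort the `if` instead. Using `${TMPDIR:-/tmp}` rather than a hard-coded `/tmp` would also follow the usual convention for temp files. Whatever removes these files (the old predictable `/tmp/geta$$` and `/tmp/getb$$` names) is outside the hunk; confirm it deletes `$rev1`/`$rev2` and not the old fixed paths, or the random-named files will be left behind. The enclosing `case` and `if` begin and end outside the hunk.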


