Hello community, here is the log from the commit of package emacs for openSUSE:11.3 checked in at Wed May 11 15:06:43 CEST 2011.
--------
--- old-versions/11.3/all/emacs/emacs.changes 2010-05-20 12:44:58.000000000 +0200
+++ 11.3/emacs/emacs.changes 2011-05-11 12:32:35.000000000 +0200
@@ -1,0 +2,5 @@
+Wed May 11 10:29:44 UTC 2011 - [email protected]
+
+- Fix temporary file vulnerability (bnc#642787)
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.3/all/emacs Destination is old-versions/11.3/UPDATES/all/emacs calling whatdependson for 11.3-i586 New: ---- emacs-23.1-rst.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ emacs.spec ++++++
--- /var/tmp/diff_new_pack.Q6iCvk/_old 2011-05-11 15:06:03.000000000 +0200
+++ /var/tmp/diff_new_pack.Q6iCvk/_new 2011-05-11 15:06:03.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package emacs (Version 23.1)
+# spec file for package emacs
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@
 License: GPLv2+
 Group: Productivity/Editors/Emacs
 Version: 23.1
-Release: 14
+Release: 19.<RELEASE2>
 Obsoletes: ge_exec ge_site emac_nox emacmisc emacsbin emacsger emacs-url Mule-UCS emacs-calc erc
 Requires: emacs-info = %{version}
 Requires: emacs_program = %{version}-%{release}
@@ -61,6 +61,7 @@
 Patch19: emacs-23.1-fix_cpp.patch
 Patch20: emacs-23.1-gcc45.dif
 Patch21: emacs-23.1-png_sig_cmp.patch
+Patch23: emacs-23.1-rst.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %global bug_345669 0
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)}
@@ -255,6 +256,7 @@ fi %patch20 -p0 -b .gcc45 %patch21 +%patch23 %build CC=gcc-4.3 ++++++ emacs-23.1-rst.patch ++++++ Description: Patch to fix temporary file vulnerability My approach is based on the premise that the make-temp-file function provided from Emacs 22 onwards is safe. So, I backport the method to the rst.el file, and bind it to the symbol rst--make-temp-file as follows: - If the Emacs version is less than 22, use this custom version. This works on Emacs 21, I tested it. - If the Emacs version is 22 or more, bind rst--make-temp-file to the make-temp-file provided in the Emacs Lisp libraries. I don't see a solution for removing the temporary files, though. I am no expert on security or Emacs Lisp, but I hope this patch provides a start. Author: Kumar Appaiah <[email protected]> Adopted due to bug bnc#642787 for emacs 23.1 by Werner Fink <[email protected]> --- rst.el | 48 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) --- lisp/textmodes/rst.el +++ lisp/textmodes/rst.el 2010-10-06 09:50:28.779926181 +0000 
@@ -3297,10 +3297,54 @@ or of the entire buffer, if the region i (defvar rst-pdf-program "xpdf" "Program used to preview PDF files.") +(if (> emacs-major-version 22) + (defalias 'rst--make-temp-file 'make-temp-file) + (defvar temporary-file-directory) + (defun rst--make-temp-file (prefix &optional dir-flag suffix) + "Create a temporary file. +The returned file name (created by appending some random characters at the end +of PREFIX, and expanding against `temporary-file-directory' if necessary), +is guaranteed to point to a newly created empty file. +You can then use `write-region' to write new data into the file. + +If DIR-FLAG is non-nil, create a new empty directory instead of a file. + +If SUFFIX is non-nil, add that at the end of the file name." + (let ((umask (default-file-modes)) + file) + (unwind-protect + (progn + ;; Create temp files with strict access rights. It's easy to + ;; loosen them later, whereas it's impossible to close the + ;; time-window of loose permissions otherwise. + (set-default-file-modes ?\700) + (while (condition-case () + (progn + (setq file + (make-temp-name + (if (zerop (length prefix)) + (file-name-as-directory + temporary-file-directory) + (expand-file-name prefix + temporary-file-directory)))) + (if suffix + (setq file (concat file suffix))) + (if dir-flag + (make-directory file) + (write-region "" nil file nil 'silent nil 'excl)) + nil) + (file-already-exists t)) + ;; the file was somehow created by someone else between + ;; `make-temp-name' and `write-region', let's try again. + nil) + file) + ;; Reset the umask. + (set-default-file-modes umask))))) + (defun rst-compile-pdf-preview () "Convert the document to a PDF file and launch a preview program." (interactive) - (let* ((tmp-filename "/tmp/out.pdf") + (let* ((tmp-filename (rst--make-temp-file "rst" nil ".pdf")) (command (format "rst2pdf.py %s %s && %s %s" buffer-file-name tmp-filename rst-pdf-program tmp-filename))) 
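Review bot: The new temporary path is still spliced unquoted into the shell command in `(command (format "rst2pdf.py %s %s && %s %s" buffer-file-name tmp-filename rst-pdf-program tmp-filename))`, and unlike the old fixed `/tmp/out.pdf` it is now derived from `temporary-file-directory`, which follows the user's TMPDIR, so a directory containing spaces or shell metacharacters breaks or alters the command (`buffer-file-name` has always had the same exposure). Quoting each path closes this: `(shell-quote-argument buffer-file-name) (shell-quote-argument tmp-filename) rst-pdf-program (shell-quote-argument tmp-filename)` as the format arguments. The backport is selected with `(> emacs-major-version 22)`, while the patch description states the built-in `make-temp-file` is safe from Emacs 22 onward; `>=` would match that premise, although in an Emacs 23.1 package the backport branch is never taken either way. The file is never removed after the preview; because it is created with mode 0600 via the `excl` write this is presumably a disk-space leak rather than a disclosure, but whether rst2pdf.py preserves that mode when it rewrites the file should be confirmed. The body of `rst-compile-pdf-preview` continues past the end of the hunk.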
@@ -3315,7 +3359,7 @@ or of the entire buffer, if the region i (defun rst-compile-slides-preview () "Convert the document to an S5 slide presentation and launch a preview program." (interactive) - (let* ((tmp-filename "/tmp/slides.html") + (let* ((tmp-filename (rst--make-temp-file "rst" nil ".html")) (command (format "rst2s5.py %s %s && %s %s" buffer-file-name tmp-filename rst-slides-program tmp-filename))) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
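Review bot: The temporary path returned by `rst--make-temp-file` is interpolated unquoted into `(command (format "rst2s5.py %s %s && %s %s" buffer-file-name tmp-filename rst-slides-program tmp-filename))`, so a `temporary-file-directory` (or source file name) containing spaces or shell metacharacters breaks the command or lets part of the path be interpreted by the shell, an exposure the old fixed `/tmp/slides.html` did not have. Pass `(shell-quote-argument buffer-file-name)`, `(shell-quote-argument tmp-filename)` and `(shell-quote-argument tmp-filename)` for the three path arguments instead. As with the PDF preview, the `.html` file is created but never deleted, which the patch description acknowledges. The body of `rst-compile-slides-preview` continues outside the hunk.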
