diff -u xemacs21-21.4.22/debian/control xemacs21-21.4.22/debian/control --- xemacs21-21.4.22/debian/control +++ xemacs21-21.4.22/debian/control @@ -1,7 +1,7 @@ Source: xemacs21 Section: editors Priority: optional -Maintainer: Ubuntu MOTU Developers +Maintainer: Ubuntu Developers XSBC-Original-Maintainer: OHURA Makoto Standards-Version: 3.8.4 Build-Depends: autotools-dev, texinfo, libcanna1g-dev, libwnn6-dev, libjpeg62-dev, libncurses5-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, texi2html, debhelper (>> 5.0.0), libldap2-dev, libdb-dev, libpam0g-dev, libcompfaceg1-dev, libx11-dev, libxau-dev, libxext-dev, libxmu-dev, libxpm-dev, libxt-dev, xbitmaps, xcursor-themes, libxaw7-dev, autoconf2.13, libesd0-dev, dpatch (>= 1.11), libgpm-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64] diff -u xemacs21-21.4.22/debian/control.in xemacs21-21.4.22/debian/control.in --- xemacs21-21.4.22/debian/control.in +++ xemacs21-21.4.22/debian/control.in @@ -1,7 +1,7 @@ Source: xemacs@MAJVERSION@ Section: editors Priority: optional -Maintainer: Ubuntu MOTU Developers +Maintainer: Ubuntu Developers XSBC-Original-Maintainer: OHURA Makoto Standards-Version: 3.8.4 Build-Depends: autotools-dev, texinfo, libcanna1g-dev, libwnn6-dev, libjpeg62-dev, libncurses5-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, texi2html, debhelper (>> 5.0.0), libldap2-dev, libdb-dev, libpam0g-dev, libcompfaceg1-dev, libx11-dev, libxau-dev, libxext-dev, libxmu-dev, libxpm-dev, libxt-dev, xbitmaps, xcursor-themes, libxaw7-dev, autoconf2.13, libesd0-dev, dpatch (>= 1.11), libgpm-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64] diff -u xemacs21-21.4.22/debian/changelog xemacs21-21.4.22/debian/changelog --- xemacs21-21.4.22/debian/changelog +++ xemacs21-21.4.22/debian/changelog @@ -1,3 +1,22 @@ +xemacs21 (21.4.22-3.1ubuntu1) maverick; urgency=low + + * Merge from debian unstable. (LP: #611931) Remaining changes: + - debian/patches/21_fix_maximation_bug.dpatch: + + Fix maximation issue, where xemacs21 meant to stay in an infinite loop + * debian/README.source: Fix lintian's warning patch-system-but-no-source-readme. + + -- Artur Rona Sat, 31 Jul 2010 03:51:25 +0200 + +xemacs21 (21.4.22-3.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix race conditions in lib-src/movemail.c which may be exploited by + other users in the mail group to read/delete/modify mailboxes. + Ported patch from Dan Rosenberg to xemacs21 + (11_CVE-2010-0825.dpatch; Closes: #590303). + + -- Nico Golde Tue, 27 Jul 2010 14:27:11 +0200 + xemacs21 (21.4.22-3ubuntu1) maverick; urgency=low * Merge from debian unstable. Remaining changes: (LP: #467446) (LP: #583224) diff -u xemacs21-21.4.22/debian/patches/00list xemacs21-21.4.22/debian/patches/00list --- xemacs21-21.4.22/debian/patches/00list +++ xemacs21-21.4.22/debian/patches/00list @@ -14 +14,2 @@ -21_fix_maximation-bug.dpatch +11_CVE-2010-0825 +21_fix_maximation-bug only in patch2: unchanged: --- xemacs21-21.4.22.orig/debian/README.source +++ xemacs21-21.4.22/debian/README.source @@ -0,0 +1,38 @@ +This package uses dpatch to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches and applied during the build. + +To get the fully patched source after unpacking the source package, cd +to the root level of the source package and run: + + debian/rules patch + +Removing a patch is as simple as removing its entry from the +debian/patches/00list file, and please also remove the patch file +itself. + +Creating a new patch is done with "dpatch-edit-patch patch XX_patchname" +where you should replace XX with a new number and patchname with a +descriptive shortname of the patch. You can then simply edit all the +files your patch wants to edit, and then simply "exit 0" from the shell +to actually create the patch file. + +To tweak an already existing patch, call "dpatch-edit-patch XX_patchname" +and replace XX_patchname with the actual filename from debian/patches +you want to use. + +To clean up afterwards again, "debian/rules unpatch" will do the +work for you - or you can of course choose to call +"fakeroot debian/rules clean" all together. + + +--- + +this documentation is part of dpatch package, and may be used by +packages using dpatch to comply with policy on README.source. This +documentation is meant to be useful to users who are not proficient in +dpatch in doing work with dpatch-based packages. Please send any +improvements to the BTS of dpatch package. + +original text by Gerfried Fuchs, edited by Junichi Uekawa +10 Aug 2008. only in patch2: unchanged: --- xemacs21-21.4.22.orig/debian/patches/11_CVE-2010-0825.dpatch +++ xemacs21-21.4.22/debian/patches/11_CVE-2010-0825.dpatch @@ -0,0 +1,119 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 11_CVE-2010-0825.dpatch by Nico Golde +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' xemacs21-21.4.22~/lib-src/movemail.c xemacs21-21.4.22/lib-src/movemail.c +--- xemacs21-21.4.22~/lib-src/movemail.c 2010-07-27 14:25:02.000000000 +0200 ++++ xemacs21-21.4.22/lib-src/movemail.c 2010-07-27 14:26:06.000000000 +0200 +@@ -214,7 +214,11 @@ + #ifndef DISABLE_DIRECT_ACCESS + int indesc, outdesc; + int nread; ++ uid_t real_gid, priv_gid; + int status; ++ ++ real_gid = getgid(); ++ priv_gid = getegid(); + #endif + + int lock_method = DEFAULT_LOCKING; +@@ -312,26 +316,6 @@ + if (*outname == 0) + fatal ("Destination file name is empty", 0); + +- VERBOSE(("checking access to output file\n")); +- /* Check access to output file. */ +- if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0) +- pfatal_with_name (outname); +- +- /* Also check that outname's directory is writable to the real uid. */ +- { +- char *buf = (char *) xmalloc (strlen (outname) + 1); +- char *cp; +- strcpy (buf, outname); +- cp = buf + strlen (buf); +- while (cp > buf && !IS_DIRECTORY_SEP (cp[-1])) +- *--cp = 0; +- if (cp == buf) +- *cp++ = '.'; +- if (access (buf, W_OK) != 0) +- pfatal_with_name (buf); +- free (buf); +- } +- + #ifdef MAIL_USE_POP + if (!strncmp (inname, "po:", 3)) + { +@@ -340,20 +324,17 @@ + } + + #ifndef WIN32_NATIVE +- setuid (getuid ()); ++ if ( setuid (getuid ()) < 0 ) ++ fatal ("Failed to drop privileges", 0); + #endif + #endif /* MAIL_USE_POP */ + + #ifndef DISABLE_DIRECT_ACCESS + +- /* Check access to input file. */ +- if (access (inname, R_OK | W_OK) != 0) +- pfatal_with_name (inname); +- +- + if (fork () == 0) + { +- setuid (getuid ()); ++ if ( setuid (getuid ()) < 0 || setegid (real_gid) < 0 ) ++ fatal("Failed to drop privileges", 0); + + VERBOSE(("opening input file\n")); + +@@ -398,6 +379,9 @@ + if (outdesc < 0) + pfatal_with_name (outname); + ++ if ( setegid(priv_gid) < 0 ) ++ fatal("Failed to regain privileges", 0); ++ + VERBOSE(("locking input file\n")); + + switch (lock_method) +@@ -454,6 +438,10 @@ + if (close (outdesc) != 0) + pfatal_and_delete (outname); + ++ /* Prevent symlink attacks truncating other users' mailboxes */ ++ if ( setegid (real_gid) < 0 ) ++ fatal("Failed to drop privileges", 0); ++ + VERBOSE(("deleting or truncating input file\n")); + + switch (lock_method) +@@ -464,7 +452,11 @@ + #ifdef HAVE_FTRUNCATE + ftruncate (indesc, 0L); + #else +- close (open (inname, O_CREAT | O_TRUNC | O_RDWR, 0666)); ++ int indesc2 = open (inname, O_CREAT | O_TRUNC | O_RDWR, 0666); ++ if ( indesc2 < 0 ) ++ pfatal_with_name (inname) ++ ++ close (indesc2); + #endif + close (indesc); + break; +@@ -478,6 +470,10 @@ + break; + } + ++ /* End of mailbox truncation */ ++ if ( setegid(priv_gid) < 0 ) ++ fatal("Failed to regain privileges", 0); ++ + exit (0); + } +