merge trunk

author: Kenichi Handa 2010-04-07 15:08:27 +0900
committer: Kenichi Handa 2010-04-07 15:08:27 +0900
commit: 64e692b56e84153d45b2c46d833dce14243f7c69 (patch)
tree: db049db5995f5cfcba3db28dfeb305ef5e04157c /lib-src
parent: 86a366f4015868f03bc8399b412ea767e9337072 (diff)
parent: e59c4233e20bfb2b8b50c77a42023a2473405391 (diff)
download: emacs-64e692b56e84153d45b2c46d833dce14243f7c69.tar.gz
emacs-64e692b56e84153d45b2c46d833dce14243f7c69.zip
5 files changed, 61 insertions, 35 deletions
diff --git a/lib-src/ChangeLog b/lib-src/ChangeLog
index caa7f3cfc80..a68629d2393 100644
--- a/lib-src/ChangeLog
+++ b/lib-src/ChangeLog
@@ -1,3 +1,15 @@
+2010-04-03  Juanma Barranquero  <lekktu@gmail.com>
+        Add stubs for Windows, required after CVE-2010-0825 change.
+        * ntlib.c (getgid, getegid, setegid): New stubs.
+        * ntlib.h (getgid, getegid, setegid): Declare them.
+2010-04-02  Dan Rosenberg  <dan.j.rosenberg@gmail.com>  (tiny change)
+        * movemail.c (main): Check return values of setuid.  Avoid
+        possibility of symlink attack when movemail is setgid mail
+        (CVE-2010-0825).
 2010-03-19  Tetsurou Okazaki  <okazaki@be.to>  (tiny change)
        * Makefile.in (uninstall): Handle the case where archlibdir does
@@ -3942,7 +3954,7 @@
        (xmalloc, fatal, error): New functions.
        (delete_socket, handle_signals): New functions.
        (progname, socket_name): New variables.
-         [HAVE_SOCKETS] (main): Call handle_signals; set the new variables.
+        [HAVE_SOCKETS] (main): Call handle_signals; set the new variables.
 1996-09-01  Richard Stallman  <rms@ethanol.gnu.ai.mit.edu>
@@ -4715,9 +4727,9 @@
 1995-01-12  Francesco Potortì  (pot@cnuce.cnr.it)
        * etags.c (FILEPOS, GET_CHARNO, GET_FILEPOS, max, LINENO): Deleted.
-        (append_to_tagfile, typedefs, typedefs_and_cplusplus,
+        (append_to_tagfile, typedefs, typedefs_and_cplusplus)
-         constantypedefs, update, vgrind_style, no_warnings,
+        (constantypedefs, update, vgrind_style, no_warnings)
-         cxref_style, cplusplus, noindentypedefs): Were int, now logical.
+        (cxref_style, cplusplus, noindentypedefs): Were int, now logical.
        (permit_duplicates): Was a var, now a #define.
        (filename_lb): Was global, now local to main.
        (main): Open the tag file when in cxref mode.
@@ -4736,8 +4748,8 @@
        (TOKEN_SAVED_P, SAVE_TOKEN, RESTORE_TOKEN): Deleted.
        (C_entries): nameb and savenameb deleted.  Use dinamic allocation.
        (pfcnt): Deleted.  Users updated.
-        (getit, Asm_labels, Pascal_functions, L_getit, get_scheme,
+        (getit, Asm_labels, Pascal_functions, L_getit, get_scheme)
-         TEX_getit, prolog_getit): Use dinamic allocation for storing
+        (TEX_getit, prolog_getit): Use dinamic allocation for storing
        the tag instead of a fixed size buffer.
 1995-01-10  Richard Stallman  <rms@mole.gnu.ai.mit.edu>
@@ -6662,8 +6674,8 @@
 1990-01-19  David Lawrence  (tale@cocoa-puffs)
        * timer.c, getdate.y (new files) and Makefile:
-          Sub-process support for run-at-time in timer.el.
+        Sub-process support for run-at-time in timer.el.
-          Doesn't yet work correctly for USG.
+        Doesn't yet work correctly for USG.
 1990-01-10  Jim Kingdon  (kingdon@pogo)
diff --git a/lib-src/makefile.w32-in b/lib-src/makefile.w32-in
index b59273ef33d..131cca7fdd7 100644
--- a/lib-src/makefile.w32-in
+++ b/lib-src/makefile.w32-in
@@ -22,7 +22,7 @@ ALL = make-docfile hexl ctags etags movemail ebrowse sorted-doc digest-doc emacs
 .PHONY: $(ALL)
-VERSION         = 23.1.94
+VERSION         = 23.1.95
 LOCAL_FLAGS     = -DWINDOWSNT -DDOS_NT -DSTDC_HEADERS=1 -DNO_LDAV=1 \
                  -DNO_ARCHIVES=1 -DHAVE_CONFIG_H=1 -I../nt/inc \
diff --git a/lib-src/movemail.c b/lib-src/movemail.c
index e0eb4d48b89..ae51df3d39c 100644
--- a/lib-src/movemail.c
+++ b/lib-src/movemail.c
@@ -197,6 +197,9 @@ main (argc, argv)
 # define ARGSTR "p"
 #endif /* MAIL_USE_POP */
+  uid_t real_gid = getgid();
+  uid_t priv_gid = getegid();
 #ifdef WINDOWSNT
  /* Ensure all file i/o is in binary mode. */
  _fmode = _O_BINARY;
@@ -247,25 +250,6 @@ main (argc, argv)
  if (*outname == 0)
    fatal ("Destination file name is empty", 0, 0);
-  /* Check access to output file.  */
-  if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0)
-    pfatal_with_name (outname);
-  /* Also check that outname's directory is writable to the real uid.  */
-  {
-    char *buf = (char *) xmalloc (strlen (outname) + 1);
-    char *p;
-    strcpy (buf, outname);
-    p = buf + strlen (buf);
-    while (p > buf && !IS_DIRECTORY_SEP (p[-1]))
-      *--p = 0;
-    if (p == buf)
-      *p++ = '.';
-    if (access (buf, W_OK) != 0)
-      pfatal_with_name (buf);
-    free (buf);
-  }
 #ifdef MAIL_USE_POP
  if (!strncmp (inname, "po:", 3))
    {
@@ -277,15 +261,12 @@ main (argc, argv)
      exit (status);
    }
-  setuid (getuid ());
+  if (setuid (getuid ()) < 0)
+    fatal ("Failed to drop privileges", 0, 0);
 #endif /* MAIL_USE_POP */
 #ifndef DISABLE_DIRECT_ACCESS
-  /* Check access to input file.  */
-  if (access (inname, R_OK | W_OK) != 0)
-    pfatal_with_name (inname);
 #ifndef MAIL_USE_MMDF
 #ifndef MAIL_USE_SYSTEM_LOCK
 #ifdef MAIL_USE_MAILLOCK
@@ -379,7 +360,8 @@ main (argc, argv)
      time_t touched_lock, now;
 #endif
-      setuid (getuid ());
+      if (setuid (getuid ()) < 0 || setegid (real_gid) < 0)
+        fatal ("Failed to drop privileges", 0, 0);
 #ifndef MAIL_USE_MMDF
 #ifdef MAIL_USE_SYSTEM_LOCK
@@ -405,6 +387,9 @@ main (argc, argv)
      if (outdesc < 0)
        pfatal_with_name (outname);
+      if (setegid (priv_gid) < 0)
+        fatal ("Failed to regain privileges", 0, 0);
      /* This label exists so we can retry locking
         after a delay, if it got EAGAIN or EBUSY.  */
    retry_lock:
@@ -498,6 +483,10 @@ main (argc, argv)
        pfatal_and_delete (outname);
 #endif
+      /* Prevent symlink attacks truncating other users' mailboxes */
+      if (setegid (real_gid) < 0)
+        fatal ("Failed to drop privileges", 0, 0);
      /* Check to make sure no errors before we zap the inbox.  */
      if (close (outdesc) != 0)
        pfatal_and_delete (outname);
@@ -529,6 +518,10 @@ main (argc, argv)
        }
 #endif /* not MAIL_USE_SYSTEM_LOCK */
+      /* End of mailbox truncation */
+      if (setegid (priv_gid) < 0)
+        fatal ("Failed to regain privileges", 0, 0);
 #ifdef MAIL_USE_MAILLOCK
      /* This has to occur in the child, i.e., in the process that
         acquired the lock! */
diff --git a/lib-src/ntlib.c b/lib-src/ntlib.c
index ae10caecd22..c815f32d51d 100644
--- a/lib-src/ntlib.c
+++ b/lib-src/ntlib.c
@@ -125,12 +125,30 @@ getuid ()
  return 0;
 }
+unsigned
+getgid ()
+{
+  return 0;
+}
+unsigned
+getegid ()
+{
+  return 0;
+}
 int
 setuid (unsigned uid)
 {
  return 0;
 }
+int
+setegid (unsigned gid)
+{
+  return 0;
+}
 struct passwd *
 getpwuid (unsigned uid)
 {
diff --git a/lib-src/ntlib.h b/lib-src/ntlib.h
index 70b99d7a779..ab1e7ba2866 100644
--- a/lib-src/ntlib.h
+++ b/lib-src/ntlib.h
@@ -36,7 +36,10 @@ int getppid(void);
 char * getlogin ();
 char * cuserid (char * s);
 unsigned getuid ();
+unsigned getegid ();
+unsigned getgid ();
 int setuid (unsigned uid);
+int setegid (unsigned gid);
 char * getpass (const char * prompt);
 int fchown (int fd, unsigned uid, unsigned gid);
author	Kenichi Handa	2010-04-07 15:08:27 +0900
committer	Kenichi Handa	2010-04-07 15:08:27 +0900
commit	64e692b56e84153d45b2c46d833dce14243f7c69 (patch)
tree	db049db5995f5cfcba3db28dfeb305ef5e04157c /lib-src
parent	86a366f4015868f03bc8399b412ea767e9337072 (diff)
parent	e59c4233e20bfb2b8b50c77a42023a2473405391 (diff)
download	emacs-64e692b56e84153d45b2c46d833dce14243f7c69.tar.gz emacs-64e692b56e84153d45b2c46d833dce14243f7c69.zip