1 new commit in mail-lib: https://bitbucket.org/xemacs/mail-lib/commits/7e8e2d49c4aa/ Changeset: 7e8e2d49c4aa User: matsl Date: 2014-05-21 15:09:26 Summary: Remove security issue with tempfiles and Mosaic 2014-05-20 Mats Lidell <matsl(a)xemacs.org&gt; * browse-url.el (browse-url-mosaic): Upstream security issue. Be careful when writing /tmp/Mosaic.PID. (http://bugs.debian.org/747100) Patch by Glenn Morris. Affected #: 2 files diff -r f66940da6de24e6f5dda562ab83d95e1c1fcbecf -r 7e8e2d49c4aa6348e2125023fc7e42d9cc9affb9 ChangeLog --- a/ChangeLog +++ b/ChangeLog ＠＠ -1,3 +1,9 ＠＠ +2014-05-20 Mats Lidell <matsl(a)xemacs.org&gt; + + * browse-url.el (browse-url-mosaic): Upstream security issue. Be + careful when writing /tmp/Mosaic.PID. + (http://bugs.debian.org/747100) Patch by Glenn Morris. + 2014-05-15 Norbert Koch <viteno(a)xemacs.org&gt; * Makefile (VERSION): XEmacs package 1.82 released. diff -r f66940da6de24e6f5dda562ab83d95e1c1fcbecf -r 7e8e2d49c4aa6348e2125023fc7e42d9cc9affb9 browse-url.el --- a/browse-url.el +++ b/browse-url.el ＠＠ -1354,28 +1354,26 ＠＠ (let ((pidfile (expand-file-name browse-url-mosaic-pidfile)) pid) (if (file-readable-p pidfile) - (save-excursion - (find-file pidfile) - (goto-char (point-min)) - (setq pid (read (current-buffer))) - (kill-buffer nil))) - (if (and pid (zerop (signal-process pid 0))) ; Mosaic running - (save-excursion - (find-file (format "/tmp/Mosaic.%d" pid)) - (erase-buffer) - (insert (if (browse-url-maybe-new-window new-window) - "newwin\n" - "goto\n") - url "\n") - (save-buffer) - (kill-buffer nil) + (with-temp-buffer + (insert-file-contents pidfile) + (setq pid (read (current-buffer))))) + (if (and (integerp pid) (zerop (signal-process pid 0))) ; Mosaic running + (progn + (with-temp-buffer + (insert (if (browse-url-maybe-new-window new-window) + "newwin\n" + "goto\n") + url "\n") + (if (file-exists-p (setq pidfile (format "/tmp/Mosaic.%d" pid))) + (delete-file pidfile)) + ;; http://debbugs.gnu.org/17428. Use O_EXCL. + (write-region nil nil pidfile nil 'silent nil 'excl)) ;; Send signal SIGUSR to Mosaic (message "Signalling Mosaic...") (signal-process pid 'SIGUSR1) ;; Or you could try: ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid)) - (message "Signalling Mosaic...done") - ) + (message "Signalling Mosaic...done")) ;; Mosaic not running - start it (message "Starting Mosaic...") (apply 'start-process "xmosaic" nil browse-url-mosaic-program Repository URL: https://bitbucket.org/xemacs/mail-lib/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email. _______________________________________________ XEmacs-Patches mailing list XEmacs-Patches(a)xemacs.org http://lists.xemacs.org/mailman/listinfo/xemacs-patches