From d92b503807d9889a27efdf75fe01a5c3192b36fb Mon Sep 17 00:00:00 2001
From: Jonathan G. Underwood <jgu@fedoraproject.org>
Date: Apr 01 2010 13:31:05 +0000
Subject: - Add patch to fix RHBZ #578272 - security vulnerability with movemail

    (CVE-2010-0825)

---

diff --git a/emacs-23.1-movemail.patch b/emacs-23.1-movemail.patch
new file mode 100644
index 0000000..229d294
--- /dev/null
+++ b/emacs-23.1-movemail.patch
@@ -0,0 +1,100 @@
+diff -up emacs-23.1/lib-src/movemail.c.movemail emacs-23.1/lib-src/movemail.c
+--- emacs-23.1/lib-src/movemail.c.movemail	2010-03-31 19:18:05.611899443 +0200
++++ emacs-23.1/lib-src/movemail.c	2010-03-31 19:24:29.738754553 +0200
+@@ -176,7 +176,9 @@ main (argc, argv)
+   int nread;
+   int status;
+   int c, preserve_mail = 0;
+-
++  uid_t real_gid, priv_gid;
++  real_gid = getgid();
++  priv_gid = getegid();
+ #ifndef MAIL_USE_SYSTEM_LOCK
+   struct stat st;
+   long now;
+@@ -247,25 +249,6 @@ main (argc, argv)
+   if (*outname == 0)
+     fatal ("Destination file name is empty", 0, 0);
+ 
+-  /* Check access to output file.  */
+-  if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0)
+-    pfatal_with_name (outname);
+-
+-  /* Also check that outname's directory is writable to the real uid.  */
+-  {
+-    char *buf = (char *) xmalloc (strlen (outname) + 1);
+-    char *p;
+-    strcpy (buf, outname);
+-    p = buf + strlen (buf);
+-    while (p > buf && !IS_DIRECTORY_SEP (p[-1]))
+-      *--p = 0;
+-    if (p == buf)
+-      *p++ = '.';
+-    if (access (buf, W_OK) != 0)
+-      pfatal_with_name (buf);
+-    free (buf);
+-  }
+-
+ #ifdef MAIL_USE_POP
+   if (!strncmp (inname, "po:", 3))
+     {
+@@ -277,15 +260,11 @@ main (argc, argv)
+       exit (status);
+     }
+ 
+-  setuid (getuid ());
++  if (setuid (getuid ()) < 0)
++    fatal ("Failed to drop privileges", 0, 0);
+ #endif /* MAIL_USE_POP */
+ 
+ #ifndef DISABLE_DIRECT_ACCESS
+-
+-  /* Check access to input file.  */
+-  if (access (inname, R_OK | W_OK) != 0)
+-    pfatal_with_name (inname);
+-
+ #ifndef MAIL_USE_MMDF
+ #ifndef MAIL_USE_SYSTEM_LOCK
+ #ifdef MAIL_USE_MAILLOCK
+@@ -379,7 +358,8 @@ main (argc, argv)
+       time_t touched_lock, now;
+ #endif
+ 
+-      setuid (getuid ());
++      if (setuid (getuid ()) < 0 || setegid (real_gid) < 0)
++	fatal("Failed to drop privileges", 0, 0);
+ 
+ #ifndef MAIL_USE_MMDF
+ #ifdef MAIL_USE_SYSTEM_LOCK
+@@ -405,6 +385,9 @@ main (argc, argv)
+       if (outdesc < 0)
+ 	pfatal_with_name (outname);
+ 
++      if (setegid (priv_gid) < 0)
++        fatal("Failed to regain privileges", 0, 0);
++
+       /* This label exists so we can retry locking
+ 	 after a delay, if it got EAGAIN or EBUSY.  */
+     retry_lock:
+@@ -502,6 +485,10 @@ main (argc, argv)
+       if (close (outdesc) != 0)
+ 	pfatal_and_delete (outname);
+ 
++      /* Prevent symlink attacks truncating other users' mailboxes */
++      if (setegid (real_gid) < 0)
++	fatal("Failed to drop privileges", 0, 0);
++
+ #ifdef MAIL_USE_SYSTEM_LOCK
+       if (! preserve_mail)
+ 	{
+@@ -529,6 +516,10 @@ main (argc, argv)
+ 	}
+ #endif /* not MAIL_USE_SYSTEM_LOCK */
+ 
++      /* End of mailbox truncation */
++      if (setegid (priv_gid) < 0)
++	fatal("Failed to regain privileges", 0, 0);
++
+ #ifdef MAIL_USE_MAILLOCK
+       /* This has to occur in the child, i.e., in the process that
+          acquired the lock! */
diff --git a/emacs.spec b/emacs.spec
index ced3745..c6c7f02 100644
--- a/emacs.spec
+++ b/emacs.spec
@@ -4,7 +4,7 @@ Summary: GNU Emacs text editor
 Name: emacs
 Epoch: 1
 Version: 23.1
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv3+
 URL: http://www.gnu.org/software/emacs/
 Group: Applications/Editors
@@ -49,6 +49,10 @@ Patch11: emacs-23.1-hexl-mode.patch
 # http://bazaar.launchpad.net/~vcs-imports/emacs/trunk/revision/98299
 Patch12: emacs-23.1-nxml.patch
 
+# Fix https://bugzilla.redhat.com/show_bug.cgi?id=578272
+# CVE-2010-0825
+Patch13: emacs-23.1-movemail.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: atk-devel, cairo-devel, desktop-file-utils, freetype-devel, fontconfig-devel, dbus-devel, giflib-devel, glibc-devel, gtk2-devel, libpng-devel
 BuildRequires: libjpeg-devel, libtiff-devel, libX11-devel, libXau-devel, libXdmcp-devel, libXrender-devel, libXt-devel
@@ -151,6 +155,7 @@ Emacs packages or see some elisp examples.
 %patch10 -p1 -b .fontdpi
 %patch11 -p0
 %patch12 -p0
+%patch13 -p1
 
 # install rest of site-lisp files
 ( cd site-lisp
@@ -422,6 +427,10 @@ alternatives --install %{_bindir}/etags emacs.etags %{_bindir}/etags.emacs 80 \
 %dir %{_datadir}/emacs/%{version}
 
 %changelog
+* Thu Apr  1 2010 Jonathan G. Underwood <jonathan.underwood@gmail.com> - 1:23.1-21
+- Add patch to fix RHBZ #578272 - security vulnerability with movemail
+  (CVE-2010-0825) 
+
 * Tue Mar 30 2010 Jonathan G. Underwood <jonathan.underwood@gmail.com> - 1:23.1-20
 - Add fix for BZ 553346