Bug#860965: unblock: emacs24/24.5+1-10
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package emacs24
This upload is intended to fix the openssl s_client issue, and to
address intermittent build failures that may be related to the
-no-pie/-nopie issue already addressed in emacs25.
diff -Nru emacs24-24.5+1/debian/.git-dpm emacs24-24.5+1/debian/.git-dpm
--- emacs24-24.5+1/debian/.git-dpm 2017-04-10 18:30:21.000000000 -0500
+++ emacs24-24.5+1/debian/.git-dpm 2017-04-22 12:32:14.000000000 -0500
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-d715dfdb5101dfbd1a83b2958ced6f3bd757ab92
-d715dfdb5101dfbd1a83b2958ced6f3bd757ab92
+088b2e039897fcf9e2eea00f580a2c5d87eba781
+088b2e039897fcf9e2eea00f580a2c5d87eba781
62bc68f777c532a970566625e315d68bf0ab4eee
62bc68f777c532a970566625e315d68bf0ab4eee
emacs24_24.5+1.orig.tar.bz2
diff -Nru emacs24-24.5+1/debian/changelog emacs24-24.5+1/debian/changelog
--- emacs24-24.5+1/debian/changelog 2017-04-16 10:07:37.000000000 -0500
+++ emacs24-24.5+1/debian/changelog 2017-04-22 12:33:05.000000000 -0500
@@ -1,3 +1,22 @@
+emacs24 (24.5+1-10) unstable; urgency=medium
+
+ * Don't segfault if gcc expects -nopie instead of -no-pie.
+ Add 0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch, a
+ backport from emacs25 (that closed #841551) to fix the problem.
+ Thanks to Lucas Nussbaum and Aaron M. Ucko for reporting the
+ problem, and Sven Joachim for tracking down the upstream patch.
+
+ * Don't offer/use openssl s_client by default: "s_client is a debug
+ tool, it does not set up a secure connection, it ignores all
+ errors and just continues. It also doesn't do checks it should be
+ doing. This is all documented behaviour." -- Kurt Roeckx
+ Add these patches to fix the problem:
+ 0028-IMAP-connections-no-longer-use-openssl-s_client.patch
+ 0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch
+ Thanks to Kurt Roeckx for reporting the issue. (Closes: #766397)
+
+ -- Rob Browning <rlb@defaultvalue.org> Sat, 22 Apr 2017 12:33:05 -0500
+
emacs24 (24.5+1-9) unstable; urgency=medium
* Improve gnutls security. Remove --insecure and specify a trustfile.
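Review bot: the 24.5+1-10 entry does not mention that patch 0028 removes the user-facing `imap-ssl-program' defcustom outright, so anyone who has customised it in their init file will have that setting silently ignored rather than getting an error; a one-line note in this entry (or in debian/NEWS) saying that imap.el now always connects through `open-network-stream' would make the behaviour change discoverable.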
diff -Nru emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch
--- emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch 1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch 2017-04-22 12:32:11.000000000 -0500
@@ -0,0 +1,56 @@
+From c91f2fca460e04c1d47ec1b5db1ca3b8130b95f8 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Sun, 16 Oct 2016 16:25:47 -0700
+Subject: Emacs shouldn't segfault when gcc expects -nopie
+
+This upstream patch has been added:
+
+ Port to Ubuntu 16.10, which needs gcc -nopie
+
+ * configure.ac (emacs_cv_prog_cc_no_pie): Rename from
+ emacs_cv_prog_cc_nopie. All usages changed. Check for -no-pie in
+ preference to -nopie (Bug#24682). Backport from master.
+
+Origin: upstream, commit: 99892eeec8990884ef38601f14038ec6dc227741
+Bug: https://debbugs.gnu.org/24682
+Bug-Debian: https://bugs.debian.org/841551
+---
+ configure.ac | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 18387d84ec5..222b195a828 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4918,6 +4918,31 @@ case "$opsys" in
+ *) LD_SWITCH_SYSTEM_TEMACS= ;;
+ esac
+
++# -no-pie or -nopie fixes a temacs segfault on Gentoo, OpenBSD,
++# Ubuntu, and other systems with "hardened" GCC configurations for
++# some reason (Bug#18784). We don't know why this works, but not
++# segfaulting is better than segfaulting. Use ac_c_werror_flag=yes
++# when trying the option, otherwise clang keeps warning that it does
++# not understand it, and pre-4.6 GCC has a similar problem
++# (Bug#20338). Prefer -no-pie to -nopie, as -no-pie is the
++# spelling used by GCC 6.1.0 and later (Bug#24682).
++AC_CACHE_CHECK(
++ [for $CC option to disable position independent executables],
++ [emacs_cv_prog_cc_no_pie],
++ [emacs_save_c_werror_flag=$ac_c_werror_flag
++ emacs_save_LDFLAGS=$LDFLAGS
++ ac_c_werror_flag=yes
++ for emacs_cv_prog_cc_no_pie in -no-pie -nopie no; do
++ test $emacs_cv_prog_cc_no_pie = no && break
++ LDFLAGS="$emacs_save_LDFLAGS $emacs_cv_prog_cc_no_pie"
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [break])
++ done
++ ac_c_werror_flag=$emacs_save_c_werror_flag
++ LDFLAGS=$emacs_save_LDFLAGS])
++if test "$emacs_cv_prog_cc_no_pie" != no; then
++ LD_SWITCH_SYSTEM_TEMACS="$LD_SWITCH_SYSTEM_TEMACS $emacs_cv_prog_cc_no_pie"
++fi
++
+ if test x$ac_enable_profiling != x ; then
+ case $opsys in
+ *freebsd | gnu-linux) ;;
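Review bot: this patch touches only configure.ac (diffstat: `configure.ac | 25 +++++++++++++++++++++++++`, 25 insertions and no deletions), so it takes effect only if the Debian build regenerates configure from configure.ac (autoreconf / dh_autoreconf); worth confirming that debian/rules does this for emacs24, otherwise the generated configure will not contain the new probe at all and the intermittent build failures mentioned in the unblock request will persist. The probe itself looks sound: `-no-pie` is tried before `-nopie`, and `ac_c_werror_flag=yes` is set for the trial link so a compiler that merely warns about an unknown flag is not mis-detected as accepting it.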
diff -Nru emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch
--- emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch 1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch 2017-04-22 12:32:14.000000000 -0500
@@ -0,0 +1,136 @@
+From 3a79c1cf4e45ac6e160e31d7fe4b18d9b500583e Mon Sep 17 00:00:00 2001
+From: Lars Ingebrigtsen <larsi@gnus.org>
+Date: Sat, 26 Dec 2015 21:45:51 +0100
+Subject: IMAP connections no longer use openssl s_client
+
+`imap-ssl-program' has been removed, and imap.el uses the internal
+GnuTLS encryption functions if possible.
+
+Accomplished by incorporating this upstream patch:
+
+ Use built-in encryption in imap.el
+
+ * lisp/net/imap.el (imap-ssl-program): Remove (bug#21134).
+ (imap-starttls-open): Use open-network-stream instead of starttls.el.
+ (imap-tls-open): Use open-network-stream instead of tls.el.
+
+Origin: backport, commit:a2158f6c9af62f11533b2086596b755781d2e34f
+Bug: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21134
+Bug-Debian: https://bugs.debian.org/766397
+Forwarded: not-needed
+---
+ lisp/net/imap.el | 63 ++++++++++++++++----------------------------------------
+ 1 file changed, 18 insertions(+), 45 deletions(-)
+
+diff --git a/lisp/net/imap.el b/lisp/net/imap.el
+index 3e5982398fd..b9a66871926 100644
+--- a/lisp/net/imap.el
++++ b/lisp/net/imap.el
+@@ -74,8 +74,7 @@
+ ;; imap.el supports RFC1730/2060/RFC3501 (IMAP4/IMAP4rev1). The implemented
+ ;; IMAP extensions are RFC2195 (CRAM-MD5), RFC2086 (ACL), RFC2342
+ ;; (NAMESPACE), RFC2359 (UIDPLUS), the IMAP-part of RFC2595 (STARTTLS,
+-;; LOGINDISABLED) (with use of external library starttls.el and
+-;; program starttls), and the GSSAPI / Kerberos V4 sections of RFC1731
++;; LOGINDISABLED), and the GSSAPI / Kerberos V4 sections of RFC1731
+ ;; (with use of external program `imtest'), and RFC2971 (ID). It also
+ ;; takes advantage of the UNSELECT extension in Cyrus IMAPD.
+ ;;
+@@ -140,8 +139,6 @@
+ (eval-and-compile
+ ;; For Emacs <22.2 and XEmacs.
+ (unless (fboundp 'declare-function) (defmacro declare-function (&rest _r)))
+- (autoload 'starttls-open-stream "starttls")
+- (autoload 'starttls-negotiate "starttls")
+ (autoload 'sasl-find-mechanism "sasl")
+ (autoload 'digest-md5-parse-digest-challenge "digest-md5")
+ (autoload 'digest-md5-digest-response "digest-md5")
+@@ -151,8 +148,7 @@
+ (autoload 'utf7-encode "utf7")
+ (autoload 'utf7-decode "utf7")
+ (autoload 'format-spec "format-spec")
+- (autoload 'format-spec-make "format-spec")
+- (autoload 'open-tls-stream "tls"))
++ (autoload 'format-spec-make "format-spec"))
+
+ ;; User variables.
+
+@@ -184,19 +180,6 @@ the list is tried until a successful connection is made."
+ :group 'imap
+ :type '(repeat string))
+
+-(defcustom imap-ssl-program '("openssl s_client -quiet -ssl3 -connect %s:%p"
+- "openssl s_client -quiet -ssl2 -connect %s:%p"
+- "s_client -quiet -ssl3 -connect %s:%p"
+- "s_client -quiet -ssl2 -connect %s:%p")
+- "A string, or list of strings, containing commands for SSL connections.
+-Within a string, %s is replaced with the server address and %p with
+-port number on server. The program should accept IMAP commands on
+-stdin and return responses to stdout. Each entry in the list is tried
+-until a successful connection is made."
+- :group 'imap
+- :type '(choice string
+- (repeat string)))
+-
+ (defcustom imap-shell-program '("ssh %s imapd"
+ "rsh %s imapd"
+ "ssh %g ssh %s imapd"
+@@ -718,7 +701,8 @@ sure of changing the value of `foo'."
+ (let* ((port (or port imap-default-tls-port))
+ (coding-system-for-read imap-coding-system-for-read)
+ (coding-system-for-write imap-coding-system-for-write)
+- (process (open-tls-stream name buffer server port)))
++ (process (open-network-stream name buffer server port
++ :type 'tls)))
+ (when process
+ (while (and (memq (process-status process) '(open run))
+ ;; FIXME: Per the "blue moon" comment, the process/buffer
+@@ -803,34 +787,23 @@ sure of changing the value of `foo'."
+ (imap-capability 'STARTTLS buffer))
+
+ (defun imap-starttls-open (name buffer server port)
++ (message "imap: Connecting with STARTTLS...")
+ (let* ((port (or port imap-default-port))
+ (coding-system-for-read imap-coding-system-for-read)
+ (coding-system-for-write imap-coding-system-for-write)
+- (process (starttls-open-stream name buffer server port))
+- done tls-info)
+- (message "imap: Connecting with STARTTLS...")
+- (when process
+- (while (and (memq (process-status process) '(open run))
+- (set-buffer buffer) ;; XXX "blue moon" nntp.el bug
+- (goto-char (point-max))
+- (forward-line -1)
+- (not (imap-parse-greeting)))
+- (accept-process-output process 1)
+- (sit-for 1))
+- (imap-send-command "STARTTLS")
+- (while (and (memq (process-status process) '(open run))
+- (set-buffer buffer) ;; XXX "blue moon" nntp.el bug
+- (goto-char (point-max))
+- (forward-line -1)
+- (not (re-search-forward "[0-9]+ OK.*\r?\n" nil t)))
+- (accept-process-output process 1)
+- (sit-for 1))
+- (imap-log buffer)
+- (when (and (setq tls-info (starttls-negotiate process))
+- (memq (process-status process) '(open run)))
+- (setq done process)))
+- (if (stringp tls-info)
+- (message "imap: STARTTLS info: %s" tls-info))
++ (process (open-network-stream
++ name buffer server port
++ :type 'starttls
++ :capability-command "1 CAPABILITY\r\n"
++ :always-query-capabilities t
++ :end-of-command "\r\n"
++ :success " OK "
++ :starttls-function
++ (lambda (capabilities)
++ (when (string-match-p "STARTTLS" capabilities)
++ "1 STARTTLS\r\n"))))
++ (done (and process
++ (memq (process-status process) '(open run)))))
+ (message "imap: Connecting with STARTTLS...%s" (if done "done" "failed"))
+ done))
+
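Review bot: in the rewritten imap-starttls-open, `done` is now derived only from `(memq (process-status process) '(open run))`, whereas the old code set `done` only after `starttls-negotiate' returned non-nil, so an open-but-unencrypted stream counted as a failure. Unless `open-network-stream' with `:type 'starttls` is guaranteed to signal an error or return nil when the server does not advertise STARTTLS or the upgrade fails, this can report "Connecting with STARTTLS...done" on a plaintext connection; passing `:return-list t` and checking that the `:type` in the returned plist is `tls` (or confirming the documented failure behaviour for `:type 'starttls` in the Emacs 24 network-stream code) would preserve the old guarantee. The `(imap-log buffer)` call is also dropped along with the old polling loop, which is worth a mention in the patch description if intentional.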
diff -Nru emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch
--- emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch 1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch 2017-04-22 12:32:14.000000000 -0500
@@ -0,0 +1,62 @@
+From 088b2e039897fcf9e2eea00f580a2c5d87eba781 Mon Sep 17 00:00:00 2001
+From: Rob Browning <rlb@defaultvalue.org>
+Date: Sat, 22 Apr 2017 12:02:00 -0500
+Subject: openssl s_client is no longer a default for ssl connections
+
+"s_client is a debug tool, it does not set up a secure connection, it
+ignores all errors and just continues. It also doesn't do checks it
+should be doing. This is all documented behaviour." -- Kurt Roeckx
+
+Bug-Debian: https://bugs.debian.org/766397
+---
+ lisp/net/tls.el | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/lisp/net/tls.el b/lisp/net/tls.el
+index 68a3ff6ae0a..287de40fa8d 100644
+--- a/lisp/net/tls.el
++++ b/lisp/net/tls.el
+@@ -78,8 +78,7 @@ and `gnutls-cli' (version 2.0.1) output."
+
+ (defcustom tls-program
+ '("gnutls-cli --x509cafile %t -p %p %h"
+- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
+- "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
++ "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
+ "List of strings containing commands to start TLS stream to a host.
+ Each entry in the list is tried until a connection is successful.
+ %h is replaced with server hostname, %p with port to connect to.
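Review bot: the openssl s_client entry is removed, but the remaining fallback `"gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"` still pins the connection to SSL 3.0 whenever the first gnutls-cli invocation fails; since the rationale for this upload is not to offer an insecure transport by default, consider whether that ssl3 fallback (here and in the matching default lists in the later hunks of this file) should go as well, or at least be noted in the changelog as a known remaining weakness.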
+@@ -93,20 +92,17 @@ successful negotiation."
+ '(choice
+ (const :tag "Default list of commands"
+ ("gnutls-cli --x509cafile %t -p %p %h"
+- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
+- "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof"))
++ "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"))
+ (list :tag "Choose commands"
+ :value
+ ("gnutls-cli --x509cafile %t -p %p %h"
+- "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
+- "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
++ "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
+ (set :inline t
+ ;; FIXME: add brief `:tag "..."' descriptions.
+ ;; (repeat :inline t :tag "Other" (string))
+ ;; No trust check:
+ (const "gnutls-cli --insecure -p %p %h")
+- (const "gnutls-cli --insecure -p %p %h --protocols ssl3")
+- (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
++ (const "gnutls-cli --insecure -p %p %h --protocols ssl3"))
+ (repeat :inline t :tag "Other" (string)))
+ (list :tag "List of commands"
+ (repeat :tag "Command" (string))))
+@@ -137,8 +133,7 @@ consider trustworthy, e.g.:
+
+ \(setq tls-program
+ '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
+- \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"
+- \"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))"
++ \"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"))"
+ :type '(choice (const :tag "Always" t)
+ (const :tag "Never" nil)
+ (const :tag "Ask" ask))
diff -Nru emacs24-24.5+1/debian/patches/series emacs24-24.5+1/debian/patches/series
--- emacs24-24.5+1/debian/patches/series 2017-04-10 18:30:21.000000000 -0500
+++ emacs24-24.5+1/debian/patches/series 2017-04-22 12:32:14.000000000 -0500
@@ -24,3 +24,6 @@
0024-Remove-insecure-from-gnutls-cli-invocation.patch
0025-Refactor-out-gnutls-trustfiles.patch
0026-Make-tls.el-use-trustfiles-by-default.patch
+0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch
+0028-IMAP-connections-no-longer-use-openssl-s_client.patch
+0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch
unblock emacs24/24.5+1-10
Thanks
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4