
Bug#860965: marked as done (unblock: emacs24/24.5+1-10)



Your message dated Sun, 23 Apr 2017 05:57:00 +0000
with message-id <f3621372-f02d-b484-76f8-a73e0e149ced@thykier.net>
and subject line Re: Bug#860965: unblock: emacs24/24.5+1-10
has caused the Debian Bug report #860965,
regarding unblock: emacs24/24.5+1-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860965: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860965
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package emacs24

This upload is intended to fix the openssl s_client issue, and to
address intermittent build failures that may be related to the
-no-pie/-nopie issue already addressed in emacs25.

diff -Nru emacs24-24.5+1/debian/.git-dpm emacs24-24.5+1/debian/.git-dpm
--- emacs24-24.5+1/debian/.git-dpm	2017-04-10 18:30:21.000000000 -0500
+++ emacs24-24.5+1/debian/.git-dpm	2017-04-22 12:32:14.000000000 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-d715dfdb5101dfbd1a83b2958ced6f3bd757ab92
-d715dfdb5101dfbd1a83b2958ced6f3bd757ab92
+088b2e039897fcf9e2eea00f580a2c5d87eba781
+088b2e039897fcf9e2eea00f580a2c5d87eba781
 62bc68f777c532a970566625e315d68bf0ab4eee
 62bc68f777c532a970566625e315d68bf0ab4eee
 emacs24_24.5+1.orig.tar.bz2
diff -Nru emacs24-24.5+1/debian/changelog emacs24-24.5+1/debian/changelog
--- emacs24-24.5+1/debian/changelog	2017-04-16 10:07:37.000000000 -0500
+++ emacs24-24.5+1/debian/changelog	2017-04-22 12:33:05.000000000 -0500
@@ -1,3 +1,22 @@
+emacs24 (24.5+1-10) unstable; urgency=medium
+
+  * Don't segfault if gcc expects -nopie instead of -no-pie.
+    Add 0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch, a
+    backport from emacs25 (that closed #841551) to fix the problem.
+    Thanks to Lucas Nussbaum and Aaron M. Ucko for reporting the
+    problem, and Sven Joachim for tracking down the upstream patch.
+
+  * Don't offer/use openssl s_client by default: "s_client is a debug
+    tool, it does not set up a secure connection, it ignores all
+    errors and just continues.  It also doesn't do checks it should be
+    doing.  This is all documented behaviour." -- Kurt Roeckx
+    Add these patches to fix the problem:
+      0028-IMAP-connections-no-longer-use-openssl-s_client.patch
+      0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch
+    Thanks to Kurt Roeckx for reporting the issue. (Closes: #766397)
+
+ -- Rob Browning <rlb@defaultvalue.org>  Sat, 22 Apr 2017 12:33:05 -0500
+
 emacs24 (24.5+1-9) unstable; urgency=medium
 
   * Improve gnutls security.  Remove --insecure and specify a trustfile.
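Review bot: the second item of the new entry reads "Don't offer/use openssl s_client by default", but the description of 0028 says `imap-ssl-program' "has been removed", which is an option disappearing rather than a default changing. Suggest naming the variable in the entry, for example "imap.el: remove imap-ssl-program; TLS and STARTTLS connections now go through open-network-stream", so that users who had customized it can find out why the setting no longer has any effect.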
diff -Nru emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch
--- emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch	2017-04-22 12:32:11.000000000 -0500
@@ -0,0 +1,56 @@
+From c91f2fca460e04c1d47ec1b5db1ca3b8130b95f8 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Sun, 16 Oct 2016 16:25:47 -0700
+Subject: Emacs shouldn't segfault when gcc expects -nopie
+
+This upstream patch has been added:
+
+  Port to Ubuntu 16.10, which needs gcc -nopie
+
+  * configure.ac (emacs_cv_prog_cc_no_pie): Rename from
+  emacs_cv_prog_cc_nopie.  All usages changed.  Check for -no-pie in
+  preference to -nopie (Bug#24682).  Backport from master.
+
+Origin: upstream, commit: 99892eeec8990884ef38601f14038ec6dc227741
+Bug: https://debbugs.gnu.org/24682
+Bug-Debian: https://bugs.debian.org/841551
+---
+ configure.ac | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 18387d84ec5..222b195a828 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4918,6 +4918,31 @@ case "$opsys" in
+   *) LD_SWITCH_SYSTEM_TEMACS= ;;
+ esac
+ 
++# -no-pie or -nopie fixes a temacs segfault on Gentoo, OpenBSD,
++# Ubuntu, and other systems with "hardened" GCC configurations for
++# some reason (Bug#18784).  We don't know why this works, but not
++# segfaulting is better than segfaulting.  Use ac_c_werror_flag=yes
++# when trying the option, otherwise clang keeps warning that it does
++# not understand it, and pre-4.6 GCC has a similar problem
++# (Bug#20338).  Prefer -no-pie to -nopie, as -no-pie is the
++# spelling used by GCC 6.1.0 and later (Bug#24682).
++AC_CACHE_CHECK(
++  [for $CC option to disable position independent executables],
++  [emacs_cv_prog_cc_no_pie],
++  [emacs_save_c_werror_flag=$ac_c_werror_flag
++   emacs_save_LDFLAGS=$LDFLAGS
++   ac_c_werror_flag=yes
++   for emacs_cv_prog_cc_no_pie in -no-pie -nopie no; do
++     test $emacs_cv_prog_cc_no_pie = no && break
++     LDFLAGS="$emacs_save_LDFLAGS $emacs_cv_prog_cc_no_pie"
++     AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [break])
++   done
++   ac_c_werror_flag=$emacs_save_c_werror_flag
++   LDFLAGS=$emacs_save_LDFLAGS])
++if test "$emacs_cv_prog_cc_no_pie" != no; then
++  LD_SWITCH_SYSTEM_TEMACS="$LD_SWITCH_SYSTEM_TEMACS $emacs_cv_prog_cc_no_pie"
++fi
++
+ if test x$ac_enable_profiling != x ; then
+   case $opsys in
+     *freebsd | gnu-linux) ;;
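Review bot: the patch header does not match the diff it carries. The quoted upstream ChangeLog says emacs_cv_prog_cc_no_pie is renamed "from emacs_cv_prog_cc_nopie. All usages changed", yet the diffstat is 25 insertions and no deletions, so in this tree the whole AC_CACHE_CHECK block is new and there is nothing to rename. Since the change was adapted rather than applied as-is, "Origin: backport, commit: ..." (the form 0028 uses) fits better than "Origin: upstream", plus one line in the description saying that emacs24 had no earlier check. Separately, the probe result is appended to LD_SWITCH_SYSTEM_TEMACS, so temacs is linked with position independent executables disabled wherever the compiler accepts either spelling; the in-code comment admits "We don't know why this works", so the description should at least record that this changes link flags and is not only a crash fix.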
diff -Nru emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch
--- emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0028-IMAP-connections-no-longer-use-openssl-s_client.patch	2017-04-22 12:32:14.000000000 -0500
@@ -0,0 +1,136 @@
+From 3a79c1cf4e45ac6e160e31d7fe4b18d9b500583e Mon Sep 17 00:00:00 2001
+From: Lars Ingebrigtsen <larsi@gnus.org>
+Date: Sat, 26 Dec 2015 21:45:51 +0100
+Subject: IMAP connections no longer use openssl s_client
+
+`imap-ssl-program' has been removed, and imap.el uses the internal
+GnuTLS encryption functions if possible.
+
+Accomplished by incorporating this upstream patch:
+
+  Use built-in encryption in imap.el
+
+  * lisp/net/imap.el (imap-ssl-program): Remove (bug#21134).
+  (imap-starttls-open): Use open-network-stream instead of starttls.el.
+  (imap-tls-open): Use open-network-stream instead of tls.el.
+
+Origin: backport, commit:a2158f6c9af62f11533b2086596b755781d2e34f
+Bug: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=21134
+Bug-Debian: https://bugs.debian.org/766397
+Forwarded: not-needed
+---
+ lisp/net/imap.el | 63 ++++++++++++++++----------------------------------------
+ 1 file changed, 18 insertions(+), 45 deletions(-)
+
+diff --git a/lisp/net/imap.el b/lisp/net/imap.el
+index 3e5982398fd..b9a66871926 100644
+--- a/lisp/net/imap.el
++++ b/lisp/net/imap.el
+@@ -74,8 +74,7 @@
+ ;; imap.el supports RFC1730/2060/RFC3501 (IMAP4/IMAP4rev1).  The implemented
+ ;; IMAP extensions are RFC2195 (CRAM-MD5), RFC2086 (ACL), RFC2342
+ ;; (NAMESPACE), RFC2359 (UIDPLUS), the IMAP-part of RFC2595 (STARTTLS,
+-;; LOGINDISABLED) (with use of external library starttls.el and
+-;; program starttls), and the GSSAPI / Kerberos V4 sections of RFC1731
++;; LOGINDISABLED), and the GSSAPI / Kerberos V4 sections of RFC1731
+ ;; (with use of external program `imtest'), and RFC2971 (ID).  It also
+ ;; takes advantage of the UNSELECT extension in Cyrus IMAPD.
+ ;;
+@@ -140,8 +139,6 @@
+ (eval-and-compile
+   ;; For Emacs <22.2 and XEmacs.
+   (unless (fboundp 'declare-function) (defmacro declare-function (&rest _r)))
+-  (autoload 'starttls-open-stream "starttls")
+-  (autoload 'starttls-negotiate "starttls")
+   (autoload 'sasl-find-mechanism "sasl")
+   (autoload 'digest-md5-parse-digest-challenge "digest-md5")
+   (autoload 'digest-md5-digest-response "digest-md5")
+@@ -151,8 +148,7 @@
+   (autoload 'utf7-encode "utf7")
+   (autoload 'utf7-decode "utf7")
+   (autoload 'format-spec "format-spec")
+-  (autoload 'format-spec-make "format-spec")
+-  (autoload 'open-tls-stream "tls"))
++  (autoload 'format-spec-make "format-spec"))
+ 
+ ;; User variables.
+ 
+@@ -184,19 +180,6 @@ the list is tried until a successful connection is made."
+   :group 'imap
+   :type '(repeat string))
+ 
+-(defcustom imap-ssl-program '("openssl s_client -quiet -ssl3 -connect %s:%p"
+-			      "openssl s_client -quiet -ssl2 -connect %s:%p"
+-			      "s_client -quiet -ssl3 -connect %s:%p"
+-			      "s_client -quiet -ssl2 -connect %s:%p")
+-  "A string, or list of strings, containing commands for SSL connections.
+-Within a string, %s is replaced with the server address and %p with
+-port number on server.  The program should accept IMAP commands on
+-stdin and return responses to stdout.  Each entry in the list is tried
+-until a successful connection is made."
+-  :group 'imap
+-  :type '(choice string
+-		 (repeat string)))
+-
+ (defcustom imap-shell-program '("ssh %s imapd"
+ 				"rsh %s imapd"
+ 				"ssh %g ssh %s imapd"
+@@ -718,7 +701,8 @@ sure of changing the value of `foo'."
+   (let* ((port (or port imap-default-tls-port))
+ 	 (coding-system-for-read imap-coding-system-for-read)
+ 	 (coding-system-for-write imap-coding-system-for-write)
+-	 (process (open-tls-stream name buffer server port)))
++	 (process (open-network-stream name buffer server port
++                                       :type 'tls)))
+     (when process
+       (while (and (memq (process-status process) '(open run))
+ 		  ;; FIXME: Per the "blue moon" comment, the process/buffer
+@@ -803,34 +787,23 @@ sure of changing the value of `foo'."
+   (imap-capability 'STARTTLS buffer))
+ 
+ (defun imap-starttls-open (name buffer server port)
++  (message "imap: Connecting with STARTTLS...")
+   (let* ((port (or port imap-default-port))
+ 	 (coding-system-for-read imap-coding-system-for-read)
+ 	 (coding-system-for-write imap-coding-system-for-write)
+-	 (process (starttls-open-stream name buffer server port))
+-	 done tls-info)
+-    (message "imap: Connecting with STARTTLS...")
+-    (when process
+-      (while (and (memq (process-status process) '(open run))
+-		  (set-buffer buffer) ;; XXX "blue moon" nntp.el bug
+-		  (goto-char (point-max))
+-		  (forward-line -1)
+-		  (not (imap-parse-greeting)))
+-	(accept-process-output process 1)
+-	(sit-for 1))
+-      (imap-send-command "STARTTLS")
+-      (while (and (memq (process-status process) '(open run))
+-		  (set-buffer buffer) ;; XXX "blue moon" nntp.el bug
+-		  (goto-char (point-max))
+-		  (forward-line -1)
+-		  (not (re-search-forward "[0-9]+ OK.*\r?\n" nil t)))
+-	(accept-process-output process 1)
+-	(sit-for 1))
+-      (imap-log buffer)
+-      (when (and (setq tls-info (starttls-negotiate process))
+-		 (memq (process-status process) '(open run)))
+-	(setq done process)))
+-    (if (stringp tls-info)
+-	(message "imap: STARTTLS info: %s" tls-info))
++	 (process (open-network-stream
++                   name buffer server port
++                   :type 'starttls
++                   :capability-command "1 CAPABILITY\r\n"
++                   :always-query-capabilities t
++                   :end-of-command "\r\n"
++                   :success " OK "
++                   :starttls-function
++                   (lambda (capabilities)
++                     (when (string-match-p "STARTTLS" capabilities)
++                       "1 STARTTLS\r\n"))))
++         (done (and process
++                    (memq (process-status process) '(open run)))))
+     (message "imap: Connecting with STARTTLS...%s" (if done "done" "failed"))
+     done))
+ 
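Review bot: in the rewritten imap-starttls-open, `done` is derived only from (memq (process-status process) '(open run)), which shows that the connection is alive, not that the STARTTLS upgrade took place. The removed code set `done` only after starttls-negotiate returned non-nil. The :starttls-function lambda returns nil when the server does not advertise STARTTLS, so the function now depends entirely on open-network-stream refusing to hand back a plaintext stream for :type 'starttls. Please confirm that behaviour against the network-stream.el shipped in 24.5, or pass :return-list t and check the reported :type before setting `done`. The rewrite also drops the (imap-log buffer) call, so the greeting and the STARTTLS exchange no longer reach the IMAP log.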
diff -Nru emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch
--- emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs24-24.5+1/debian/patches/0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch	2017-04-22 12:32:14.000000000 -0500
@@ -0,0 +1,62 @@
+From 088b2e039897fcf9e2eea00f580a2c5d87eba781 Mon Sep 17 00:00:00 2001
+From: Rob Browning <rlb@defaultvalue.org>
+Date: Sat, 22 Apr 2017 12:02:00 -0500
+Subject: openssl s_client is no longer a default for ssl connections
+
+"s_client is a debug tool, it does not set up a secure connection, it
+ignores all errors and just continues.  It also doesn't do checks it
+should be doing.  This is all documented behaviour." -- Kurt Roeckx
+
+Bug-Debian: https://bugs.debian.org/766397
+---
+ lisp/net/tls.el | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/lisp/net/tls.el b/lisp/net/tls.el
+index 68a3ff6ae0a..287de40fa8d 100644
+--- a/lisp/net/tls.el
++++ b/lisp/net/tls.el
+@@ -78,8 +78,7 @@ and `gnutls-cli' (version 2.0.1) output."
+ 
+ (defcustom tls-program
+   '("gnutls-cli --x509cafile %t -p %p %h"
+-    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
+-    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
++    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
+   "List of strings containing commands to start TLS stream to a host.
+ Each entry in the list is tried until a connection is successful.
+ %h is replaced with server hostname, %p with port to connect to.
+@@ -93,20 +92,17 @@ successful negotiation."
+   '(choice
+     (const :tag "Default list of commands"
+ 	   ("gnutls-cli --x509cafile %t -p %p %h"
+-	    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
+-	    "openssl s_client -CAfile %t -connect %h:%p -no_ssl2 -ign_eof"))
++	    "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"))
+     (list :tag "Choose commands"
+ 	  :value
+ 	  ("gnutls-cli --x509cafile %t -p %p %h"
+-	   "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3"
+-	   "openssl s_client -connect %h:%p -no_ssl2 -ign_eof")
++	   "gnutls-cli --x509cafile %t -p %p %h --protocols ssl3")
+ 	  (set :inline t
+ 	       ;; FIXME: add brief `:tag "..."' descriptions.
+ 	       ;; (repeat :inline t :tag "Other" (string))
+ 	       ;; No trust check:
+ 	       (const "gnutls-cli --insecure -p %p %h")
+-	       (const "gnutls-cli --insecure -p %p %h --protocols ssl3")
+-	       (const "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"))
++	       (const "gnutls-cli --insecure -p %p %h --protocols ssl3"))
+ 	  (repeat :inline t :tag "Other" (string)))
+     (list :tag "List of commands"
+ 	  (repeat :tag "Command" (string))))
+@@ -137,8 +133,7 @@ consider trustworthy, e.g.:
+ 
+ \(setq tls-program
+       '(\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h\"
+-	\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"
+-	\"openssl s_client -connect %h:%p -CAfile /etc/ssl/certs/ca-certificates.crt -no_ssl2 -ign_eof\"))"
++	\"gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h --protocols ssl3\"))"
+   :type '(choice (const :tag "Always" t)
+ 		 (const :tag "Never" nil)
+ 		 (const :tag "Ask" ask))
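Review bot: the customize :type in the "@@ -93,20 +92,17 @@" hunk still offers "gnutls-cli --insecure -p %p %h" and its ssl3 variant under the "No trust check" comment, so the unverified-connection problem that the header quotes as the reason for dropping s_client stays selectable from Customize. The default list also keeps the "--protocols ssl3" entry as its second command. If both are deliberately left for a follow-up, say so in the description; otherwise remove them in this patch as well. Note too that only the default value of tls-program changes here, so a saved customization that contains the openssl s_client command keeps using it; a NEWS or changelog line telling users to re-check tls-program would cover that case.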
diff -Nru emacs24-24.5+1/debian/patches/series emacs24-24.5+1/debian/patches/series
--- emacs24-24.5+1/debian/patches/series	2017-04-10 18:30:21.000000000 -0500
+++ emacs24-24.5+1/debian/patches/series	2017-04-22 12:32:14.000000000 -0500
@@ -24,3 +24,6 @@
 0024-Remove-insecure-from-gnutls-cli-invocation.patch
 0025-Refactor-out-gnutls-trustfiles.patch
 0026-Make-tls.el-use-trustfiles-by-default.patch
+0027-Emacs-shouldn-t-segfault-when-gcc-expects-nopie.patch
+0028-IMAP-connections-no-longer-use-openssl-s_client.patch
+0029-openssl-s_client-is-no-longer-a-default-for-ssl-conn.patch
unblock emacs24/24.5+1-10

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

--- End Message ---
--- Begin Message ---
Rob Browning:
> 
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package emacs24
> 
> This upload is intended to fix the openssl s_client issue, and to
> address intermittent build failures that may be related to the
> -no-pie/-nopie issue already addressed in emacs25.
> 
> 
> 
> 
> unblock emacs24/24.5+1-10
> 
> Thanks
> 

Unblocked, thanks. :)

~Niels

--- End Message ---
