-rw-r--r-- | lisp/ChangeLog | 6 | ||||
-rw-r--r-- | lisp/net/browse-url.el | 35 |
2 files changed, 21 insertions, 20 deletions
diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 333bc7fcf90..a09dd63a34f 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,3 +1,9 @@
+2014-05-08 Glenn Morris <rgm@gnu.org>
+
+ * net/browse-url.el (browse-url-mosaic):
+ Be careful when writing /tmp/Mosaic.PID. (Bug#17428)
+ This is CVE-2014-3423.
+
 2014-05-08 Stefan Monnier <monnier@iro.umontreal.ca>
 
 * xt-mouse.el: Drop spurious/oddly shaped events (bug#17378).
diff --git a/lisp/net/browse-url.el b/lisp/net/browse-url.el
index 4364490f431..80dffb3fa4a 100644
--- a/lisp/net/browse-url.el
+++ b/lisp/net/browse-url.el
@@ -1333,31 +1333,26 @@ used instead of `browse-url-new-window-flag'."
 (let ((pidfile (expand-file-name browse-url-mosaic-pidfile))
 pid)
 (if (file-readable-p pidfile)
- (save-excursion
- (find-file pidfile)
- (goto-char (point-min))
- (setq pid (read (current-buffer)))
- (kill-buffer nil)))
- (if (and pid (zerop (signal-process pid 0))) ; Mosaic running
- (save-excursion
- ;; This is a predictable temp-file name, which is bad,
- ;; but it is what Mosaic uses/used.
- ;; So it's not Emacs's problem. http://bugs.debian.org/747100
- (find-file (format "/tmp/Mosaic.%d" pid))
- (erase-buffer)
- (insert (if (browse-url-maybe-new-window new-window)
- "newwin\n"
- "goto\n")
- url "\n")
- (save-buffer)
- (kill-buffer nil)
+ (with-temp-buffer
+ (insert-file-contents pidfile)
+ (setq pid (read (current-buffer)))))
+ (if (and (integerp pid) (zerop (signal-process pid 0))) ; Mosaic running
+ (progn
+ (with-temp-buffer
+ (insert (if (browse-url-maybe-new-window new-window)
+ "newwin\n"
+ "goto\n")
+ url "\n")
+ (if (file-exists-p (setq pidfile (format "/tmp/Mosaic.%d" pid)))
+ (delete-file pidfile))
+ ;; http://debbugs.gnu.org/17428. Use O_EXCL.
+ (write-region nil nil pidfile nil 'silent nil 'excl))
 ;; Send signal SIGUSR to Mosaic
 (message "Signaling Mosaic...")
 (signal-process pid 'SIGUSR1)
 ;; Or you could try:
 ;; (call-process "kill" nil 0 nil "-USR1" (int-to-string pid))
- (message "Signaling Mosaic...done")
- )
+ (message "Signaling Mosaic...done"))
 ;; Mosaic not running - start it
 (message "Starting %s..." browse-url-mosaic-program)
 (apply 'start-process "xmosaic" nil browse-url-mosaic-program
|
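Review bot: The `file-exists-p` guard before `delete-file` follows symlinks, so a dangling symlink already sitting at `/tmp/Mosaic.PID` is left in place and the `'excl` write then signals `file-already-exists` with no handler. Failing closed is the right result, but the guard should read `(if (or (file-exists-p pidfile) (file-symlink-p pidfile))`, and a comment such as `;; 'excl must stay: never fall back to a plain write if this signals.` would keep a later cleanup from weakening it. Rebinding `pidfile` to the command file inside the `file-exists-p` call is hard to read; a separate `let`-bound name would be clearer. The file also appears to be created with the default file modes, so the URL may be readable by other local users. browse-url-mosaic begins and ends outside the hunk.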