* bug#17428: Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages
From: Rob Browning @ 2014-05-07 3:38 UTC
To: 17428; +Cc: Steve Kemp, 747100, 747100-forwarded

[If possible, please preserve the 747100-forwarded address in any replies.]

The following bug was recently filed against the emacs23 package, and
after some preliminary research, it appears that the security issues
mentioned may still apply to 24.3. (Though it looks like the relevant
tramp file may now be tramp-sh.el).

Steve Kemp <steve@steve.org.uk> writes:

> Package: emacs23
> Version: 23.4+1-4
> Severity: important
>
> There are several tempfile-vulnerabilities present in the Emacs Lisp
> bundled and distributed with the emacs23 package.
>
> Here are four brief pointers to unsafe code:
>
> lisp/gnus/gnus-fun.el:
> In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
> used, blindly allowing the existing file to be truncated, and symlinks
> followed.
>
> lisp/emacs-lisp/find-gc.el:
> In the function `trace-call-tree` there are some horrific invocations
> of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".
>
> lisp/net/browse-url.el
> In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
> overwritten. Suspect this whole function is obsolete though :)
>
> lisp/net/tramp.el
> The function `tramp-uudecode`, a fallback if a real uudecoding binary
> is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
> the file.
>
>
> I suspect that each should receive a CVE identifier.
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
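
The failure mode the report above describes (a fixed name under /tmp being truncated through a symlink), shown next to exclusive creation and make-temp-file. This is an added Emacs Lisp example, not code from the thread or from Emacs itself; the demo-* function names, the sandbox directory standing in for /tmp and the file contents are constructed for illustration.

```elisp
;;; Added illustration, not Emacs source.  Run with: emacs --batch -l FILE
;; A private sandbox directory stands in for a world-writable /tmp;
;; every file name and string below is constructed for the demo.

(defun demo-unsafe-write (path text)
  "Write TEXT to the fixed PATH, truncating it and following symlinks."
  (write-region text nil path nil 'silent))

(defun demo-safe-write (dir text)
  "Write TEXT to a fresh, unpredictably named file in DIR; return its name.
`make-temp-file' creates the file exclusively, so an existing path is never reused."
  (let* ((temporary-file-directory (file-name-as-directory dir))
         (file (make-temp-file "gnus-face" nil ".ppm")))
    (write-region text nil file nil 'silent)
    file))

(defun demo-file-string (path)
  "Return the contents of PATH as a string."
  (with-temp-buffer
    (insert-file-contents path)
    (buffer-string)))

(defun demo-run ()
  "Return (VICTIM-AFTER-UNSAFE EXCL-OUTCOME VICTIM-AFTER-SAFE)."
  (let* ((sandbox (make-temp-file "tmpdemo" t)) ; private directory
         (victim (expand-file-name "victim.txt" sandbox))
         (fixed (expand-file-name "gnus.face.ppm" sandbox))
         unsafe excl safe)
    (unwind-protect
        (progn
          (write-region "important data" nil victim nil 'silent)
          ;; The predictable name already exists as a symlink to VICTIM.
          (make-symbolic-link victim fixed)
          (demo-unsafe-write fixed "P6 image bytes")
          (setq unsafe (demo-file-string victim)) ; victim was overwritten
          (write-region "important data" nil victim nil 'silent) ; restore
          ;; Same fixed name, but MUSTBENEW = excl refuses an existing path.
          (setq excl (condition-case nil
                         (progn (write-region "P6" nil fixed nil 'silent nil 'excl)
                                'written)
                       (file-already-exists 'refused)))
          (demo-safe-write sandbox "P6 image bytes")
          (setq safe (demo-file-string victim))) ; victim untouched
      (delete-directory sandbox t))
    (list unsafe excl safe)))

(message "%S" (demo-run))
```
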
* bug#17428: Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages
From: Glenn Morris @ 2014-05-07 3:48 UTC
To: Rob Browning; +Cc: Steve Kemp, 17428

>> lisp/gnus/gnus-fun.el:
>> In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
>> used, blindly allowing the existing file to be truncated, and symlinks
>> followed.

http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html

>> lisp/emacs-lisp/find-gc.el:
>> In the function `trace-call-tree` there are some horrific invocations
>> of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".

http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html

>> lisp/net/browse-url.el
>> In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
>> overwritten. Suspect this whole function is obsolete though :)

Not an (Emacs) bug.
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html

>> lisp/net/tramp.el
>> The function `tramp-uudecode`, a fallback if a real uudecoding binary
>> is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
>> the file.

http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00060.html

* bug#17428: Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages
From: Steve Kemp @ 2014-05-08 9:02 UTC
To: 17428; +Cc: 747100

These issues have now had several CVE identifiers associated with
them, for future tracking:

http://www.openwall.com/lists/oss-security/2014/03/14/5

Steve
--
http://www.steve.org.uk/

* bug#17428: Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages
From: Steve Kemp @ 2014-05-08 9:03 UTC
To: 17428; +Cc: 747100

Clearly I'm an idiot, the correct link is this:

http://www.openwall.com/lists/oss-security/2014/05/07/7

Steve
--
http://www.steve.org.uk/

* bug#17428: emacs23: Insecure use of temporary files in included lisp libraries/packages
From: Glenn Morris @ 2014-05-08 16:22 UTC
To: Steve Kemp; +Cc: 17428

Steve Kemp wrote:

> http://www.openwall.com/lists/oss-security/2014/05/07/7

OK. For the record I don't think any of these issues are anything but
trivial in practice, except possibly the tramp one.

find-gc.el looked completely broken, I doubt anyone had used it in ~ a
decade.

I see they still want us to do something about the Mosaic one, sigh.
So I will do something for that. Someone would have to actively
configure their system to use mosaic, or have no other browser program
installed except xmosaic, for this to even potentially be an issue.

I see Mosaic got some CVEs out of this too. :)

The gnus-fun one is some obscure thing to do with xawtv. Again I guess
it doesn't have (m)any users, or doesn't even work any more, since it
relies on files /tftpboot/sparky/tmp/snap.*ppm existing.

But yes, they should all be fixed.

* bug#17428: emacs23: Insecure use of temporary files in included lisp libraries/packages
From: Glenn Morris @ 2014-05-08 18:14 UTC
To: Steve Kemp; +Cc: 17428

I think this handles the Mosaic one:

http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00084.html

All these things will be fixed in Emacs 24.3.91 pretest, Emacs 24.4 release.

* bug#17428: emacs23: Insecure use of temporary files in included lisp libraries/packages
From: Steve Kemp @ 2014-05-08 16:34 UTC
To: Glenn Morris; +Cc: 17428

> OK. For the record I don't think any of these issues are anything but
> trivial in practice, except possibly the tramp one.
>

Agreed 100%.

> I see Mosaic got some CVEs out of this too. :)

Yeah, that was a surprise :)

Steve
--
http://www.steve.org.uk/