* bug#29182: CVE-2017-1000383: umask and backup files
@ 2017-11-06 21:56 Glenn Morris
2017-11-07 1:57 ` Glenn Morris
2019-10-06 4:08 ` Stefan Kangas
0 siblings, 2 replies; 10+ messages in thread
From: Glenn Morris @ 2017-11-06 21:56 UTC (permalink / raw)
To: 29182
Package: emacs
Version: 25.3
Tags: security
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000383
GNU Emacs version 25.3.1 (and other versions most likely) ignores umask
when creating a backup save file ("[ORIGINAL_FILENAME]~") resulting in
files that may be world readable or otherwise accessible in ways not
intended by the user running the emacs binary.
[I'm not sure why this apparently hasn't been reported here before now?]
^ permalink raw reply [flat|nested] 10+ messages in thread* bug#29182: CVE-2017-1000383: umask and backup files 2017-11-06 21:56 bug#29182: CVE-2017-1000383: umask and backup files Glenn Morris @ 2017-11-07 1:57 ` Glenn Morris 2017-11-07 19:29 ` Glenn Morris 2019-10-06 4:08 ` Stefan Kangas 1 sibling, 1 reply; 10+ messages in thread From: Glenn Morris @ 2017-11-07 1:57 UTC (permalink / raw) To: 29182 I think the actual complaint appears at http://seclists.org/oss-sec/2017/q4/159 and could be summarized as "if you create a file, then make your umask more restrictive, then edit it with Emacs, the backup file inherits the same permissions as the original file, not the more restrictive umask permissions". Eg: umask 002 touch foo ls -l foo # -> -rw-rw-r-- umask 007 emacs-25.3 -Q foo make some changes and save touch foo2 ls -l foo* foo -rw-rw-r--. foo~ -rw-rw-r--. foo2 -rw-rw----. (With backup-by-copying non-nil, the result is the same.) I don't really know what my opinion of this issue is... I imagine I would have made the same reply as http://seclists.org/oss-sec/2017/q4/184 [Emacs] copies the permission from the file being edited. Although the [backup] file is readable by others this does not leak any information here, since the file being edited is already readable by others. but this is dismissed with: ...it doesn't matter because a security assertion made via umask is being violated, so it wins a CVE. Also for example if you later delete that file and think you're safe the copy is still floating around world readable. Or you have something indexing the files and ignoring that file type, and the [~] gets indexed, and so on. Anyway, you can probably find every shade of opinion on what to do about this already expressed in that oss-sec thread or the related vim one. I think I've found it useful many, many times that ~ files have the same permissions as the originals. ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#29182: CVE-2017-1000383: umask and backup files 2017-11-07 1:57 ` Glenn Morris @ 2017-11-07 19:29 ` Glenn Morris 2017-11-13 22:04 ` Glenn Morris 0 siblings, 1 reply; 10+ messages in thread From: Glenn Morris @ 2017-11-07 19:29 UTC (permalink / raw) To: 29182 One solution is to put backup files in a single (private) location, rather than alongside the original file. This is achievable in Emacs with eg (setq backup-directory-alist '(("\\`/[^/|:][^/|]*:") ("." . "<HOME>/.emacs.d/backups"))) where ~/.emacs.d/backups is created mode 700. I've used this in my personal config for years. A very brief search suggests that this seems to be what newer editors (eg LibreOffice) do for backup files. ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#29182: CVE-2017-1000383: umask and backup files 2017-11-07 19:29 ` Glenn Morris @ 2017-11-13 22:04 ` Glenn Morris 2017-11-14 15:24 ` Eli Zaretskii 0 siblings, 1 reply; 10+ messages in thread From: Glenn Morris @ 2017-11-13 22:04 UTC (permalink / raw) To: 29182 Rightly or wrong, distributions etc pay attention to CVEs, so I think an official response from Emacs on this issue would be good. (My personal favourite is https://security-tracker.debian.org/tracker/CVE-2017-1000383 ) ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#29182: CVE-2017-1000383: umask and backup files 2017-11-13 22:04 ` Glenn Morris @ 2017-11-14 15:24 ` Eli Zaretskii 0 siblings, 0 replies; 10+ messages in thread From: Eli Zaretskii @ 2017-11-14 15:24 UTC (permalink / raw) To: Glenn Morris; +Cc: 29182 > From: Glenn Morris <rgm@gnu.org> > Date: Mon, 13 Nov 2017 17:04:55 -0500 > > Rightly or wrong, distributions etc pay attention to CVEs, so I think > an official response from Emacs on this issue would be good. I'm not sure how should we provide an official response there. The list there is mostly of issues with very old versions, and there's a reference to bug reports which were closed. What else is needed? And what's the procedure? ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#29182: CVE-2017-1000383: umask and backup files 2017-11-06 21:56 bug#29182: CVE-2017-1000383: umask and backup files Glenn Morris 2017-11-07 1:57 ` Glenn Morris @ 2019-10-06 4:08 ` Stefan Kangas 2019-10-06 13:17 ` Noam Postavsky ` (2 more replies) 1 sibling, 3 replies; 10+ messages in thread From: Stefan Kangas @ 2019-10-06 4:08 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 29182 Eli Zaretskii <eliz@gnu.org> writes: >> From: Glenn Morris <rgm@gnu.org> >> Date: Mon, 13 Nov 2017 17:04:55 -0500 >> >> Rightly or wrong, distributions etc pay attention to CVEs, so I think >> an official response from Emacs on this issue would be good. > > I'm not sure how should we provide an official response there. The > list there is mostly of issues with very old versions, and there's a > reference to bug reports which were closed. What else is needed? And > what's the procedure? OK, so this is almost 2 years old now, but I've looked into it a bit. This CVE has been rejected by at least Debian ("this CVE assignment is nonsense"), Redhat (bug has status "CLOSED WONTFIX") and Gentoo (bug has status "INVALID"). I think it's fair to say that we don't want to "fix" this, since it should not really have been a CVE in the first place. I suggest to do the following: 1. There is a CVE status called disputed. We should try to acquire that status. More information at: https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry It would be good if someone more senior than me tried to contact MITRE, who handles the CVE to see how that works. AFAICT, the way to contact them is through this web form: https://cveform.mitre.org/ 2. Tag this bug as wontfix. If MITRE don't reply, or do nothing -- fine, we close the bug. If they do reply, or better yet add the status disputed -- good, it's there for posterity. We then close the bug. Best regards, Stefan Kangas PS. This CVE has the tag "withdrawn" in a Github repository which seems to be handled by the CVE team at MITRE. Not sure what that means, if anything, but it seemed interesting enough to mention. https://github.com/CVEProject/cvelist/pull/19 ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#29182: CVE-2017-1000383: umask and backup files 2019-10-06 4:08 ` Stefan Kangas @ 2019-10-06 13:17 ` Noam Postavsky 2019-10-08 6:05 ` Glenn Morris 2020-08-10 16:25 ` Stefan Kangas 2 siblings, 0 replies; 10+ messages in thread From: Noam Postavsky @ 2019-10-06 13:17 UTC (permalink / raw) To: Stefan Kangas; +Cc: 29182 Stefan Kangas <stefan@marxist.se> writes: > PS. This CVE has the tag "withdrawn" in a Github repository which seems > to be handled by the CVE team at MITRE. Not sure what that means, if > anything, but it seemed interesting enough to mention. > > https://github.com/CVEProject/cvelist/pull/19 I think it's just that specific pull request which has status "withdrawn", because it accidentally lumps together unrelated commits. The CVE file itself doesn't mention anything about "withdrawn". https://github.com/CVEProject/cvelist/blob/master/2017/1000xxx/CVE-2017-1000383.json ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#29182: CVE-2017-1000383: umask and backup files 2019-10-06 4:08 ` Stefan Kangas 2019-10-06 13:17 ` Noam Postavsky @ 2019-10-08 6:05 ` Glenn Morris 2019-10-08 9:24 ` Stefan Kangas 2020-08-10 16:25 ` Stefan Kangas 2 siblings, 1 reply; 10+ messages in thread From: Glenn Morris @ 2019-10-08 6:05 UTC (permalink / raw) To: Stefan Kangas; +Cc: 29182 It is a silly CVE, but IMO backups belong by default in a private subdirectory of user-emacs-directory (user-data-directory if such a thing existed). ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#29182: CVE-2017-1000383: umask and backup files 2019-10-08 6:05 ` Glenn Morris @ 2019-10-08 9:24 ` Stefan Kangas 0 siblings, 0 replies; 10+ messages in thread From: Stefan Kangas @ 2019-10-08 9:24 UTC (permalink / raw) To: Glenn Morris; +Cc: 29182 Glenn Morris <rgm@gnu.org> writes: > It is a silly CVE, but IMO backups belong by default in a private > subdirectory of user-emacs-directory (user-data-directory if such a > thing existed). That's what I do, personally. But it's not unproblematic to do that by default, in my opinion. What if I'm editing a file on an encrypted filesystem, thinking that it's safe there, and Emacs silently saves a copy of said file in my home directory on an unencrypted file system? Best regards, Stefan Kangas ^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#29182: CVE-2017-1000383: umask and backup files 2019-10-06 4:08 ` Stefan Kangas 2019-10-06 13:17 ` Noam Postavsky 2019-10-08 6:05 ` Glenn Morris @ 2020-08-10 16:25 ` Stefan Kangas 2 siblings, 0 replies; 10+ messages in thread From: Stefan Kangas @ 2020-08-10 16:25 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Glenn Morris, 29182-done Stefan Kangas <stefan@marxist.se> writes: > Eli Zaretskii <eliz@gnu.org> writes: > >>> From: Glenn Morris <rgm@gnu.org> >>> Date: Mon, 13 Nov 2017 17:04:55 -0500 >>> >>> Rightly or wrong, distributions etc pay attention to CVEs, so I think >>> an official response from Emacs on this issue would be good. >> >> I'm not sure how should we provide an official response there. The >> list there is mostly of issues with very old versions, and there's a >> reference to bug reports which were closed. What else is needed? And >> what's the procedure? > > OK, so this is almost 2 years old now, but I've looked into it a bit. That was 44 weeks ago. > This CVE has been rejected by at least Debian ("this CVE assignment is > nonsense"), Redhat (bug has status "CLOSED WONTFIX") and Gentoo (bug has > status "INVALID"). > > I think it's fair to say that we don't want to "fix" this, since it > should not really have been a CVE in the first place. > > I suggest to do the following: > > 1. There is a CVE status called disputed. We should try to acquire that > status. More information at: > https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry > > It would be good if someone more senior than me tried to contact > MITRE, who handles the CVE to see how that works. AFAICT, the way to > contact them is through this web form: https://cveform.mitre.org/ > > 2. Tag this bug as wontfix. > > If MITRE don't reply, or do nothing -- fine, we close the bug. If they > do reply, or better yet add the status disputed -- good, it's there for > posterity. We then close the bug. No one seemed interested in doing (1) and I've tagged the bug as proposed in (2). I'm therefore closing this bug report now. Best regards, Stefan Kangas ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2020-08-10 16:25 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-11-06 21:56 bug#29182: CVE-2017-1000383: umask and backup files Glenn Morris 2017-11-07 1:57 ` Glenn Morris 2017-11-07 19:29 ` Glenn Morris 2017-11-13 22:04 ` Glenn Morris 2017-11-14 15:24 ` Eli Zaretskii 2019-10-06 4:08 ` Stefan Kangas 2019-10-06 13:17 ` Noam Postavsky 2019-10-08 6:05 ` Glenn Morris 2019-10-08 9:24 ` Stefan Kangas 2020-08-10 16:25 ` Stefan Kangas
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/emacs.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).