From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Rob Browning <rlb@defaultvalue.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#17428: Bug#747100: emacs23: Insecure use of temporary files in
	included lisp libraries/packages
Date: Tue, 06 May 2014 22:38:07 -0500
Message-ID: <87r4466yxs.fsf@trouble.defaultvalue.org>
References: <20140505143834.GA5032@steve.org.uk>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1399433963 22985 80.91.229.3 (7 May 2014 03:39:23 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Wed, 7 May 2014 03:39:23 +0000 (UTC)
Cc: Steve Kemp <steve@steve.org.uk>, 747100@bugs.debian.org,
	747100-forwarded@bugs.debian.org
To: 17428@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Wed May 07 05:39:16 2014
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1WhshO-0007NN-TK
	for geb-bug-gnu-emacs@m.gmane.org; Wed, 07 May 2014 05:39:15 +0200
Original-Received: from localhost ([::1]:38339 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1WhshO-0002Ow-Es
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 06 May 2014 23:39:14 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:33731)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1WhshH-0002Op-Kj
	for bug-gnu-emacs@gnu.org; Tue, 06 May 2014 23:39:12 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1WhshC-0005ii-NC
	for bug-gnu-emacs@gnu.org; Tue, 06 May 2014 23:39:07 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:36028)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1WhshC-0005id-Kf
	for bug-gnu-emacs@gnu.org; Tue, 06 May 2014 23:39:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1WhshC-0006BJ-9u
	for bug-gnu-emacs@gnu.org; Tue, 06 May 2014 23:39:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Rob Browning <rlb@defaultvalue.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Wed, 07 May 2014 03:39:02 +0000
Resent-Message-ID: <handler.17428.B.139943391723715@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 17428
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
Original-Received: via spool by submit@debbugs.gnu.org id=B.139943391723715
	(code B ref -1); Wed, 07 May 2014 03:39:02 +0000
Original-Received: (at submit) by debbugs.gnu.org; 7 May 2014 03:38:37 +0000
Original-Received: from localhost ([127.0.0.1]:53379 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1Whsgm-0006AR-Rv
	for submit@debbugs.gnu.org; Tue, 06 May 2014 23:38:37 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:60160)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <rlb@defaultvalue.org>) id 1Whsgl-0006AC-44
	for submit@debbugs.gnu.org; Tue, 06 May 2014 23:38:35 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rlb@defaultvalue.org>) id 1Whsga-0005eT-VV
	for submit@debbugs.gnu.org; Tue, 06 May 2014 23:38:29 -0400
Original-Received: from lists.gnu.org ([2001:4830:134:3::11]:38404)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rlb@defaultvalue.org>) id 1Whsga-0005eP-Sk
	for submit@debbugs.gnu.org; Tue, 06 May 2014 23:38:24 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:33639)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rlb@defaultvalue.org>) id 1WhsgW-0002Mn-A8
	for bug-gnu-emacs@gnu.org; Tue, 06 May 2014 23:38:24 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rlb@defaultvalue.org>) id 1WhsgN-0005b2-FY
	for bug-gnu-emacs@gnu.org; Tue, 06 May 2014 23:38:20 -0400
Original-Received: from defaultvalue.org ([70.85.129.156]:41688)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rlb@defaultvalue.org>) id 1WhsgN-0005aX-AQ
	for bug-gnu-emacs@gnu.org; Tue, 06 May 2014 23:38:11 -0400
Original-Received: from trouble.defaultvalue.org (localhost [127.0.0.1])
	(Authenticated sender: rlb@defaultvalue.org)
	by defaultvalue.org (Postfix) with ESMTPSA id 1A27B205EF;
	Tue,  6 May 2014 22:38:09 -0500 (CDT)
Original-Received: by trouble.defaultvalue.org (Postfix, from userid 1000)
	id 32AEE14E0AD; Tue,  6 May 2014 22:38:07 -0500 (CDT)
In-Reply-To: <20140505143834.GA5032@steve.org.uk>
User-Agent: Notmuch/0.18~rc0 (http://notmuchmail.org) Emacs/24.3.1
	(x86_64-pc-linux-gnu)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
	(bad octet value).
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:88721
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/88721>

[If possible, please preserve the 747100-forwarded address in any replies.]

The following bug was recently filed against the emacs23 package, and
after some preliminary research, it appears that the security issues
mentioned may still apply to 24.3.  (Though it looks like the relevant
tramp file may now be tramp-sh.el).

Steve Kemp <steve@steve.org.uk> writes:

> Package: emacs23
> Version: 23.4+1-4
> Severity: important
>
> There are several tempfile-vulnerabilities present in the Emacs Lisp
> bundled and distributed with the emacs23 package.
>
> Here are four brief pointers to unsafe code:
>
> lisp/gnus/gnus-fun.el:
>   In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
>  used, blindly allowing the existing file to be truncated, and symlinks
>  followed.
>
> lisp/emacs-lisp/find-gc.el:
>   In the function `trace-call-tree` there are some horrific invocations
>  of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".
>
> lisp/net/browse-url.el
>   In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
>  overwritten.  Suspect this whole function is obsolete though :)
>
> lisp/net/tramp.el
>   The function `tramp-uudecode`, a fallback if a real uudecoding binary
>  is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
>  the file.
>
>
> I suspect that each should receive a CVE identifier.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4