From: Rob Browning
Newsgroups: gmane.emacs.bugs
Subject: bug#17428: Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages
Date: Tue, 06 May 2014 22:38:07 -0500
Message-ID: <87r4466yxs.fsf@trouble.defaultvalue.org>
References: <20140505143834.GA5032@steve.org.uk>
To: 17428@debbugs.gnu.org
Cc: Steve Kemp, 747100@bugs.debian.org, 747100-forwarded@bugs.debian.org

[If possible, please preserve the 747100-forwarded address in any replies.]

The following bug was recently filed against the emacs23 package, and
after some preliminary research, it appears that the security issues
mentioned may still apply to 24.3. (Though it looks like the relevant
tramp file may now be tramp-sh.el).

Steve Kemp writes:

> Package: emacs23
> Version: 23.4+1-4
> Severity: important
>
> There are several tempfile-vulnerabilities present in the Emacs Lisp
> bundled and distributed with the emacs23 package.
>
> Here are four brief pointers to unsafe code:
>
> lisp/gnus/gnus-fun.el:
> In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
> used, blindly allowing the existing file to be truncated, and symlinks
> followed.
>
> lisp/emacs-lisp/find-gc.el:
> In the function `trace-call-tree` there are some horrific invocations
> of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".
>
> lisp/net/browse-url.el
> In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
> overwritten. Suspect this whole function is obsolete though :)
>
> lisp/net/tramp.el
> The function `tramp-uudecode`, a fallback if a real uudecoding binary
> is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
> the file.
>
>
> I suspect that each should receive a CVE identifier.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
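
The fixed-name pattern the report describes, next to the usual Emacs Lisp replacement, as an added example that is not part of the original message and not code from Emacs. All `demo-` names, the file contents and the scratch directory standing in for /tmp are assumptions made for illustration.

```elisp
;;; Added example, not code from Emacs.  All `demo-' names are hypothetical.
;;; Everything happens in a private scratch directory standing in for /tmp.
;;; Run with: emacs --batch -l tempfile-demo.el

(defun demo-write-fixed-name (file data)
  "Reported pattern: write DATA to the predictable name FILE.
Whatever FILE already is gets truncated, and a symlink is followed."
  (write-region data nil file nil 'silent))

(defun demo-write-private-temp (prefix suffix data)
  "Hardened pattern: write DATA to a file made by `make-temp-file'.
The name is unpredictable and the file is created exclusively, so an
existing file or symlink is never opened.  Return the new file name."
  (let ((file (make-temp-file prefix nil suffix)))
    (write-region data nil file nil 'silent)
    file))

(defun demo-contents (file)
  "Return the contents of FILE as a string."
  (with-temp-buffer
    (insert-file-contents file)
    (buffer-string)))

(defun demo-run ()
  "Return the bystander file's contents after the fixed-name write and
after the `make-temp-file' write, as (AFTER-FIXED . AFTER-TEMP)."
  (let* ((dir (make-temp-file "tmpdemo-" t))
         (temporary-file-directory (file-name-as-directory dir))
         (bystander (expand-file-name "bystander.txt" dir))
         (fixed (expand-file-name "gnus.face.ppm" dir))
         after-fixed after-temp)
    (unwind-protect
        (progn
          (write-region "important data" nil bystander nil 'silent)
          ;; Constructed precondition: the predictable name already
          ;; exists as a symlink to some other file.
          (make-symbolic-link bystander fixed)
          (demo-write-fixed-name fixed "image bytes")
          (setq after-fixed (demo-contents bystander))
          (write-region "important data" nil bystander nil 'silent)
          (demo-write-private-temp "gnus.face." ".ppm" "image bytes")
          (setq after-temp (demo-contents bystander))
          (cons after-fixed after-temp))
      (delete-directory dir t))))

(message "%S" (demo-run))
```

The first element of the result shows the bystander file replaced through the symlink by the fixed-name write; the second shows it untouched when the data goes to a `make-temp-file` name instead.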