From: Stefan Kangas <stefan@marxist.se>
To: Eli Zaretskii <eliz@gnu.org>
Cc: 29182@debbugs.gnu.org
Subject: bug#29182: CVE-2017-1000383: umask and backup files
Date: Sun, 6 Oct 2019 06:08:56 +0200 [thread overview]
Message-ID: <CADwFkm=JSMFwMQ3uwQr3XO2hAoWo-b3dYLA84S_QFcOi6V2G-g@mail.gmail.com> (raw)
In-Reply-To: <v4lq7ysu5.fsf@fencepost.gnu.org>
Eli Zaretskii <eliz@gnu.org> writes:
>> From: Glenn Morris <rgm@gnu.org>
>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>
>> Rightly or wrong, distributions etc pay attention to CVEs, so I think
>> an official response from Emacs on this issue would be good.
>
> I'm not sure how should we provide an official response there. The
> list there is mostly of issues with very old versions, and there's a
> reference to bug reports which were closed. What else is needed? And
> what's the procedure?
OK, so this is almost 2 years old now, but I've looked into it a bit.
This CVE has been rejected by at least Debian ("this CVE assignment is
nonsense"), Redhat (bug has status "CLOSED WONTFIX") and Gentoo (bug has
status "INVALID").
I think it's fair to say that we don't want to "fix" this, since it
should not really have been a CVE in the first place.
I suggest to do the following:
1. There is a CVE status called disputed. We should try to acquire that
status. More information at:
https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry
It would be good if someone more senior than me tried to contact
MITRE, who handles the CVE to see how that works. AFAICT, the way to
contact them is through this web form: https://cveform.mitre.org/
2. Tag this bug as wontfix.
If MITRE don't reply, or do nothing -- fine, we close the bug. If they
do reply, or better yet add the status disputed -- good, it's there for
posterity. We then close the bug.
Best regards,
Stefan Kangas
PS. This CVE has the tag "withdrawn" in a Github repository which seems
to be handled by the CVE team at MITRE. Not sure what that means, if
anything, but it seemed interesting enough to mention.
https://github.com/CVEProject/cvelist/pull/19
next prev parent reply other threads:[~2019-10-06 4:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-06 21:56 bug#29182: CVE-2017-1000383: umask and backup files Glenn Morris
2017-11-07 1:57 ` Glenn Morris
2017-11-07 19:29 ` Glenn Morris
2017-11-13 22:04 ` Glenn Morris
2017-11-14 15:24 ` Eli Zaretskii
2019-10-06 4:08 ` Stefan Kangas [this message]
2019-10-06 13:17 ` Noam Postavsky
2019-10-08 6:05 ` Glenn Morris
2019-10-08 9:24 ` Stefan Kangas
2020-08-10 16:25 ` Stefan Kangas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADwFkm=JSMFwMQ3uwQr3XO2hAoWo-b3dYLA84S_QFcOi6V2G-g@mail.gmail.com' \
--to=stefan@marxist.se \
--cc=29182@debbugs.gnu.org \
--cc=eliz@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).