From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#29182: CVE-2017-1000383: umask and backup files
Date: Sun, 6 Oct 2019 06:08:56 +0200
To: Eli Zaretskii
Cc: 29182@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Eli Zaretskii writes:

>> From: Glenn Morris
>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>
>> Rightly or wrongly, distributions etc. pay attention to CVEs, so I think
>> an official response from Emacs on this issue would be good.
>
> I'm not sure how we should provide an official response there. The
> list there is mostly of issues with very old versions, and there's a
> reference to bug reports which were closed. What else is needed? And
> what's the procedure?

OK, so this is almost 2 years old now, but I've looked into it a bit.

This CVE has been rejected by at least Debian ("this CVE assignment is
nonsense"), Red Hat (bug has status "CLOSED WONTFIX") and Gentoo (bug has
status "INVALID"). I think it's fair to say that we don't want to "fix"
this, since it should not really have been a CVE in the first place.

I suggest the following:

1. There is a CVE status called "disputed". We should try to acquire that
   status. More information at:

   https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry

   It would be good if someone more senior than me tried to contact MITRE,
   who handle the CVE, to see how that works. AFAICT, the way to contact
   them is through this web form:

   https://cveform.mitre.org/

2. Tag this bug as wontfix.

If MITRE don't reply, or do nothing -- fine, we close the bug. If they do
reply, or better yet add the status "disputed" -- good, it's there for
posterity. We then close the bug.

Best regards,
Stefan Kangas

PS. This CVE has the tag "withdrawn" in a GitHub repository which seems to
be handled by the CVE team at MITRE. Not sure what that means, if anything,
but it seemed interesting enough to mention.

https://github.com/CVEProject/cvelist/pull/19