From: Stefan Kangas <stefan@marxist.se>
To: Eli Zaretskii <eliz@gnu.org>
Cc: Glenn Morris <rgm@gnu.org>, 29182-done@debbugs.gnu.org
Subject: bug#29182: CVE-2017-1000383: umask and backup files
Date: Mon, 10 Aug 2020 09:25:39 -0700 [thread overview]
Message-ID: <CADwFkm=gFVrPN0bTGB9jp52gCwGEtEMGVPEcBpbD3_LnQKC2QQ@mail.gmail.com> (raw)
In-Reply-To: <CADwFkm=JSMFwMQ3uwQr3XO2hAoWo-b3dYLA84S_QFcOi6V2G-g@mail.gmail.com> (Stefan Kangas's message of "Sun, 6 Oct 2019 06:08:56 +0200")
Stefan Kangas <stefan@marxist.se> writes:
> Eli Zaretskii <eliz@gnu.org> writes:
>
>>> From: Glenn Morris <rgm@gnu.org>
>>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>>
>>> Rightly or wrong, distributions etc pay attention to CVEs, so I think
>>> an official response from Emacs on this issue would be good.
>>
>> I'm not sure how should we provide an official response there. The
>> list there is mostly of issues with very old versions, and there's a
>> reference to bug reports which were closed. What else is needed? And
>> what's the procedure?
>
> OK, so this is almost 2 years old now, but I've looked into it a bit.
That was 44 weeks ago.
> This CVE has been rejected by at least Debian ("this CVE assignment is
> nonsense"), Redhat (bug has status "CLOSED WONTFIX") and Gentoo (bug has
> status "INVALID").
>
> I think it's fair to say that we don't want to "fix" this, since it
> should not really have been a CVE in the first place.
>
> I suggest to do the following:
>
> 1. There is a CVE status called disputed. We should try to acquire that
> status. More information at:
> https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry
>
> It would be good if someone more senior than me tried to contact
> MITRE, who handles the CVE to see how that works. AFAICT, the way to
> contact them is through this web form: https://cveform.mitre.org/
>
> 2. Tag this bug as wontfix.
>
> If MITRE don't reply, or do nothing -- fine, we close the bug. If they
> do reply, or better yet add the status disputed -- good, it's there for
> posterity. We then close the bug.
No one seemed interested in doing (1) and I've tagged the bug as
proposed in (2).
I'm therefore closing this bug report now.
Best regards,
Stefan Kangas
prev parent reply other threads:[~2020-08-10 16:25 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-06 21:56 bug#29182: CVE-2017-1000383: umask and backup files Glenn Morris
2017-11-07 1:57 ` Glenn Morris
2017-11-07 19:29 ` Glenn Morris
2017-11-13 22:04 ` Glenn Morris
2017-11-14 15:24 ` Eli Zaretskii
2019-10-06 4:08 ` Stefan Kangas
2019-10-06 13:17 ` Noam Postavsky
2019-10-08 6:05 ` Glenn Morris
2019-10-08 9:24 ` Stefan Kangas
2020-08-10 16:25 ` Stefan Kangas [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADwFkm=gFVrPN0bTGB9jp52gCwGEtEMGVPEcBpbD3_LnQKC2QQ@mail.gmail.com' \
--to=stefan@marxist.se \
--cc=29182-done@debbugs.gnu.org \
--cc=eliz@gnu.org \
--cc=rgm@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).