From: Glenn Morris
Newsgroups: gmane.emacs.bugs
Subject: bug#17428: emacs23: Insecure use of temporary files in included lisp libraries/packages
Date: Thu, 08 May 2014 12:22:38 -0400
To: Steve Kemp
Cc: 17428@debbugs.gnu.org

Steve Kemp wrote:

> http://www.openwall.com/lists/oss-security/2014/05/07/7

OK.
For the record I don't think any of these issues are anything but trivial in practice, except possibly the tramp one. find-gc.el looked completely broken, I doubt anyone had used it in ~ a decade.

I see they still want us to do something about the Mosaic one, sigh. So I will do something for that. Someone would have to actively configure their system to use mosaic, or have no other browser program installed except xmosaic, for this to even potentially be an issue. I see Mosaic got some CVEs out of this too. :)

The gnus-fun one is some obscure thing to do with xawtv. Again I guess it doesn't have (m)any users, or doesn't even work any more, since it relies on files /tftpboot/sparky/tmp/snap.*ppm existing.

But yes, they should all be fixed.