From mboxrd@z Thu Jan 1 00:00:00 1970 Path: quimby.gnus.org!not-for-mail From: Colin Walters Newsgroups: gmane.emacs.devel Subject: many packages write to `temporary-file-directory' insecurely Date: 28 Feb 2002 20:15:51 -0500 Message-ID: <1014945351.23435.102.camel@space-ghost> NNTP-Posting-Host: quimby2.netfonds.no Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Trace: quimby2.netfonds.no 1014945953 24401 195.204.10.66 (1 Mar 2002 01:25:53 GMT) X-Complaints-To: usenet@quimby2.netfonds.no NNTP-Posting-Date: 1 Mar 2002 01:25:53 GMT Original-Received: from fencepost.gnu.org ([199.232.76.164]) by quimby2.netfonds.no with esmtp (Exim 3.12 #1 (Debian)) id 16gbo0-0006LN-00 for ; Fri, 01 Mar 2002 02:25:52 +0100 Original-Received: from localhost ([127.0.0.1] helo=fencepost.gnu.org) by fencepost.gnu.org with esmtp (Exim 3.33 #1 (Debian)) id 16gbjS-0000y6-00; Thu, 28 Feb 2002 20:21:10 -0500 Original-Received: from monk.debian.net ([216.185.54.61] helo=monk.verbum.org) by fencepost.gnu.org with esmtp (Exim 3.33 #1 (Debian)) id 16gbil-0000v2-00 for ; Thu, 28 Feb 2002 20:20:27 -0500 Original-Received: from space-ghost.verbum.private (freedom.cis.ohio-state.edu [164.107.60.183]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "space-ghost.verbum.org", Issuer "monk.verbum.org" (verified OK)) by monk.verbum.org (Postfix (Debian/GNU)) with ESMTP id C364E74000B1 for ; Thu, 28 Feb 2002 20:20:12 -0500 (EST) Original-Received: by space-ghost.verbum.private (Postfix (Debian/GNU), from userid 1000) id 820518946DC; Thu, 28 Feb 2002 20:15:52 -0500 (EST) Original-To: emacs-devel@gnu.org X-Mailer: Evolution/1.0 (Preview Release) Errors-To: emacs-devel-admin@gnu.org X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.0.5 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Emacs development discussions. List-Unsubscribe: , List-Archive: Xref: quimby.gnus.org gmane.emacs.devel:1657 X-Report-Spam: http://spam.gmane.org/gmane.emacs.devel:1657 Hi, I discovered a security problem with M-x snake, and a number of other packages. For example, snake writes "snake-scores" to `temporary-file-directory' (which defaults to /tmp on my system). If an attacker creates a symlink /tmp/snake-scores -> /home/luser/.bashrc, and "luser" later runs M-x snake, then their .bashrc will be happily overwritten with their snake scores. Try it. After a quick grep through the Emacs source, terminal.el looks like it does something similar in the function `te-create-terminfo'. And eshell appears to use `make-temp-name' insecurely in the function `eshell-parse-variable-ref'., although it is difficult to follow the code. And there are a number of others that I haven't investigated too closely. Calc was creating a temporary gnuplot file insecurely; I've just fixed it. These all *must* be fixed. I gather that there have been reports about this problem in the past, and this was the reason `make-temp-file' was introduced to replace `make-temp-name'. If you maintain a package that creates temporary files, please make sure you are using `make-temp-file'! _______________________________________________ Emacs-devel mailing list Emacs-devel@gnu.org http://mail.gnu.org/mailman/listinfo/emacs-devel