all messages for Emacs-related lists mirrored at yhetil.org
From: Rob Browning <rlb@defaultvalue.org>
To: 17428@debbugs.gnu.org
Cc: Steve Kemp <steve@steve.org.uk>,
	747100@bugs.debian.org, 747100-forwarded@bugs.debian.org
Subject: bug#17428: Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages
Date: Tue, 06 May 2014 22:38:07 -0500
Message-ID: <87r4466yxs.fsf@trouble.defaultvalue.org>
In-Reply-To: <20140505143834.GA5032@steve.org.uk>

[If possible, please preserve the 747100-forwarded address in any replies.]

The following bug was recently filed against the emacs23 package, and
after some preliminary research, it appears that the security issues
mentioned may still apply to 24.3.  (Though it looks like the relevant
tramp file may now be tramp-sh.el).

Steve Kemp <steve@steve.org.uk> writes:

> Package: emacs23
> Version: 23.4+1-4
> Severity: important
>
> There are several tempfile-vulnerabilities present in the Emacs Lisp
> bundled and distributed with the emacs23 package.
>
> Here are four brief pointers to unsafe code:
>
> lisp/gnus/gnus-fun.el:
>   In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
>  used, blindly allowing the existing file to be truncated, and symlinks
>  followed.
>
> lisp/emacs-lisp/find-gc.el:
>   In the function `trace-call-tree` there are some horrific invocations
>  of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".
>
> lisp/net/browse-url.el
>   In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
>  overwritten.  Suspect this whole function is obsolete though :)
>
> lisp/net/tramp.el
>   The function `tramp-uudecode`, a fallback if a real uudecoding binary
>  is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
>  the file.
>
>
> I suspect that each should receive a CVE identifier.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
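
The pattern the report above describes (a fixed name under /tmp, truncated and followed through symlinks), set beside two safer forms in Emacs Lisp. This is an added illustration, not code from the message or from the Emacs sources; every `demo-` name and the /tmp path are constructed for the example.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; all `demo-' names and paths are hypothetical.

(defun demo-write-fixed-name (data)
  "UNSAFE pattern, shown for contrast and not called by `demo-run'.
The name is predictable and lives in a shared directory, so
`write-region' truncates whatever already sits at that path,
following a symlink if one is there."
  (let ((file "/tmp/demo-fixed-name.ppm"))   ; constructed path
    (write-region data nil file nil 'silent)
    file))

(defun demo-write-private (data)
  "Safer pattern: `make-temp-file' chooses an unpredictable name under
`temporary-file-directory' and creates the file itself, so the
name cannot be claimed by another user beforehand."
  (let ((file (make-temp-file "demo-" nil ".ppm")))
    (write-region data nil file nil 'silent)
    file))

(defun demo-write-exclusive (data file)
  "Write DATA to FILE only if FILE does not exist yet.
MUSTBENEW `excl' makes `write-region' signal an error instead of
truncating an existing file or writing through an existing symlink."
  (write-region data nil file nil 'silent nil 'excl)
  file)

(defun demo-run ()
  "Return (NO-GROUP-OR-OTHER-ACCESS EXCL-REFUSED) as a self-check."
  (let* ((private (demo-write-private "P6 1 1 255\n"))
         (mode (file-modes private))
         ;; The file now exists, so an exclusive write must fail.
         (refused (condition-case nil
                      (progn (demo-write-exclusive "x" private) nil)
                    (file-error t))))
    (delete-file private)
    (list (= 0 (logand mode #o077)) refused)))
```

Evaluating `(demo-run)` on a POSIX system checks that the file made by `make-temp-file` grants no group or other access and that the exclusive write refuses a path that already exists.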
