From: Eric Schulte
Newsgroups: gmane.emacs.bugs
Subject: bug#17416: [O] bug#17416: insecure temp files in ob-screen.el
Date: Wed, 07 May 2014 05:35:37 -0400
Message-ID: <87vbthm5pe.fsf__3936.66780223629$1399514615$gmane$org@gmail.com>
References: <61ljbl1v.fsf@fencepost.gnu.org>
To: Glenn Morris
Cc: 17416@debbugs.gnu.org

Glenn Morris writes:

> Package: emacs,org-mode
> Version: 24.3.90
> Severity: important
> Tags: security
>
> org-babel-screen-session-write-temp-file and org-babel-screen-test seem
> to use predictable temp-file names, which is a security issue. Using
> `make-temp-file', or if the file names really need to be predictable,
> something equivalent to `doc-view-make-safe-dir' (there should really be
> a general utility function for this IMO) to first create a /tmp
> subdirectory would avoid this.
>

I just pushed up a fix for this issue.

Thanks,

-- 
Eric Schulte
https://cs.unm.edu/~eschulte
PGP: 0x614CA05D
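
The two remedies named in the quoted report, sketched in Emacs Lisp as an added example; this is not code from ob-screen.el and not the fix that was pushed. It assumes Emacs 24.4 or later (for `with-file-modes'); every `my/' function and the "my-session" file-name prefixes are hypothetical.

```elisp
;;; Added illustration, not code from ob-screen.el.  All `my/' names and
;;; the "my-session" prefixes are hypothetical.

;; Pattern the report describes: the path is fully known in advance, so
;; whatever already sits at that path in a shared /tmp gets written to.
(defun my/write-body-predictable (session body)
  (let ((tmpfile (concat "/tmp/my-session-" session)))
    (with-temp-file tmpfile (insert body))
    tmpfile))

;; Remedy 1: `make-temp-file' appends random characters to the prefix and
;; creates the file itself, so the name cannot be prepared beforehand.
(defun my/write-body-random (session body)
  (let ((tmpfile (make-temp-file (concat "my-session-" session "-"))))
    (with-temp-file tmpfile (insert body))
    tmpfile))

;; Remedy 2: keep predictable names, but inside a private directory.
(defun my/make-safe-dir (dir)
  "Create DIR with mode 0700, or check that an existing DIR is usable."
  (condition-case nil
      (with-file-modes #o700 (make-directory dir))
    (file-already-exists
     (let ((attrs (file-attributes dir 'integer)))
       ;; (car attrs) is t for a real directory, a string for a symlink.
       (unless (and (eq (car attrs) t)
                    (= (nth 2 attrs) (user-uid)))
         (error "Refusing %s: not a directory owned by this user" dir))
       (set-file-modes dir #o700))))
  dir)

(defun my/write-body-in-safe-dir (session body)
  (let* ((dir (my/make-safe-dir
               (expand-file-name (format "my-sessions-%d" (user-uid))
                                 temporary-file-directory)))
         ;; Keep SESSION from adding path components such as "../".
         (name (replace-regexp-in-string "[^A-Za-z0-9_-]" "_" session))
         (tmpfile (expand-file-name name dir)))
    (with-temp-file tmpfile (insert body))
    tmpfile))
```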