From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#29182: CVE-2017-1000383: umask and backup files
Date: Mon, 10 Aug 2020 09:25:39 -0700
To: Eli Zaretskii
Cc: Glenn Morris, 29182-done@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: wontfix security notabug
In-Reply-To: (Stefan Kangas's message of "Sun, 6 Oct 2019 06:08:56 +0200")

Stefan Kangas writes:

> Eli Zaretskii writes:
>
>>> From: Glenn Morris
>>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>>
>>> Rightly or wrong, distributions etc pay attention to CVEs, so I think
>>> an official response from Emacs on this issue would be good.
>>
>> I'm not sure how should we provide an official response there. The
>> list there is mostly of issues with very old versions, and there's a
>> reference to bug reports which were closed. What else is needed? And
>> what's the procedure?
>
> OK, so this is almost 2 years old now, but I've looked into it a bit.

That was 44 weeks ago.

> This CVE has been rejected by at least Debian ("this CVE assignment is
> nonsense"), Redhat (bug has status "CLOSED WONTFIX") and Gentoo (bug has
> status "INVALID").
>
> I think it's fair to say that we don't want to "fix" this, since it
> should not really have been a CVE in the first place.
>
> I suggest to do the following:
>
> 1. There is a CVE status called disputed. We should try to acquire that
>    status. More information at:
>    https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry
>
>    It would be good if someone more senior than me tried to contact
>    MITRE, who handles the CVE to see how that works. AFAICT, the way to
>    contact them is through this web form: https://cveform.mitre.org/
>
> 2. Tag this bug as wontfix.
>
> If MITRE don't reply, or do nothing -- fine, we close the bug. If they
> do reply, or better yet add the status disputed -- good, it's there for
> posterity. We then close the bug.

No one seemed interested in doing (1) and I've tagged the bug as
proposed in (2).

I'm therefore closing this bug report now.

Best regards,
Stefan Kangas