Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 7 May 2014 09:48:44 +0100
From: Steve Kemp <steve@...ve.org.uk>
To: oss-security@...ts.openwall.com
Subject: CVE Request - Predictable temporary filenames in GNU Emacs


  I reported these bugs on the Debian tracker on Monday:

       https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100

  In brief some of the bundled Emacs Lisp uses predictable
 /tmpfile names insecurely:


 lisp/gnus/gnus-fun.el:
   In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
  used, blindly allowing the existing file to be truncated, and symlinks
  followed.

 lisp/emacs-lisp/find-gc.el:
   In the function `trace-call-tree` there are some horrific invocations
  of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".

 lisp/net/tramp.el
   The function `tramp-uudecode`, a fallback if a real uudecoding binary
  is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
  the file.

   All these have been fixed now, and the GNU bug report contains
 links to the commits that are appropriate:

       http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428

Steve
-- 
http://www.steve.org.uk/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ