Date: Wed, 7 May 2014 09:48:44 +0100 From: Steve Kemp <steve@...ve.org.uk> To: oss-security@...ts.openwall.com Subject: CVE Request - Predictable temporary filenames in GNU Emacs I reported these bugs on the Debian tracker on Monday: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100 In brief some of the bundled Emacs Lisp uses predictable /tmpfile names insecurely: lisp/gnus/gnus-fun.el: In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is used, blindly allowing the existing file to be truncated, and symlinks followed. lisp/emacs-lisp/find-gc.el: In the function `trace-call-tree` there are some horrific invocations of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc". lisp/net/tramp.el The function `tramp-uudecode`, a fallback if a real uudecoding binary is not present, blindly uses "/tmp/tramp.$PID", truncating and removing the file. All these have been fixed now, and the GNU bug report contains links to the commits that are appropriate: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428 Steve -- http://www.steve.org.uk/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ