Date: Wed, 7 May 2014 09:48:44 +0100 From: Steve Kemp <steve@...ve.org.uk> To: oss-security@...ts.openwall.com Subject: CVE Request - Predictable temporary filenames in GNU Emacs I reported these bugs on the Debian tracker on Monday: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100 In brief some of the bundled Emacs Lisp uses predictable /tmpfile names insecurely: lisp/gnus/gnus-fun.el: In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is used, blindly allowing the existing file to be truncated, and symlinks followed. lisp/emacs-lisp/find-gc.el: In the function `trace-call-tree` there are some horrific invocations of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc". lisp/net/tramp.el The function `tramp-uudecode`, a fallback if a real uudecoding binary is not present, blindly uses "/tmp/tramp.$PID", truncating and removing the file. All these have been fixed now, and the GNU bug report contains links to the commits that are appropriate: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428 Steve -- http://www.steve.org.uk/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.