Date: Wed, 7 May 2014 15:35:56 -0400 (EDT) From: cve-assign@...re.org To: steve@...ve.org.uk Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request - Predictable temporary filenames in GNU Emacs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428#8 The reports are about unrelated Emacs Lisp files that are bundled with GNU Emacs. In situations such as this, the various files with vulnerable code were, almost certainly, first introduced in different GNU Emacs versions. Thus, the issues in each file have separate CVE IDs based on the different earliest version of GNU Emacs that is affected. We don't necessarily provide details of what these versions are as part of the CVE assignment process or even the CVE publication process. However, for example, http://cvs.savannah.gnu.org/viewvc/emacs/emacs/lisp/gnus/gnus-fun.el says "file gnus-fun.el was initially added on branch gnus-5_10-branch" suggesting early 2000s, whereas the Mosaic support in browse-url.el is obviously from the 1990s. All of the files allow symlink attacks, and that is the scope of each Emacs CVE assignment. If anyone was interested in CVE IDs for unrelated Emacs vulnerabilities (e.g., if the find-gc.el "horrific invocations" problem allows injection of commands into csh command lines), those IDs would need to be assigned separately, even if the issues were fixed as a side effect of the current patch. >> lisp/gnus/gnus-fun.el: >> In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is >> used, blindly allowing the existing file to be truncated, and symlinks >> followed. > http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html Use CVE-2014-3421. >> lisp/emacs-lisp/find-gc.el: >> In the function `trace-call-tree` there are some horrific invocations >> of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc". > http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html Use CVE-2014-3422. >> lisp/net/browse-url.el >> In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly >> overwritten. Suspect this whole function is obsolete though :) > Not an (Emacs) bug. > http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html > + ;; This is a predictable temp-file name, which is bad, > + ;; but it is what Mosaic uses/used. > + ;; So it's not Emacs's problem. http://bugs.debian.org/747100 We didn't quite understand the reasoning here. Mosaic reads the /tmp/Mosaic.##### file. This doesn't seem to imply that Emacs is entitled to write "newwin" and "goto" records into that file without considering that it might be a symlink. Even if not all symlink attacks could be prevented, one might want a countermeasure against the easiest attacks. Alternatively, writing to /tmp/Mosaic.##### could perhaps just be removed, on the basis that the threat is more realistic than is actual use of Mosaic. (The threat model is that someone's home directory has a .mosaicpid file left over from the 1990s, and that PID happens to be in use.) Use CVE-2014-3423 for the Emacs vulnerability associated with a symlink attack against a /tmp/Mosaic.##### file (this is similar to CVE-2008-4994). CVE IDs for Mosaic are presumably not too useful at this point, but it seems best to assign the most obvious ones, so that we are not blaming Emacs for the entirety of the problem. From the Mosaic CHANGES file: From 2.0 to 2.1 Remote control users and script writers take note: control filename changed from /tmp/xmosaic.pid to /tmp/Mosaic.pid. This is the final such change, forever. CVE-2014-3425: Mosaic 2.0 allows local users to cause a denial of service ("remote control" outage) by creating a /tmp/xmosaic.pid file for every possible PID. CVE-2014-3426: Mosaic 2.1 allows local users to cause a denial of service ("remote control" outage) by creating a /tmp/Mosaic.pid file for every possible PID. >> lisp/net/tramp.el >> The function `tramp-uudecode`, a fallback if a real uudecoding binary >> is not present, blindly uses "/tmp/tramp.$PID", truncating and removing >> the file. > http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00060.html Use CVE-2014-3424. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTaopdAAoJEKllVAevmvmsZQcIALFr9HW1w7EilWkopoNA/zf0 un2ayYlwdtm3LXJVitmfubYobJsoL+U7XogBAkLxo8XgQEBG47lD2k0jIwKJmJeU 26vsmE47OKmT4uTG8DTB5q6mK3+OoZ5s+ysLEfC7vj4wqfoEF2TVhZvYH6EkA17f V4SdYU9GkRUNT/yL854+LehOZEg9fuSjpRPHsdUOkz/WLei7HUynoV+QANO+Tb/c C3dvPTjtp07zhHQd+CdKKilYQttDBlwgIalt1oflvJ0Nc7ve77dnbkfnuFJbrcyl yJnecaewhd9RvP2cnvVh4lBl04ols6NrrQbVtlQ4DQsW2+VRDD8E5lrSAuoFAbI= =9lO/ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.