Date: Wed, 7 May 2014 15:35:56 -0400 (EDT)
Subject: Re: CVE Request - Predictable temporary filenames in GNU Emacs

The reports are about unrelated Emacs Lisp files that are bundled with
GNU Emacs. In situations such as this, the various files with
vulnerable code were, almost certainly, first introduced in different
GNU Emacs versions. Thus, the issues in each file have separate CVE
IDs based on the different earliest version of GNU Emacs that is
affected. We don't necessarily provide details of what these versions
are as part of the CVE assignment process or even the CVE publication
process. However, for example,
says "file gnus-fun.el was initially added on branch gnus-5_10-branch"
suggesting early 2000s, whereas the Mosaic support in browse-url.el is
obviously from the 1990s.

All of the files allow symlink attacks, and that is the scope of each
Emacs CVE assignment. If anyone was interested in CVE IDs for
unrelated Emacs vulnerabilities (e.g., if the find-gc.el "horrific
invocations" problem allows injection of commands into csh command
lines), those IDs would need to be assigned separately, even if the
issues were fixed as a side effect of the current patch.

>> lisp/gnus/gnus-fun.el:
>>   In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
>>  used, blindly allowing the existing file to be truncated, and symlinks
>>  followed.


Use CVE-2014-3421.

>> lisp/emacs-lisp/find-gc.el:
>>   In the function `trace-call-tree` there are some horrific invocations
>>  of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".


Use CVE-2014-3422.

>> lisp/net/browse-url.el
>>   In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
>>  overwritten.  Suspect this whole function is obsolete though :)

> Not an (Emacs) bug.


> +         ;; This is a predictable temp-file name, which is bad,
> +         ;; but it is what Mosaic uses/used.
> +         ;; So it's not Emacs's problem.

We didn't quite understand the reasoning here. Mosaic reads the
/tmp/Mosaic.##### file. This doesn't seem to imply that Emacs is
entitled to write "newwin" and "goto" records into that file without
considering that it might be a symlink. Even if not all symlink
attacks could be prevented, one might want a countermeasure against
the easiest attacks. Alternatively, writing to /tmp/Mosaic.##### could
perhaps just be removed, on the basis that the threat is more
realistic than is actual use of Mosaic. (The threat model is that
someone's home directory has a .mosaicpid file left over from the
1990s, and that PID happens to be in use.)

Use CVE-2014-3423 for the Emacs vulnerability associated with a
symlink attack against a /tmp/Mosaic.##### file (this is similar to

CVE IDs for Mosaic are presumably not too useful at this point, but it
seems best to assign the most obvious ones, so that we are not blaming
Emacs for the entirety of the problem. From the Mosaic CHANGES file:

   From 2.0 to 2.1
   Remote control users and script writers take note: control filename
   changed from /tmp/ to /tmp/ This
   is the final such change, forever.

CVE-2014-3425: Mosaic 2.0 allows local users to cause a denial of
service ("remote control" outage) by creating a /tmp/ file
for every possible PID.

CVE-2014-3426: Mosaic 2.1 allows local users to cause a denial of
service ("remote control" outage) by creating a /tmp/ file
for every possible PID.

>> lisp/net/tramp.el
>>   The function `tramp-uudecode`, a fallback if a real uudecoding binary
>>  is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
>>  the file.


Use CVE-2014-3424.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
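The attack class discussed in this thread, and the two countermeasures the message alludes to (an unpredictable name created atomically, or exclusive creation when the name must stay fixed), as an added Emacs Lisp example. This is not code from GNU Emacs, from the quoted reports, or from the eventual Emacs patch; the `example-` function names, the demo directory and the sample PPM data are assumptions made for this illustration.

```elisp
;;; predictable-tmp-demo.el --- added example, not code from GNU Emacs  -*- lexical-binding: t -*-
;; All `example-' names here are assumptions made for this illustration.

;; Vulnerable pattern (as in the gnus-fun.el and tramp.el reports): a
;; fixed or PID-based name under /tmp, written with plain `write-region'.
;; Nothing checks what NAME resolves to, so a symlink planted there by
;; another local user redirects the truncating write to any file the
;; Emacs user can write.
(defun example-vulnerable-write (name data)
  "Blindly write DATA to NAME, truncating and following symlinks."
  (with-temp-buffer
    (insert data)
    (write-region (point-min) (point-max) name))
  name)

;; Countermeasure 1, for files only Emacs itself reads: let
;; `make-temp-file' choose an unpredictable name.  It creates the file
;; atomically (O_EXCL semantics), so there is no known name at which an
;; attacker could pre-plant a link.
(defun example-safe-write (data)
  "Write DATA to a fresh file created by `make-temp-file'; return its name."
  (let ((name (make-temp-file "gnus.face" nil ".ppm")))
    (with-temp-buffer
      (insert data)
      (write-region (point-min) (point-max) name))
    name))

;; Countermeasure 2, for a name that must stay fixed because another
;; program reads it (the Mosaic control-file case): pass MUSTBENEW as
;; `excl'.  `write-region' then opens with O_CREAT|O_EXCL, which fails
;; with `file-already-exists' if anything, a symlink included, already
;; sits at NAME, instead of following and truncating it.
(defun example-fixed-name-write (name data)
  "Write DATA to NAME only if NAME does not yet exist; return NAME or nil."
  (condition-case err
      (with-temp-buffer
        (insert data)
        (write-region (point-min) (point-max) name nil nil nil 'excl)
        name)
    (file-already-exists
     (message "refusing %s: %s" name (error-message-string err))
     nil)))

;; Demo in a private directory (constructed here, so real /tmp names are
;; untouched).  Run with:  emacs --batch -l predictable-tmp-demo.el
(let* ((dir (make-temp-file "predictable-demo" t))
       (victim (expand-file-name "victim.txt" dir))
       (trap (expand-file-name "gnus.face.ppm" dir))) ; the predictable name
  (with-temp-file victim (insert "precious data\n"))
  (make-symbolic-link victim trap)        ; attacker plants the link first
  (example-vulnerable-write trap "P3\n1 1\n255\n0 0 0\n")
  (message "victim after blind write: %S"
           (with-temp-buffer (insert-file-contents victim) (buffer-string)))
  (message "excl write to planted name returned: %S"
           (example-fixed-name-write trap "P3\n1 1\n255\n0 0 0\n"))
  (let ((safe (example-safe-write "P3\n1 1\n255\n0 0 0\n")))
    (message "random-name write went to: %s" safe)
    (delete-file safe))
  (delete-directory dir t))
```

The demo plants a symlink at the predictable name before Emacs writes, which is the ordering a local attacker controls. The blind write follows the link and replaces the victim's contents with the PPM data; the `excl` write refuses because POSIX open() with O_CREAT|O_EXCL fails with EEXIST whenever the path names a symlink, dangling or not, so no separate `file-symlink-p` check (which would only add a race) is needed; `make-temp-file` sidesteps the problem by never reusing a guessable name. For a file that another process must find by a fixed name, `excl` stops the easiest truncation attacks but does not help if the attacker can keep the name occupied, which is the denial-of-service case the Mosaic CVEs above describe.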

