Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 7 May 2014 15:35:56 -0400 (EDT)
From: cve-assign@...re.org
To: steve@...ve.org.uk
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - Predictable temporary filenames in GNU Emacs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428#8

The reports are about unrelated Emacs Lisp files that are bundled with
GNU Emacs. In situations such as this, the various files with
vulnerable code were, almost certainly, first introduced in different
GNU Emacs versions. Thus, the issues in each file have separate CVE
IDs based on the different earliest version of GNU Emacs that is
affected. We don't necessarily provide details of what these versions
are as part of the CVE assignment process or even the CVE publication
process. However, for example,
http://cvs.savannah.gnu.org/viewvc/emacs/emacs/lisp/gnus/gnus-fun.el
says "file gnus-fun.el was initially added on branch gnus-5_10-branch"
suggesting early 2000s, whereas the Mosaic support in browse-url.el is
obviously from the 1990s.

All of the files allow symlink attacks, and that is the scope of each
Emacs CVE assignment. If anyone was interested in CVE IDs for
unrelated Emacs vulnerabilities (e.g., if the find-gc.el "horrific
invocations" problem allows injection of commands into csh command
lines), those IDs would need to be assigned separately, even if the
issues were fixed as a side effect of the current patch.


>> lisp/gnus/gnus-fun.el:
>>   In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
>>  used, blindly allowing the existing file to be truncated, and symlinks
>>  followed.

> http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html

Use CVE-2014-3421.


>> lisp/emacs-lisp/find-gc.el:
>>   In the function `trace-call-tree` there are some horrific invocations
>>  of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".

> http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html

Use CVE-2014-3422.


>> lisp/net/browse-url.el
>>   In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
>>  overwritten.  Suspect this whole function is obsolete though :)

> Not an (Emacs) bug.

> http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html

> +         ;; This is a predictable temp-file name, which is bad,
> +         ;; but it is what Mosaic uses/used.
> +         ;; So it's not Emacs's problem.  http://bugs.debian.org/747100

We didn't quite understand the reasoning here. Mosaic reads the
/tmp/Mosaic.##### file. This doesn't seem to imply that Emacs is
entitled to write "newwin" and "goto" records into that file without
considering that it might be a symlink. Even if not all symlink
attacks could be prevented, one might want a countermeasure against
the easiest attacks. Alternatively, writing to /tmp/Mosaic.##### could
perhaps just be removed, on the basis that the threat is more
realistic than is actual use of Mosaic. (The threat model is that
someone's home directory has a .mosaicpid file left over from the
1990s, and that PID happens to be in use.)

Use CVE-2014-3423 for the Emacs vulnerability associated with a
symlink attack against a /tmp/Mosaic.##### file (this is similar to
CVE-2008-4994).

CVE IDs for Mosaic are presumably not too useful at this point, but it
seems best to assign the most obvious ones, so that we are not blaming
Emacs for the entirety of the problem. From the Mosaic CHANGES file:

   From 2.0 to 2.1
   Remote control users and script writers take note: control filename
   changed from /tmp/xmosaic.pid to /tmp/Mosaic.pid. This
   is the final such change, forever.

CVE-2014-3425: Mosaic 2.0 allows local users to cause a denial of
service ("remote control" outage) by creating a /tmp/xmosaic.pid file
for every possible PID.

CVE-2014-3426: Mosaic 2.1 allows local users to cause a denial of
service ("remote control" outage) by creating a /tmp/Mosaic.pid file
for every possible PID.


>> lisp/net/tramp.el
>>   The function `tramp-uudecode`, a fallback if a real uudecoding binary
>>  is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
>>  the file.

> http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00060.html

Use CVE-2014-3424.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTaopdAAoJEKllVAevmvmsZQcIALFr9HW1w7EilWkopoNA/zf0
un2ayYlwdtm3LXJVitmfubYobJsoL+U7XogBAkLxo8XgQEBG47lD2k0jIwKJmJeU
26vsmE47OKmT4uTG8DTB5q6mK3+OoZ5s+ysLEfC7vj4wqfoEF2TVhZvYH6EkA17f
V4SdYU9GkRUNT/yL854+LehOZEg9fuSjpRPHsdUOkz/WLei7HUynoV+QANO+Tb/c
C3dvPTjtp07zhHQd+CdKKilYQttDBlwgIalt1oflvJ0Nc7ve77dnbkfnuFJbrcyl
yJnecaewhd9RvP2cnvVh4lBl04ols6NrrQbVtlQ4DQsW2+VRDD8E5lrSAuoFAbI=
=9lO/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ