Message-ID: <20140507084844.GA32076@steve.org.uk>
Date: Wed, 7 May 2014 09:48:44 +0100
From: Steve Kemp <steve@...ve.org.uk>
To: oss-security@...ts.openwall.com
Subject: CVE Request - Predictable temporary filenames in GNU Emacs


  I reported these bugs on the Debian tracker on Monday:

       https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100

  In brief, some of the bundled Emacs Lisp uses predictable
 /tmp file names insecurely:


 lisp/gnus/gnus-fun.el:
   In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
  used, blindly allowing the existing file to be truncated, and symlinks
  followed.

 lisp/emacs-lisp/find-gc.el:
   In the function `trace-call-tree` there are some horrific invocations
  of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".

 lisp/net/tramp.el:
   The function `tramp-uudecode`, a fallback if a real uudecoding binary
  is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
  the file.

   All these have been fixed now, and the GNU bug report contains
 links to the commits that are appropriate:

       http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428

Steve
-- 
http://www.steve.org.uk/
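
Added example, not part of the original message or of the Emacs sources: a Python sketch of the file-system behaviour behind the report, showing a fixed-name write following an existing symlink and truncating its target, next to exclusive creation and `mkstemp`. All function names are hypothetical, the data is constructed, and a private sandbox directory stands in for `/tmp`.

```python
import os
import tempfile

def write_predictable(path, data):
    # Pattern from the report: fixed name, symlinks followed, target truncated.
    with open(path, "wb") as fh:
        fh.write(data)

def write_exclusive(path, data):
    # O_CREAT|O_EXCL fails if the name exists at all, and never follows a
    # symlink in the final path component.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def write_unpredictable(data, directory):
    # mkstemp picks a random name and creates it with O_EXCL, mode 0600.
    fd, path = tempfile.mkstemp(prefix="gnus.face.", suffix=".ppm", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    # Everything happens inside a private sandbox directory (constructed data).
    out = {}
    with tempfile.TemporaryDirectory() as sandbox:
        other = os.path.join(sandbox, "other-file")
        fixed = os.path.join(sandbox, "gnus.face.ppm")  # stands in for /tmp/gnus.face.ppm
        write_predictable(other, b"important data")
        os.symlink(other, fixed)  # the fixed name already exists as a symlink
        write_predictable(fixed, b"P6")
        out["after_predictable"] = read(other)  # overwritten through the link
        write_predictable(other, b"important data")  # restore for the next check
        try:
            write_exclusive(fixed, b"P6")
            out["exclusive_refused"] = False
        except FileExistsError:
            out["exclusive_refused"] = True
        out["after_exclusive"] = read(other)  # untouched
        path = write_unpredictable(b"P6", sandbox)
        out["mode"] = os.stat(path).st_mode & 0o777
    return out

if __name__ == "__main__":
    print(demo())
```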
