GNU bug report logs - #17416
insecure temp files in ob-screen.el


Packages: emacs, org-mode;

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Tue, 6 May 2014 04:15:01 UTC

Severity: important

Tags: security

Found in version 24.3.90

Fixed in version 24.3.91

Done: Glenn Morris <rgm <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org, emacs-orgmode <at> gnu.org:
bug#17416; Package emacs,org-mode. (Tue, 06 May 2014 04:15:02 GMT)

Message #3 received at submit <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: submit <at> debbugs.gnu.org
Subject: insecure temp files in ob-screen.el
Date: Tue, 06 May 2014 00:14:36 -0400
Package: emacs,org-mode
Version: 24.3.90
Severity: important
Tags: security

org-babel-screen-session-write-temp-file and org-babel-screen-test seem
to use predictable temp-file names, which is a security issue. Using
`make-temp-file', or if the file names really need to be predictable,
something equivalent to `doc-view-make-safe-dir' (there should really be
a general utility function for this IMO) to first create a /tmp
subdirectory would avoid this.
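A worked example of the two remedies the report names, added here and not taken from the bug report, ob-screen.el or Emacs itself: `make-temp-file' for an unpredictable, exclusively created file, and a checked private subdirectory (modelled on what the report describes `doc-view-make-safe-dir' as doing) for the case where the file name must stay predictable. All `my-' names are hypothetical, and the insecure function is a sketch of the pattern being criticised, not the original ob-screen.el code; the example assumes only long-standing Emacs primitives.

```elisp
;; Added example, not code from ob-screen.el or Emacs.  All `my-' names are
;; hypothetical; the insecure function sketches the reported pattern.

;; The pattern the report objects to: a fixed, guessable path under /tmp.
;; Any local user can create that path (or place a symlink there) ahead of
;; time, so a later write may land wherever the link points and the
;; contents are readable by whoever pre-created the file.
(defun my-predictable-temp-file (session)
  "Return a fixed temp path derived from SESSION.  Insecure; illustration only."
  (expand-file-name (format "screen-%s.txt" session) temporary-file-directory))

;; Remedy 1: let Emacs choose the name.  `make-temp-file' appends random
;; characters and creates the file exclusively (it fails rather than reuse a
;; path that already exists) with permissions restricted to the current user.
(defun my-write-session-temp-file (session body)
  "Write BODY to a freshly created private temp file for SESSION.
Return the file name."
  (let ((file (make-temp-file (format "org-babel-screen-%s-" session) nil ".txt")))
    (with-temp-file file (insert body))
    file))

;; Remedy 2: when the file name itself must stay predictable, first create a
;; directory only this user can enter, and verify it before trusting it.
(defun my-make-private-dir (dir)
  "Create DIR with mode 0700 if missing, then check that it is safe to use.
Signal an error if DIR is a symbolic link, is not a directory, or is owned
by another user.  Return DIR."
  (let ((old-modes (default-file-modes)))
    (unwind-protect
        (condition-case nil
            (progn
              (set-default-file-modes #o700) ; mode is applied at creation time
              (make-directory dir))
          (file-already-exists nil))        ; pre-existing: verified below
      (set-default-file-modes old-modes)))
  ;; Test for a link before `file-directory-p', which follows symlinks.
  (when (file-symlink-p dir)
    (error "Refusing to use %s: it is a symbolic link" dir))
  (unless (file-directory-p dir)
    (error "%s exists but is not a directory" dir))
  ;; Element 2 of `file-attributes' is the owner's uid.
  (unless (= (user-uid) (nth 2 (file-attributes dir 'integer)))
    (error "Refusing to use %s: not owned by the current user" dir))
  ;; A directory we own may have been created earlier with looser modes.
  (set-file-modes dir #o700)
  dir)

(defun my-session-file-in-private-dir (session)
  "Return a predictable path for SESSION inside a verified private directory."
  (let ((dir (my-make-private-dir
              (expand-file-name (format "org-babel-screen-%d" (user-uid))
                                temporary-file-directory))))
    (expand-file-name (format "%s.txt" session) dir)))
```

Putting the uid in the directory name keeps different users from colliding on the same path, and once the directory is verified to be ours with mode 0700, no other local user can create or replace entries inside it, so predictable file names within it no longer carry the pre-creation or symlink risk that the same names have directly under /tmp.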




Information forwarded to bug-gnu-emacs <at> gnu.org, emacs-orgmode <at> gnu.org:
bug#17416; Package emacs,org-mode. (Thu, 08 May 2014 01:16:02 GMT)

Message #6 received at 17416 <at> debbugs.gnu.org:

From: Eric Schulte <schulte.eric <at> gmail.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 17416 <at> debbugs.gnu.org
Subject: Re: [O] bug#17416: insecure temp files in ob-screen.el
Date: Wed, 07 May 2014 05:35:37 -0400
Glenn Morris <rgm <at> gnu.org> writes:

> Package: emacs,org-mode
> Version: 24.3.90
> Severity: important
> Tags: security
>
> org-babel-screen-session-write-temp-file and org-babel-screen-test seem
> to use predictable temp-file names, which is a security issue. Using
> `make-temp-file', or if the file names really need to be predictable,
> something equivalent to `doc-view-make-safe-dir' (there should really be
> a general utility function for this IMO) to first create a /tmp
> subdirectory would avoid this.
>

I just pushed up a fix for this issue.  Thanks,

-- 
Eric Schulte
https://cs.unm.edu/~eschulte
PGP: 0x614CA05D




Information forwarded to bug-gnu-emacs <at> gnu.org, emacs-orgmode <at> gnu.org:
bug#17416; Package emacs,org-mode. (Thu, 08 May 2014 07:05:02 GMT)

Message #9 received at 17416 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: Eric Schulte <schulte.eric <at> gmail.com>
Cc: 17416 <at> debbugs.gnu.org
Subject: Re: [O] bug#17416: insecure temp files in ob-screen.el
Date: Thu, 08 May 2014 03:04:01 -0400
Eric Schulte wrote:

>> org-babel-screen-session-write-temp-file and org-babel-screen-test seem
>> to use predictable temp-file names, which is a security issue. Using
>> `make-temp-file', or if the file names really need to be predictable,
>> something equivalent to `doc-view-make-safe-dir' (there should really be
>> a general utility function for this IMO) to first create a /tmp
>> subdirectory would avoid this.
>
> I just pushed up a fix for this issue.  Thanks,

If you mean

http://orgmode.org/cgit.cgi/org-mode.git/commit/?id=fea672d30ef4701721c0d4aa70462760a6b21be7

then there's still org-babel-screen-test.

(These are definitely fixes that need merging into the emacs-24 branch.
IIUC this means they need to be in your maint branch?)




Information forwarded to bug-gnu-emacs <at> gnu.org, emacs-orgmode <at> gnu.org:
bug#17416; Package emacs,org-mode. (Thu, 08 May 2014 18:21:02 GMT)

Message #12 received at 17416 <at> debbugs.gnu.org:

From: Eric Schulte <schulte.eric <at> gmail.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 17416 <at> debbugs.gnu.org, Eric Schulte <schulte.eric <at> gmail.com>
Subject: Re: [O] bug#17416: insecure temp files in ob-screen.el
Date: Thu, 08 May 2014 12:20:23 -0600
Glenn Morris <rgm <at> gnu.org> writes:

> Eric Schulte wrote:
>
>>> org-babel-screen-session-write-temp-file and org-babel-screen-test seem
>>> to use predictable temp-file names, which is a security issue. Using
>>> `make-temp-file', or if the file names really need to be predictable,
>>> something equivalent to `doc-view-make-safe-dir' (there should really be
>>> a general utility function for this IMO) to first create a /tmp
>>> subdirectory would avoid this.
>>
>> I just pushed up a fix for this issue.  Thanks,
>
> If you mean
>
> http://orgmode.org/cgit.cgi/org-mode.git/commit/?id=fea672d30ef4701721c0d4aa70462760a6b21be7
>
> then there's still org-babel-screen-test.
>

Fixed.

>
> (These are definitely fixes that need merging into the emacs-24 branch.
> IIUC this means they need to be in your maint branch?)

Cherrypicked into maint.

Thanks,

-- 
Eric Schulte
https://cs.unm.edu/~eschulte
PGP: 0x614CA05D




bug marked as fixed in version 24.3.91, send any further explanations to 17416 <at> debbugs.gnu.org and Glenn Morris <rgm <at> gnu.org> Request was from Glenn Morris <rgm <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 12 May 2014 06:12:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 09 Jun 2014 11:24:03 GMT)
