GNU bug report logs -
#17428
Bug#747100: emacs23: Insecure use of temporary files in included lisp libraries/packages
Previous Next
Reported by: Rob Browning <rlb <at> defaultvalue.org>
Date: Wed, 7 May 2014 03:39:02 UTC
Severity: normal
Fixed in version 24.3.91
Done: Glenn Morris <rgm <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 17428 in the body.
You can then email your comments to 17428 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#17428
; Package
emacs
.
(Wed, 07 May 2014 03:39:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Rob Browning <rlb <at> defaultvalue.org>
:
New bug report received and forwarded. Copy sent to
bug-gnu-emacs <at> gnu.org
.
(Wed, 07 May 2014 03:39:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[If possible, please preserve the 747100-forwarded address in any replies.]
The following bug was recently filed against the emacs23 package, and
after some preliminary research, it appears that the security issues
mentioned may still apply to 24.3. (Though it looks like the relevant
tramp file may now be tramp-sh.el).
Steve Kemp <steve <at> steve.org.uk> writes:
> Package: emacs23
> Version: 23.4+1-4
> Severity: important
>
> There are several tempfile-vulnerabilities present in the Emacs Lisp
> bundled and distributed with the emacs23 package.
>
> Here are four brief pointers to unsafe code:
>
> lisp/gnus/gnus-fun.el:
> In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
> used, blindly allowing the existing file to be truncated, and symlinks
> followed.
>
> lisp/emacs-lisp/find-gc.el:
> In the function `trace-call-tree` there are some horrific invocations
> of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".
>
> lisp/net/browse-url.el
> In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
> overwritten. Suspect this whole function is obsolete though :)
>
> lisp/net/tramp.el
> The function `tramp-uudecode`, a fallback if a real uudecoding binary
> is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
> the file.
>
>
> I suspect that each should receive a CVE identifier.
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#17428
; Package
emacs
.
(Wed, 07 May 2014 03:49:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 17428 <at> debbugs.gnu.org (full text, mbox):
>> lisp/gnus/gnus-fun.el:
>> In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
>> used, blindly allowing the existing file to be truncated, and symlinks
>> followed.
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html
>> lisp/emacs-lisp/find-gc.el:
>> In the function `trace-call-tree` there are some horrific invocations
>> of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html
>> lisp/net/browse-url.el
>> In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly
>> overwritten. Suspect this whole function is obsolete though :)
Not an (Emacs) bug.
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html
>> lisp/net/tramp.el
>> The function `tramp-uudecode`, a fallback if a real uudecoding binary
>> is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
>> the file.
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00060.html
bug marked as fixed in version 24.3.91, send any further explanations to
17428 <at> debbugs.gnu.org and Rob Browning <rlb <at> defaultvalue.org>
Request was from
Glenn Morris <rgm <at> gnu.org>
to
control <at> debbugs.gnu.org
.
(Wed, 07 May 2014 03:50:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#17428
; Package
emacs
.
(Thu, 08 May 2014 16:04:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 17428 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
These issues have now had several CVE identifiers
associated with them, for future tracking:
http://www.openwall.com/lists/oss-security/2014/03/14/5
Steve
--
http://www.steve.org.uk/
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#17428
; Package
emacs
.
(Thu, 08 May 2014 16:04:03 GMT)
Full text and
rfc822 format available.
Message #16 received at 17428 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Clearly I'm an idiot, the correct link is this:
http://www.openwall.com/lists/oss-security/2014/05/07/7
Steve
--
http://www.steve.org.uk/
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#17428
; Package
emacs
.
(Thu, 08 May 2014 16:23:01 GMT)
Full text and
rfc822 format available.
Message #19 received at 17428 <at> debbugs.gnu.org (full text, mbox):
Steve Kemp wrote:
> http://www.openwall.com/lists/oss-security/2014/05/07/7
OK. For the record I don't think any of these issues are anything but
trivial in practice, except possibly the tramp one.
find-gc.el looked completely broken, I doubt anyone had used it in ~ a
decade.
I see they still want us to do something about the Mosaic one, sigh.
So I will do something for that. Someone would have to actively
configure their system to use mosaic, or have no other browser program
installed except xmosaic, for this to even potentially be an issue.
I see Mosaic got some CVEs out of this too. :)
The gnus-fun one is some obscure thing to do with xawtv. Again I guess
it doesn't have (m)any users, or doesn't even work any more, since it
relies on files /tftpboot/sparky/tmp/snap.*ppm existing.
But yes, they should all be fixed.
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#17428
; Package
emacs
.
(Thu, 08 May 2014 16:36:02 GMT)
Full text and
rfc822 format available.
Message #22 received at 17428 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
> OK. For the record I don't think any of these issues are anything but
> trivial in practice, except possibly the tramp one.
>
Agreed 100%.
> I see Mosaic got some CVEs out of this too. :)
Yeah, that was a surprise :)
Steve
--
http://www.steve.org.uk/
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#17428
; Package
emacs
.
(Thu, 08 May 2014 18:15:01 GMT)
Full text and
rfc822 format available.
Message #25 received at 17428 <at> debbugs.gnu.org (full text, mbox):
I think this handles the Mosaic one:
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00084.html
All these things will be fixed in Emacs 24.3.91 pretest,
Emacs 24.4 release.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Fri, 06 Jun 2014 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 10 years and 205 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.