GNU bug report logs - #29182
CVE-2017-1000383: umask and backup files

Please note: This is a static page, with minimal formatting, updated once a day.

Package: emacs; Reported by: Glenn Morris <rgm@HIDDEN>; Keywords: wontfix security notabug; dated Mon, 6 Nov 2017 21:57:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
Added tag(s) notabug and wontfix. Request was from Stefan Kangas <stefan@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 29182 <at> debbugs.gnu.org:


From: Stefan Kangas <stefan@HIDDEN>
Date: Tue, 8 Oct 2019 11:24:55 +0200
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
To: Glenn Morris <rgm@HIDDEN>
Cc: 29182 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>

Glenn Morris <rgm@HIDDEN> writes:

> It is a silly CVE, but IMO backups belong by default in a private
> subdirectory of user-emacs-directory (user-data-directory if such a
> thing existed).

That's what I do, personally.  But it's not unproblematic to do that
by default, in my opinion.  What if I'm editing a file on an encrypted
filesystem, thinking that it's safe there, and Emacs silently saves a
copy of said file in my home directory on an unencrypted file system?

Best regards,
Stefan Kangas




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#29182; Package emacs. Full text available.

Message received at 29182 <at> debbugs.gnu.org:


From: Glenn Morris <rgm@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Tue, 08 Oct 2019 02:05:58 -0400
Cc: 29182 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>


It is a silly CVE, but IMO backups belong by default in a private
subdirectory of user-emacs-directory (user-data-directory if such a
thing existed).




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#29182; Package emacs. Full text available.

Message received at 29182 <at> debbugs.gnu.org:


From: Noam Postavsky <npostavs@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Sun, 06 Oct 2019 09:17:25 -0400
Cc: Glenn Morris <rgm@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>,
 29182 <at> debbugs.gnu.org

Stefan Kangas <stefan@HIDDEN> writes:

> PS. This CVE has the tag "withdrawn" in a GitHub repository which seems
> to be handled by the CVE team at MITRE.  Not sure what that means, if
> anything, but it seemed interesting enough to mention.
>
> https://github.com/CVEProject/cvelist/pull/19

I think it's just that specific pull request which has status
"withdrawn", because it accidentally lumps together unrelated commits.

The CVE file itself doesn't mention anything about "withdrawn".

https://github.com/CVEProject/cvelist/blob/master/2017/1000xxx/CVE-2017-1000383.json




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#29182; Package emacs. Full text available.

Message received at 29182 <at> debbugs.gnu.org:


From: Stefan Kangas <stefan@HIDDEN>
Date: Sun, 6 Oct 2019 06:08:56 +0200
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
To: Eli Zaretskii <eliz@HIDDEN>
Cc: Glenn Morris <rgm@HIDDEN>, 29182 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

>> From: Glenn Morris <rgm@HIDDEN>
>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>
>> Rightly or wrongly, distributions etc pay attention to CVEs, so I think
>> an official response from Emacs on this issue would be good.
>
> I'm not sure how we should provide an official response there.  The
> list there is mostly of issues with very old versions, and there's a
> reference to bug reports which were closed.  What else is needed?  And
> what's the procedure?

OK, so this is almost 2 years old now, but I've looked into it a bit.

This CVE has been rejected by at least Debian ("this CVE assignment is
nonsense"), Red Hat (bug has status "CLOSED WONTFIX") and Gentoo (bug has
status "INVALID").

I think it's fair to say that we don't want to "fix" this, since it
should not really have been a CVE in the first place.

I suggest to do the following:

1. There is a CVE status called disputed.  We should try to acquire that
   status.  More information at:
   https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry

   It would be good if someone more senior than me tried to contact
   MITRE, who handles the CVE, to see how that works.  AFAICT, the way to
   contact them is through this web form: https://cveform.mitre.org/

2. Tag this bug as wontfix.

If MITRE don't reply, or do nothing -- fine, we close the bug.  If they
do reply, or better yet add the status disputed -- good, it's there for
posterity.  We then close the bug.

Best regards,
Stefan Kangas

PS. This CVE has the tag "withdrawn" in a GitHub repository which seems
to be handled by the CVE team at MITRE.  Not sure what that means, if
anything, but it seemed interesting enough to mention.

https://github.com/CVEProject/cvelist/pull/19




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#29182; Package emacs. Full text available.

Message received at 29182 <at> debbugs.gnu.org:


Date: Tue, 14 Nov 2017 17:24:45 +0200
From: Eli Zaretskii <eliz@HIDDEN>
To: Glenn Morris <rgm@HIDDEN>
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Cc: 29182 <at> debbugs.gnu.org

> From: Glenn Morris <rgm@HIDDEN>
> Date: Mon, 13 Nov 2017 17:04:55 -0500
> 
> Rightly or wrongly, distributions etc pay attention to CVEs, so I think
> an official response from Emacs on this issue would be good.

I'm not sure how we should provide an official response there.  The
list there is mostly of issues with very old versions, and there's a
reference to bug reports which were closed.  What else is needed?  And
what's the procedure?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#29182; Package emacs. Full text available.

Message received at 29182 <at> debbugs.gnu.org:


From: Glenn Morris <rgm@HIDDEN>
To: 29182 <at> debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Mon, 13 Nov 2017 17:04:55 -0500


Rightly or wrongly, distributions etc pay attention to CVEs, so I think
an official response from Emacs on this issue would be good.

(My personal favourite is
https://security-tracker.debian.org/tracker/CVE-2017-1000383 )




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#29182; Package emacs. Full text available.

Message received at 29182 <at> debbugs.gnu.org:


From: Glenn Morris <rgm@HIDDEN>
To: 29182 <at> debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Tue, 07 Nov 2017 14:29:25 -0500


One solution is to put backup files in a single (private) location,
rather than alongside the original file. This is achievable in Emacs
with eg

(setq backup-directory-alist '(("\\`/[^/|:][^/|]*:")
   ("." . "<HOME>/.emacs.d/backups")))

where ~/.emacs.d/backups is created mode 700. I've used this in my
personal config for years.

A very brief search suggests that this seems to be what newer editors
(eg LibreOffice) do for backup files.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#29182; Package emacs. Full text available.

Message received at 29182 <at> debbugs.gnu.org:


From: Glenn Morris <rgm@HIDDEN>
To: 29182 <at> debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Mon, 06 Nov 2017 20:57:26 -0500


I think the actual complaint appears at http://seclists.org/oss-sec/2017/q4/159
and could be summarized as "if you create a file, then make your umask
more restrictive, then edit it with Emacs, the backup file inherits the
same permissions as the original file, not the more restrictive umask
permissions".

Eg:
umask 002
touch foo
ls -l foo #   -> -rw-rw-r--
umask 007
emacs-25.3 -Q foo
 make some changes and save
touch foo2
ls -l foo*
 foo  -rw-rw-r--.
 foo~ -rw-rw-r--.
 foo2 -rw-rw----.

(With backup-by-copying non-nil, the result is the same.)

I don't really know what my opinion of this issue is...
I imagine I would have made the same reply as
http://seclists.org/oss-sec/2017/q4/184

 [Emacs] copies the permission from the file being edited. Although the
 [backup] file is readable by others this does not leak any information
 here, since the file being edited is already readable by others.

but this is dismissed with:

  ...it doesn't matter because a security assertion made via umask is
  being violated, so it wins a CVE. Also for example if you later delete
  that file and think you're safe the copy is still floating around
  world readable. Or you have something indexing the files and ignoring
  that file type, and the [~] gets indexed, and so on.

Anyway, you can probably find every shade of opinion on what to do about
this already expressed in that oss-sec thread or the related vim one.

I think I've found it useful many, many times that ~ files have the same
permissions as the originals.
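
Added example (not part of the original thread, and not Emacs code): a POSIX shell audit for the behaviour described in the message above. It lists backup files (names ending in "~") whose permission bits include any bit that a given umask would have cleared, and checks that a central backup directory, such as the ~/.emacs.d/backups suggested elsewhere in this thread, grants nothing to group or other. The function names are hypothetical; GNU `stat -c` is assumed, with BSD `stat -f` as a fallback.

```sh
#!/bin/sh
# Added example, not from the bug thread. All function names are hypothetical.

# file_mode PATH: print the permission bits in octal (e.g. 664).
# GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# violates_umask MODE MASK: succeed if MODE has any bit that MASK would clear.
# Both arguments are octal strings; the leading 0 makes the shell read them
# as octal constants.
violates_umask() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

# audit_backups DIR [MASK]: print "MODE PATH" for every regular file named *~
# under DIR whose mode is wider than MASK (default: the current umask).
# Paths containing newlines are not handled.
audit_backups() {
    audit_dir=$1
    audit_mask=${2:-$(umask)}
    find "$audit_dir" -type f -name '*~' 2>/dev/null |
    while IFS= read -r backup; do
        mode=$(file_mode "$backup")
        if violates_umask "$mode" "$audit_mask"; then
            printf '%s %s\n' "$mode" "$backup"
        fi
    done
}

# dir_is_private DIR: succeed only if DIR exists and grants no access to
# group or other (i.e. it is mode 700 or stricter).
dir_is_private() {
    [ -d "$1" ] || return 1
    if violates_umask "$(file_mode "$1")" 077; then
        return 1
    fi
    return 0
}

# Script usage: sh audit.sh DIR [MASK]
if [ "$#" -gt 0 ]; then
    audit_backups "$@"
fi
```

A reported file is not automatically a leak: as the thread notes, the backup carries the same mode as the original, so compare it with the original file before tightening anything.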





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#29182; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Glenn Morris <rgm@HIDDEN>
To: submit <at> debbugs.gnu.org
Subject: CVE-2017-1000383: umask and backup files
Date: Mon, 06 Nov 2017 16:56:18 -0500

Package: emacs
Version: 25.3
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000383

  GNU Emacs version 25.3.1 (and other versions most likely) ignores umask
  when creating a backup save file ("[ORIGINAL_FILENAME]~") resulting in
  files that may be world readable or otherwise accessible in ways not
  intended by the user running the emacs binary.

[I'm not sure why this apparently hasn't been reported here before now?]




Report forwarded to bug-gnu-emacs@HIDDEN:
bug#29182; Package emacs. Full text available.
Last modified: Sun, 19 Jan 2020 15:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.