GNU bug report logs -
#29182
CVE-2017-1000383: umask and backup files
Previous Next
Reported by: Glenn Morris <rgm <at> gnu.org>
Date: Mon, 6 Nov 2017 21:57:02 UTC
Severity: normal
Tags: notabug, security, wontfix
Found in version 25.3
Done: Stefan Kangas <stefan <at> marxist.se>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 29182 in the body.
You can then email your comments to 29182 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#29182
; Package
emacs
.
(Mon, 06 Nov 2017 21:57:02 GMT)
Full text and
rfc822 format available.
Message #3 received at submit <at> debbugs.gnu.org (full text, mbox):
Package: emacs
Version: 25.3
Tags: security
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000383
GNU Emacs version 25.3.1 (and other versions most likely) ignores umask
when creating a backup save file ("[ORIGINAL_FILENAME]~") resulting in
files that may be world readable or otherwise accessible in ways not
intended by the user running the emacs binary.
[I'm not sure why this apparently hasn't been reported here before now?]
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#29182
; Package
emacs
.
(Tue, 07 Nov 2017 01:58:01 GMT)
Full text and
rfc822 format available.
Message #6 received at 29182 <at> debbugs.gnu.org (full text, mbox):
I think the actual complaint appears at http://seclists.org/oss-sec/2017/q4/159
and could be summarized as "if you create a file, then make your umask
more restrictive, then edit it with Emacs, the backup file inherits the
same permissions as the original file, not the more restrictive umask
permissions".
Eg:
umask 002
touch foo
ls -l foo # -> -rw-rw-r--
umask 007
emacs-25.3 -Q foo
make some changes and save
touch foo2
ls -l foo*
foo -rw-rw-r--.
foo~ -rw-rw-r--.
foo2 -rw-rw----.
(With backup-by-copying non-nil, the result is the same.)
I don't really know what my opinion of this issue is...
I imagine I would have made the same reply as
http://seclists.org/oss-sec/2017/q4/184
[Emacs] copies the permission from the file being edited. Although the
[backup] file is readable by others this does not leak any information
here, since the file being edited is already readable by others.
but this is dismissed with:
...it doesn't matter because a security assertion made via umask is
being violated, so it wins a CVE. Also for example if you later delete
that file and think you're safe the copy is still floating around
world readable. Or you have something indexing the files and ignoring
that file type, and the [~] gets indexed, and so on.
Anyway, you can probably find every shade of opinion on what to do about
this already expressed in that oss-sec thread or the related vim one.
I think I've found it useful many, many times that ~ files have the same
permissions as the originals.
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#29182
; Package
emacs
.
(Tue, 07 Nov 2017 19:30:02 GMT)
Full text and
rfc822 format available.
Message #9 received at 29182 <at> debbugs.gnu.org (full text, mbox):
One solution is to put backup files in a single (private) location,
rather than alongside the original file. This is achievable in Emacs
with eg
(setq backup-directory-alist '(("\\`/[^/|:][^/|]*:")
("." . "<HOME>/.emacs.d/backups")))
where ~/.emacs.d/backups is created mode 700. I've used this in my
personal config for years.
A very brief search suggests that this seems to be what newer editors
(eg LibreOffice) do for backup files.
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#29182
; Package
emacs
.
(Mon, 13 Nov 2017 22:06:02 GMT)
Full text and
rfc822 format available.
Message #12 received at 29182 <at> debbugs.gnu.org (full text, mbox):
Rightly or wrong, distributions etc pay attention to CVEs, so I think
an official response from Emacs on this issue would be good.
(My personal favourite is
https://security-tracker.debian.org/tracker/CVE-2017-1000383 )
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#29182
; Package
emacs
.
(Tue, 14 Nov 2017 15:25:02 GMT)
Full text and
rfc822 format available.
Message #15 received at 29182 <at> debbugs.gnu.org (full text, mbox):
> From: Glenn Morris <rgm <at> gnu.org>
> Date: Mon, 13 Nov 2017 17:04:55 -0500
>
> Rightly or wrong, distributions etc pay attention to CVEs, so I think
> an official response from Emacs on this issue would be good.
I'm not sure how should we provide an official response there. The
list there is mostly of issues with very old versions, and there's a
reference to bug reports which were closed. What else is needed? And
what's the procedure?
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#29182
; Package
emacs
.
(Sun, 06 Oct 2019 04:10:02 GMT)
Full text and
rfc822 format available.
Message #18 received at 29182 <at> debbugs.gnu.org (full text, mbox):
Eli Zaretskii <eliz <at> gnu.org> writes:
>> From: Glenn Morris <rgm <at> gnu.org>
>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>
>> Rightly or wrong, distributions etc pay attention to CVEs, so I think
>> an official response from Emacs on this issue would be good.
>
> I'm not sure how should we provide an official response there. The
> list there is mostly of issues with very old versions, and there's a
> reference to bug reports which were closed. What else is needed? And
> what's the procedure?
OK, so this is almost 2 years old now, but I've looked into it a bit.
This CVE has been rejected by at least Debian ("this CVE assignment is
nonsense"), Redhat (bug has status "CLOSED WONTFIX") and Gentoo (bug has
status "INVALID").
I think it's fair to say that we don't want to "fix" this, since it
should not really have been a CVE in the first place.
I suggest to do the following:
1. There is a CVE status called disputed. We should try to acquire that
status. More information at:
https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry
It would be good if someone more senior than me tried to contact
MITRE, who handles the CVE to see how that works. AFAICT, the way to
contact them is through this web form: https://cveform.mitre.org/
2. Tag this bug as wontfix.
If MITRE don't reply, or do nothing -- fine, we close the bug. If they
do reply, or better yet add the status disputed -- good, it's there for
posterity. We then close the bug.
Best regards,
Stefan Kangas
PS. This CVE has the tag "withdrawn" in a Github repository which seems
to be handled by the CVE team at MITRE. Not sure what that means, if
anything, but it seemed interesting enough to mention.
https://github.com/CVEProject/cvelist/pull/19
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#29182
; Package
emacs
.
(Sun, 06 Oct 2019 13:18:02 GMT)
Full text and
rfc822 format available.
Message #21 received at 29182 <at> debbugs.gnu.org (full text, mbox):
Stefan Kangas <stefan <at> marxist.se> writes:
> PS. This CVE has the tag "withdrawn" in a Github repository which seems
> to be handled by the CVE team at MITRE. Not sure what that means, if
> anything, but it seemed interesting enough to mention.
>
> https://github.com/CVEProject/cvelist/pull/19
I think it's just that specific pull request which has status
"withdrawn", because it accidentally lumps together unrelated commits.
The CVE file itself doesn't mention anything about "withdrawn".
https://github.com/CVEProject/cvelist/blob/master/2017/1000xxx/CVE-2017-1000383.json
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#29182
; Package
emacs
.
(Tue, 08 Oct 2019 06:07:01 GMT)
Full text and
rfc822 format available.
Message #24 received at 29182 <at> debbugs.gnu.org (full text, mbox):
It is a silly CVE, but IMO backups belong by default in a private
subdirectory of user-emacs-directory (user-data-directory if such a
thing existed).
Information forwarded
to
bug-gnu-emacs <at> gnu.org
:
bug#29182
; Package
emacs
.
(Tue, 08 Oct 2019 09:26:02 GMT)
Full text and
rfc822 format available.
Message #27 received at 29182 <at> debbugs.gnu.org (full text, mbox):
Glenn Morris <rgm <at> gnu.org> writes:
> It is a silly CVE, but IMO backups belong by default in a private
> subdirectory of user-emacs-directory (user-data-directory if such a
> thing existed).
That's what I do, personally. But it's not unproblematic to do that
by default, in my opinion. What if I'm editing a file on an encrypted
filesystem, thinking that it's safe there, and Emacs silently saves a
copy of said file in my home directory on an unencrypted file system?
Best regards,
Stefan Kangas
Added tag(s) notabug and wontfix.
Request was from
Stefan Kangas <stefan <at> marxist.se>
to
control <at> debbugs.gnu.org
.
(Sun, 19 Jan 2020 15:26:02 GMT)
Full text and
rfc822 format available.
Reply sent
to
Stefan Kangas <stefan <at> marxist.se>
:
You have taken responsibility.
(Mon, 10 Aug 2020 16:26:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Glenn Morris <rgm <at> gnu.org>
:
bug acknowledged by developer.
(Mon, 10 Aug 2020 16:26:02 GMT)
Full text and
rfc822 format available.
Message #34 received at 29182-done <at> debbugs.gnu.org (full text, mbox):
Stefan Kangas <stefan <at> marxist.se> writes:
> Eli Zaretskii <eliz <at> gnu.org> writes:
>
>>> From: Glenn Morris <rgm <at> gnu.org>
>>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>>
>>> Rightly or wrong, distributions etc pay attention to CVEs, so I think
>>> an official response from Emacs on this issue would be good.
>>
>> I'm not sure how should we provide an official response there. The
>> list there is mostly of issues with very old versions, and there's a
>> reference to bug reports which were closed. What else is needed? And
>> what's the procedure?
>
> OK, so this is almost 2 years old now, but I've looked into it a bit.
That was 44 weeks ago.
> This CVE has been rejected by at least Debian ("this CVE assignment is
> nonsense"), Redhat (bug has status "CLOSED WONTFIX") and Gentoo (bug has
> status "INVALID").
>
> I think it's fair to say that we don't want to "fix" this, since it
> should not really have been a CVE in the first place.
>
> I suggest to do the following:
>
> 1. There is a CVE status called disputed. We should try to acquire that
> status. More information at:
> https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry
>
> It would be good if someone more senior than me tried to contact
> MITRE, who handles the CVE to see how that works. AFAICT, the way to
> contact them is through this web form: https://cveform.mitre.org/
>
> 2. Tag this bug as wontfix.
>
> If MITRE don't reply, or do nothing -- fine, we close the bug. If they
> do reply, or better yet add the status disputed -- good, it's there for
> posterity. We then close the bug.
No one seemed interested in doing (1) and I've tagged the bug as
proposed in (2).
I'm therefore closing this bug report now.
Best regards,
Stefan Kangas
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Tue, 08 Sep 2020 11:24:11 GMT)
Full text and
rfc822 format available.
This bug report was last modified 3 years and 230 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.