Bugtraq mailing list archives
Re: RUS-CERT Advisory 200004-01: GNU Emacs 20
From: glynn () SENSEI CO UK (Glynn Clements)
Date: Thu, 20 Apr 2000 04:47:33 +0100
Dan Harkless wrote:
RUS-CERT Advisory 200004-01: GNU Emacs 20

As an XEmacs user, I would have liked to have seen one of the following statements:

* These vulnerabilities only apply to GNU Emacs, not XEmacs.
* We do not know if these vulnerabilities also apply to XEmacs.
* These vulnerabilities apply equally to GNU Emacs and XEmacs.
I guess that it would be option 2.
On the systems listed above, when a new subprocess is created using the builtin Lisp function start-process, Emacs doesn't set proper permissions for the slave PTY device.
On XEmacs, start-process only uses a pty if process-connection-type is "t", otherwise it uses (unnamed) pipes.
2. Unsafe creation of temporary files

2.1. Scope

All Unix-like Emacs platforms on which public directories are used to store temporary files.
Recent versions of XEmacs honour $TMPDIR, so there shouldn't be any need to use public directories.
3.3. Problem

Functions like read-passwd do not clear the history of recently typed keys. In fact, there is no way to do that from Emacs Lisp.
Ditto for XEmacs.

--
Glynn Clements <glynn () sensei co uk>
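
The $TMPDIR point in the message above, as an added example that is not part of the original post or the advisory: a shell function that creates and verifies a private temporary directory before it is exported as TMPDIR. The function name private_tmpdir and the path $HOME/.tmp-private are assumptions of this example.

```shell
#!/bin/sh
# Added example: hand the editor a private temporary directory via $TMPDIR
# instead of a public one. Function name and paths are hypothetical.

# private_tmpdir DIR
# Creates DIR with mode 0700 if it is missing, then verifies it.
# Prints DIR and returns 0 only when DIR is a real directory (not a symlink),
# owned by the caller, with no group or world permission bits.
private_tmpdir() {
    dir=$1
    [ -n "$dir" ] || return 2

    # A symlink could redirect temporary files to a location chosen by
    # another user, so refuse it before doing anything else.
    if [ -L "$dir" ]; then
        echo "refusing $dir: is a symlink" >&2
        return 1
    fi

    if [ ! -e "$dir" ]; then
        # The umask keeps the mode tight from the moment of creation.
        (umask 077 && mkdir "$dir") || return 1
    fi

    if [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        echo "refusing $dir: not a directory owned by this user" >&2
        return 1
    fi

    # The permission string must be rwx for the owner and nothing else.
    case $(ls -ld -- "$dir") in
        drwx------*) ;;
        *) echo "refusing $dir: group/world bits set" >&2; return 1 ;;
    esac

    printf '%s\n' "$dir"
}

# Usage: export TMPDIR only when the check passes, then start the editor.
# TMPDIR=$(private_tmpdir "$HOME/.tmp-private") && export TMPDIR && exec xemacs "$@"
```

The function refuses a pre-existing directory with loose permissions rather than silently tightening it, since files may already have been planted there.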