oss-sec mailing list archives
Re: CVE Request - Predictable temporary filenames in GNU Emacs
From: cve-assign () mitre org
Date: Wed, 7 May 2014 15:35:56 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428#8
The reports are about unrelated Emacs Lisp files that are bundled with GNU Emacs. In situations such as this, the various files with vulnerable code were, almost certainly, first introduced in different GNU Emacs versions. Thus, the issues in each file have separate CVE IDs based on the different earliest version of GNU Emacs that is affected. We don't necessarily provide details of what these versions are as part of the CVE assignment process or even the CVE publication process. However, for example, http://cvs.savannah.gnu.org/viewvc/emacs/emacs/lisp/gnus/gnus-fun.el says "file gnus-fun.el was initially added on branch gnus-5_10-branch" suggesting early 2000s, whereas the Mosaic support in browse-url.el is obviously from the 1990s. All of the files allow symlink attacks, and that is the scope of each Emacs CVE assignment. If anyone was interested in CVE IDs for unrelated Emacs vulnerabilities (e.g., if the find-gc.el "horrific invocations" problem allows injection of commands into csh command lines), those IDs would need to be assigned separately, even if the issues were fixed as a side effect of the current patch.
lisp/gnus/gnus-fun.el: In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is used, blindly allowing the existing file to be truncated, and symlinks followed.
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html
Use CVE-2014-3421.
lisp/emacs-lisp/find-gc.el: In the function `trace-call-tree` there are some horrific invocations of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html
Use CVE-2014-3422.
lisp/net/browse-url.el In the function `browse-url-mosaic` the file "/tmp/Mosaic.$PID" is blindly overwritten. Suspect this whole function is obsolete though :)
Not an (Emacs) bug.
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html
+ ;; This is a predictable temp-file name, which is bad, + ;; but it is what Mosaic uses/used. + ;; So it's not Emacs's problem. http://bugs.debian.org/747100
We didn't quite understand the reasoning here. Mosaic reads the /tmp/Mosaic.##### file. This doesn't seem to imply that Emacs is entitled to write "newwin" and "goto" records into that file without considering that it might be a symlink. Even if not all symlink attacks could be prevented, one might want a countermeasure against the easiest attacks. Alternatively, writing to /tmp/Mosaic.##### could perhaps just be removed, on the basis that the threat is more realistic than is actual use of Mosaic. (The threat model is that someone's home directory has a .mosaicpid file left over from the 1990s, and that PID happens to be in use.) Use CVE-2014-3423 for the Emacs vulnerability associated with a symlink attack against a /tmp/Mosaic.##### file (this is similar to CVE-2008-4994). CVE IDs for Mosaic are presumably not too useful at this point, but it seems best to assign the most obvious ones, so that we are not blaming Emacs for the entirety of the problem. From the Mosaic CHANGES file: From 2.0 to 2.1 Remote control users and script writers take note: control filename changed from /tmp/xmosaic.pid to /tmp/Mosaic.pid. This is the final such change, forever. CVE-2014-3425: Mosaic 2.0 allows local users to cause a denial of service ("remote control" outage) by creating a /tmp/xmosaic.pid file for every possible PID. CVE-2014-3426: Mosaic 2.1 allows local users to cause a denial of service ("remote control" outage) by creating a /tmp/Mosaic.pid file for every possible PID.
lisp/net/tramp.el The function `tramp-uudecode`, a fallback if a real uudecoding binary is not present, blindly uses "/tmp/tramp.$PID", truncating and removing the file.
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00060.html
Use CVE-2014-3424. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTaopdAAoJEKllVAevmvmsZQcIALFr9HW1w7EilWkopoNA/zf0 un2ayYlwdtm3LXJVitmfubYobJsoL+U7XogBAkLxo8XgQEBG47lD2k0jIwKJmJeU 26vsmE47OKmT4uTG8DTB5q6mK3+OoZ5s+ysLEfC7vj4wqfoEF2TVhZvYH6EkA17f V4SdYU9GkRUNT/yL854+LehOZEg9fuSjpRPHsdUOkz/WLei7HUynoV+QANO+Tb/c C3dvPTjtp07zhHQd+CdKKilYQttDBlwgIalt1oflvJ0Nc7ve77dnbkfnuFJbrcyl yJnecaewhd9RvP2cnvVh4lBl04ols6NrrQbVtlQ4DQsW2+VRDD8E5lrSAuoFAbI= =9lO/ -----END PGP SIGNATURE-----
Current thread:
- CVE Request - Predictable temporary filenames in GNU Emacs Steve Kemp (May 07)
- Re: CVE Request - Predictable temporary filenames in GNU Emacs cve-assign (May 07)