oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE Request - Predictable temporary filenames in GNU Emacs

From: Steve Kemp <steve () steve org uk>
Date: Wed, 7 May 2014 09:48:44 +0100

  I reported these bugs on the Debian tracker on Monday:

       https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100

  In brief some of the bundled Emacs Lisp uses predictable
 /tmpfile names insecurely:


 lisp/gnus/gnus-fun.el:
   In the function `gnus-grab-cam-face` the file "/tmp/gnus.face.ppm" is
  used, blindly allowing the existing file to be truncated, and symlinks
  followed.

 lisp/emacs-lisp/find-gc.el:
   In the function `trace-call-tree` there are some horrific invocations
  of the csh, which manipulate the directory and symlinks beneath "/tmp/esrc".

 lisp/net/tramp.el
   The function `tramp-uudecode`, a fallback if a real uudecoding binary
  is not present, blindly uses "/tmp/tramp.$PID", truncating and removing
  the file.

   All these have been fixed now, and the GNU bug report contains
 links to the commits that are appropriate:

       http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428

Steve
-- 
http://www.steve.org.uk/
Previous By Date Next
Previous By Thread Next

Current thread: