Steve Grubb of Red Hat discovered that the vcdiff script as shipped with Emacs (confirmed in versions 20.7 to 22.1.50) uses temporary files insecurely, which makes it possible for a local attacker to conduct a symlink attack and make the victim overwrite an arbitrary file.
This issue is under embargo until April 11th. I don't think we need to prestable this, but please prepare an ebuild to be committed on that date.
Created attachment 149105: emacs-vcsdiff-tmp-race.patch
app-editors/xemacs is also affected.
According to the documentation this file is only used with SCCS, so you have to wonder how many people will still be bitten by this. In any case I've prepared a patched xemacs-21.4.21-r1.
(In reply to comment #4) > According to the documentation this file is only used with SCCS, so you have > to wonder how many people will still be bitten by this. Seems it is still used at Red Hat. ;-) Anyhow, ebuilds for patched GNU Emacs 21 and 22 are ready. Emacs 18 is not affected.
Fixed versions for GNU Emacs committed: emacs-21.4-r15 emacs-22.1-r4 emacs-22.2-r1 I've committed 21.4-r15 and 22.1-r4 straight to stable, since there seems to be no sensible way for arch teams to test vcdiff (we don't have SCCS, and vcdiff doesn't work with dev-util/cssc). Concerning comment 4, I'd like to propose that the severity is decreased to B3, because only a tiny fraction of users will be affected by this issue.
app-editors/xemacs-21.4.21-r1 is now in the tree, and based on Ulrich's reasoning in comment 6 I've also committed straight to stable.
It's a vote. Considering we have no way to use it, I'd consider it lower priority than others of the same type. So, I'd go with NO.
The live ebuilds in app-editors/emacs-cvs (nothing stable there) still suffer from this, and I am waiting for upstream fixing it. Upstream has been informed of the issue, I suppose?
(In reply to comment #9) > The live ebuilds in app-editors/emacs-cvs (nothing stable there) still suffer > from this, and I am waiting for upstream fixing it. Fixed upstream: 2008-04-18 Steve Grubb <sgrubb@redhat.com> (tiny change) * vcdiff: Use mktemp (CVE-2008-1694).
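The pattern behind comment 0 and the upstream fix in comment 10 (a predictable temp-file name in a shared directory versus mktemp), as an added example that is not the vcdiff script or any code from this bug. The script below is constructed for illustration: the scratch directory, file names and "victim" file are all made up, and the attacker's symlink is planted by the same shell for determinism, where a real attacker would race from another process after guessing the PID.

```shell
#!/bin/sh
# Constructed demo of an insecure temp-file pattern and its mktemp fix.
# Not the vcdiff script; all paths below are invented for the demo.

# Private scratch directory so the demo never touches the real /tmp.
DEMO_DIR=$(mktemp -d) || exit 1

# INSECURE: a name built from the PID is guessable, and the shell's
# ">" redirection follows whatever already sits at that path,
# symlink included, so the write lands wherever the attacker pointed it.
insecure_write() {
    tmp="$DEMO_DIR/vcdiff.$$"
    echo "diff output" > "$tmp"
    printf '%s\n' "$tmp"
}

# SAFE: mktemp creates a fresh file with an unpredictable suffix using
# O_CREAT|O_EXCL, so nothing (and no symlink) can pre-exist at the path
# it hands back. Failure is checked instead of falling through.
safe_write() {
    tmp=$(mktemp "$DEMO_DIR/vcdiff.XXXXXX") || return 1
    echo "diff output" > "$tmp"
    printf '%s\n' "$tmp"
}

# Attacker step: plant a symlink at the predictable path, pointing at a
# file the victim owns and can write to ("victim" is a made-up target).
plant_symlink() {
    victim="$DEMO_DIR/victim"
    printf 'original\n' > "$victim"
    ln -sf "$victim" "$DEMO_DIR/vcdiff.$$"
}

# Returns 0 if the victim file was overwritten by the temp-file write.
victim_clobbered() {
    [ "$(cat "$DEMO_DIR/victim")" = "diff output" ]
}

# Returns 0 if the victim file still holds its original contents.
victim_intact() {
    [ "$(cat "$DEMO_DIR/victim")" = "original" ]
}

# Remove the scratch directory when done.
cleanup() {
    rm -rf "$DEMO_DIR"
}
```

Running plant_symlink followed by insecure_write clobbers the victim file; running plant_symlink followed by safe_write leaves it untouched because mktemp never returns the planted path. The check a reviewer wants on a script like this is that every temp path comes from mktemp (or equivalent O_EXCL creation) and that its exit status is tested, since an unchecked failure can leave an empty variable and a write to an unintended location.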
Forgot to say: fixed in release snapshot.
Thought I did already... but also voting no here.