194713 2007-10-04 14:38 0000 app-editors/emacs-cvs, app-emacs/tramp: mktemp insecure file creation (CVE-2007-5377) 2007-10-24 10:58:31 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00132.html B3? [glsa] SECURITY P2 minor --- 1 ulm@gentoo.org security@gentoo.org emacs@gentoo.org xemacs@gentoo.org ulm@gentoo.org 2007-10-04 14:38:21 0000 According to http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00132.html there might be a "temp file hole" in Emacs functions tramp-make-temp-file and tramp-make-tramp-temp-file. Affected ebuilds: =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot) =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked) =app-editors/emacs-cvs-23.0.50 (live CVS) =app-emacs/tramp-2.1.10-r1 (stable) I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_ affected by the problem. fauli@gentoo.org 2007-10-04 15:05:35 0000 (In reply to comment #0) > =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot) Can be masked, we want it in the tree as reference because shortly after big changes were introduced into upstream's tree. Patch it? > =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked) > =app-editors/emacs-cvs-23.0.50 (live CVS) Will regulate itself by upstream, we can do a revision bump to force users to upgrade. > =app-emacs/tramp-2.1.10-r1 (stable) Will be patched by us. > I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_ > affected by the problem. And you even filed it faster than me! Here I propose B3 as severity, because confidential information can leak. ulm@gentoo.org 2007-10-06 16:29:24 0000 Upstream has committed a patch to their CVS, and I have backported it to app-emacs/tramp-2.1.10 and app-editors/emacs-cvs-22.1.50_p20070829. I still have to do some more testing, but I hope I can commit new ebuilds for both this evening. ulm@gentoo.org 2007-10-06 18:02:06 0000 Current status: =app-editors/emacs-cvs-22.1.50_p20070829 fixed in -r1 =app-editors/emacs-cvs-23.0.0-r7 live CVS, not yet fixed, hardmasked =app-editors/emacs-cvs-23.0.50 live CVS, was fixed by upstream security team: asking you for advice, is a revbump needed here? =app-emacs/tramp-2.1.10-r1 fixed in -r2 Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2 Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans> dertobi123@gentoo.org 2007-10-06 21:30:06 0000 (In reply to comment #3) > Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2 > Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans> ppc stable fauli@gentoo.org 2007-10-06 21:52:41 0000 x86 stable armin76@gentoo.org 2007-10-09 17:32:33 0000 alpha/sparc stable kingtaco@gentoo.org 2007-10-11 07:31:25 0000 amd64 stable ulm@gentoo.org 2007-10-11 07:38:54 0000 app-emacs/tramp-2.1.10-r1 removed. Everything fixed (or hardmasked) now. aetius@gentoo.org 2007-10-11 21:35:31 0000 Your typical insecure temp file creation bug, I vote yes for GLSA. py@gentoo.org 2007-10-11 21:37:31 0000 voting yes too, and request filed. ulm@gentoo.org 2007-10-11 21:51:54 0000 Vulnerable versions: app-emacs-tramp <2.1.10-r2 Unaffected versions: app-emacs/tramp <2.1, >=2.1.10-r2 app-editors/emacs-cvs never had any stable version. py@gentoo.org 2007-10-20 21:24:53 0000 GLSA 200710-22 graaff@gentoo.org 2007-10-24 10:58:31 0000 Just to be explicit about this: app-xemacs/tramp-1.37 is based on tramp 2.0.55 and thus not affected by this bug. When a new version of app-xemacs/tramp is generated upstream we (=xemacs herd) should check that this is not based on a version that has this issue.