Bug 194713 - app-editors/emacs-cvs, app-emacs/tramp: mktemp insecure file creation (CVE-2007-5377)
Bug#: 194713 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: ulm@gentoo.org
Component: Vulnerabilities
URL:  http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00132.html
Summary: app-editors/emacs-cvs, app-emacs/tramp: mktemp insecure file creation (CVE-2007-5377)
Keywords:  SECURITY
Status Whiteboard: B3? [glsa]
Opened: 2007-10-04 14:38 0000
Description:   Opened: 2007-10-04 14:38 0000 
According to
http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00132.html there might
be a "temp file hole" in Emacs functions tramp-make-temp-file and
tramp-make-tramp-temp-file.

Affected ebuilds:

   =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot)
   =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked)
   =app-editors/emacs-cvs-23.0.50 (live CVS)
   =app-emacs/tramp-2.1.10-r1 (stable)

I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_
affected by the problem.

------- Comment #1 From Christian Faulhammer 2007-10-04 15:05:35 0000 ------- 
(In reply to comment #0)
>    =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot)

 Can be masked, we want it in the tree as reference because shortly after big
changes were introduced into upstream's tree.  Patch it?

>    =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked)
>    =app-editors/emacs-cvs-23.0.50 (live CVS)

 Will regulate itself by upstream, we can do a revision bump to force users to
upgrade.

>    =app-emacs/tramp-2.1.10-r1 (stable)

 Will be patched by us.

> I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_
> affected by the problem.

 And you even filed it faster than me! 

Here I propose B3 as severity, because confidential information can leak.

------- Comment #2 From Ulrich Müller 2007-10-06 16:29:24 0000 ------- 
Upstream has committed a patch to their CVS, and I have backported it to
app-emacs/tramp-2.1.10 and app-editors/emacs-cvs-22.1.50_p20070829.

I still have to do some more testing, but I hope I can commit new ebuilds for
both this evening.

------- Comment #3 From Ulrich Müller 2007-10-06 18:02:06 0000 ------- 
Current status:

=app-editors/emacs-cvs-22.1.50_p20070829
   fixed in -r1

=app-editors/emacs-cvs-23.0.0-r7
   live CVS, not yet fixed, hardmasked

=app-editors/emacs-cvs-23.0.50
   live CVS, was fixed by upstream
   security team: asking you for advice, is a revbump needed here?

=app-emacs/tramp-2.1.10-r1
   fixed in -r2


Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2
Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans>

------- Comment #4 From Tobias Scherbaum 2007-10-06 21:30:06 0000 ------- 
(In reply to comment #3)
> Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2
> Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans>

ppc stable

------- Comment #5 From Christian Faulhammer 2007-10-06 21:52:41 0000 ------- 
x86 stable

------- Comment #6 From Raúl Porcel 2007-10-09 17:32:33 0000 ------- 
alpha/sparc stable

------- Comment #7 From Mike Doty 2007-10-11 07:31:25 0000 ------- 
amd64 stable

------- Comment #8 From Ulrich Müller 2007-10-11 07:38:54 0000 ------- 
app-emacs/tramp-2.1.10-r1 removed.
Everything fixed (or hardmasked) now.

------- Comment #9 From Matt Drew 2007-10-11 21:35:31 0000 ------- 
Your typical insecure temp file creation bug, I vote yes for GLSA.

------- Comment #10 From Pierre-Yves Rofes 2007-10-11 21:37:31 0000 ------- 
voting yes too, and request filed.

------- Comment #11 From Ulrich Müller 2007-10-11 21:51:54 0000 ------- 
Vulnerable versions:
app-emacs-tramp   <2.1.10-r2

Unaffected versions:
app-emacs/tramp   <2.1, >=2.1.10-r2

app-editors/emacs-cvs never had any stable version.

------- Comment #12 From Pierre-Yves Rofes 2007-10-20 21:24:53 0000 ------- 
GLSA 200710-22

------- Comment #13 From Hans de Graaff 2007-10-24 10:58:31 0000 ------- 
Just to be explicit about this: app-xemacs/tramp-1.37 is based on tramp 2.0.55
and thus not affected by this bug. When a new version of app-xemacs/tramp is
generated upstream we (=xemacs herd) should check that this is not based on a
version that has this issue.