Bug#: 216880
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Attachment: emacs-vcsdiff-tmp-race.patch (patch; created by Robert Buchholz, 2008-04-08 15:07 0000; 831 bytes)


Description: Opened: 2008-04-08 15:05 0000
Steve Grubb of Red Hat discovered that the vcdiff script as shipped with Emacs
(confirmed in versions 20.7 to 22.1.50) uses temporary files insecurely,
which makes it possible for a local attacker to conduct a symlink attack and
make the victim overwrite arbitrary files.

------- Comment #1 From Robert Buchholz 2008-04-08 15:07:14 0000 -------
This issue is under embargo until April 11th. I don't think we need to
prestable this, but please prepare an ebuild to be committed on that date.

------- Comment #2 From Robert Buchholz 2008-04-08 15:07:43 0000 -------
Created an attachment (id=149105) [details]
emacs-vcsdiff-tmp-race.patch

------- Comment #3 From Ulrich Müller 2008-04-08 16:01:00 0000 -------
app-editors/xemacs is also affected.

------- Comment #4 From Hans de Graaff 2008-04-09 06:33:48 0000 -------
According to the documentation this file is only used with SCCS, so you have to
wonder how many people will still be bitten by this.

In any case I've prepared a patched xemacs-21.4.21-r1

------- Comment #5 From Ulrich Müller 2008-04-09 12:14:34 0000 -------
(In reply to comment #4)
> According to the documentation this file is only used with SCCS, so you have
> to wonder how many people will still be bitten by this.

Seems it is still used at Red Hat. ;-)

Anyhow, ebuilds for patched GNU Emacs 21 and 22 are ready.
Emacs 18 is not affected.

------- Comment #6 From Ulrich Müller 2008-04-11 14:00:39 0000 -------
Fixed versions for GNU Emacs committed:
   emacs-21.4-r15
   emacs-22.1-r4
   emacs-22.2-r1

I've committed 21.4-r15 and 22.1-r4 straight to stable, since there seems to be
no sensible way for arch teams to test vcdiff (we don't have SCCS, and
vcdiff doesn't work with dev-util/cssc).

Concerning comment 4, I'd like to propose that the severity is decreased to B3,
because only a tiny fraction of users will be affected by this issue.

------- Comment #7 From Hans de Graaff 2008-04-11 14:19:35 0000 -------
app-editors/xemacs-21.4.21-r1 is now in the tree, and based on Ulrich's
reasoning in comment 6 I've also committed straight to stable.

------- Comment #8 From Robert Buchholz 2008-04-11 14:45:37 0000 -------
It's a vote. Considering we have no way to use it, I'd consider it lower
priority than other vulnerabilities of the same type. So, I'd go
over NO.

------- Comment #9 From Ulrich Müller 2008-04-13 10:49:46 0000 -------
The live ebuilds in app-editors/emacs-cvs (nothing stable there) still suffer
from this, and I am waiting for upstream fixing it.

Upstream has been informed of the issue, I suppose?

------- Comment #10 From Ulrich Müller 2008-04-19 08:24:55 0000 -------
(In reply to comment #9)
> The live ebuilds in app-editors/emacs-cvs (nothing stable there) still suffer
> from this, and I am waiting for upstream fixing it.

Fixed upstream:

2008-04-18  Steve Grubb  <sgrubb@redhat.com>  (tiny change)

        * vcdiff: Use mktemp (CVE-2008-1694).

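The bug as described (a predictable temporary file name under a world-writable directory, which a local attacker pre-links to a file the victim can write) and the upstream fix in comment 10 ("Use mktemp") are shown side by side below. This is an added example written for this page, not the vcdiff script itself or Steve Grubb's patch: the `vcdiff.$$` naming scheme, the helper names and the "attacker" steps are constructed for the demonstration. Both demos run in a private directory created with `mktemp -d`, so they do not touch the real /tmp and are not affected by the `fs.protected_symlinks` sysctl (which only restricts symlink following in sticky world-writable directories, and is no substitute for fixing the script).

```shell
#!/bin/sh
# Added example (not the vcdiff script): the insecure temp-file pattern
# beside the mktemp-based fix. Names, scratch dir and attacker steps are
# constructed here for the demonstration.
set -u

# Vulnerable pattern (assumed naming scheme vcdiff.$$): a predictable path,
# opened with plain redirection. `>` follows an existing symlink, so an
# attacker who plants one first makes the victim overwrite its target.
write_tmp_insecure() {   # $1 = tmp dir, $2 = content; prints the path used
    tmp="$1/vcdiff.$$"
    printf '%s\n' "$2" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Hardened: mktemp creates a fresh, unpredictable name with O_CREAT|O_EXCL
# and mode 0600, so a pre-planted symlink is never followed.
write_tmp_secure() {     # $1 = tmp dir, $2 = content; prints the path used
    tmp=$(mktemp "$1/vcdiff.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Simulated local attacker: pre-create a symlink at the path the victim
# will use, pointing at a file the attacker wants clobbered.
# Returns 0 if the victim's file was overwritten (attack succeeded).
demo_insecure() {
    dir=$(mktemp -d) || return 2
    victim="$dir/victim.txt"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$dir/vcdiff.$$"       # attacker guesses the PID-based name
    write_tmp_insecure "$dir" "attacker-controlled" > /dev/null
    content=$(cat "$victim")
    rm -rf "$dir"
    [ "$content" = "attacker-controlled" ]
}

# Same attacker, hardened writer. Returns 0 if the victim file survived and
# the temp file actually created is a regular file, not the planted symlink.
demo_secure() {
    dir=$(mktemp -d) || return 2
    victim="$dir/victim.txt"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$dir/vcdiff.$$"
    tmp=$(write_tmp_secure "$dir" "attacker-controlled") || { rm -rf "$dir"; return 1; }
    content=$(cat "$victim")
    [ "$content" = "original" ] && [ -f "$tmp" ] && [ ! -L "$tmp" ]
    status=$?
    rm -rf "$dir"
    return $status
}

if demo_insecure; then echo "insecure writer: victim file clobbered via symlink"; fi
if demo_secure;   then echo "mktemp writer: victim file untouched"; fi
```

Run it as `sh example.sh`; both lines print on a system with a standard `mktemp`. The point is not the PID guess itself (on a real box the attacker sprays symlinks for a range of likely PIDs or races the script), but that a name the attacker can predict plus a plain `>` redirection is enough, and that `mktemp` removes both halves of that condition.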
------- Comment #11 From Peter Volkov 2008-04-21 08:24:30 0000 -------
Forgot to say: fixed in release snapshot.

------- Comment #12 From Matthias Geerdsen 2008-04-29 13:09:36 0000 -------
Thought I did already... but also voting no here.
