From ${URL} :

Steve Kemp discovered multiple temporary file handling issues in Emacs. A local attacker could use these flaws to perform symbolic link attacks against users running Emacs.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100

CVE-2014-3421 was assigned to the issue in lisp/gnus/gnus-fun.el
Upstream fix: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html

CVE-2014-3422 was assigned to the issue in lisp/emacs-lisp/find-gc.el
Upstream fix: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html

CVE-2014-3423 was assigned to the issue in lisp/net/browse-url.el (this one does not currently have a fix)
Upstream note: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html

CVE-2014-3424 was assigned to the issue in lisp/net/tramp.el
Upstream fix: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00060.html

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100
http://seclists.org/oss-sec/2014/q2/269
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17428

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Here is a table of emacs slots affected by the respective issues:

+---------------+----------------+-----+-----+-----+-----+-----+
| CVE           | file           | :18 | :21 | :22 | :23 | :24 |
+---------------+----------------+-----+-----+-----+-----+-----+
| CVE-2014-3421 | gnus-fun.el    | no  | no  | yes | yes | yes |
+---------------+----------------+-----+-----+-----+-----+-----+
| CVE-2014-3422 | find-gc.el     | no  | yes | yes | yes | yes |
+---------------+----------------+-----+-----+-----+-----+-----+
| CVE-2014-3423 | browse-url.el  | no  | yes | yes | yes | yes |
+---------------+----------------+-----+-----+-----+-----+-----+
| CVE-2014-3424 | tramp{,-sh}.el | no  | no  | yes | yes | yes |
+---------------+----------------+-----+-----+-----+-----+-----+

The reason why some old versions are unaffected is that they didn't yet include the code in question.

XEmacs is also affected (CCing XEmacs team):
- The code in gnus, browse-url, and tramp is very similar to that in GNU Emacs. This affects packages app-xemacs/gnus, app-xemacs/mail-lib, and app-xemacs/tramp, respectively.
- find-gc.el is part of app-xemacs/xemacs-devel, but the code is different, and doesn't seem to create any files in /tmp.

(In reply to Agostino Sarubbo from comment #0)
> CVE-2014-3423 was assigned to the issue in lisp/net/browse-url.el (this one
> does not currently have a fix)
> Upstream note:
> http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html

Should we wait for a fix for this one? AFAICS, Gentoo has never packaged Mosaic, so it's unlikely that users would have a ~/.mosaicpid file (and a process running under that pid). Security team, please advise.
(In reply to Ulrich Müller from comment #1)
> XEmacs is also affected (CCing XEmacs team):
> - The code in gnus, browse-url, and tramp is very similar to that in GNU
> Emacs. This affects packages app-xemacs/gnus, app-xemacs/mail-lib, and
> app-xemacs/tramp, respectively.
> - find-gc.el is part of app-xemacs/xemacs-devel, but the code is different,
> and doesn't seem to create any files in /tmp.

Reported to XEmacs upstream: http://tracker.xemacs.org/XEmacs/its/issue868
I've backported the upstream patches for CVE-2014-3421, 3422, and 3424 to Emacs versions 24.3 (trivial) and 23.4:
<http://git.overlays.gentoo.org/gitweb/?p=proj/emacs-tools.git;a=commit;h=f93ca92566a63f8dce17b92ae23b0e79757a0a36>

> CVE-2014-3423 was assigned to the issue in lisp/net/browse-url.el (this one
> does not currently have a fix)
> Upstream note:
> http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html

This can only be solved by removing the functionality for old Mosaic versions:
<http://git.overlays.gentoo.org/gitweb/?p=proj/emacs-tools.git;a=blob;f=emacs/24.3/07_all_browse-url-no-mosaic.patch;h=3ccab76711588e12152decd6a898edcab84c0953;hb=refs/heads/patchsets>

All four issues should therefore be fixed in these revisions:
app-editors/emacs-23.4-r9
app-editors/emacs-24.3-r5

CCing arch teams, please stabilise above ebuilds. (You'll need to stabilise the dependency app-emacs/emacs-common-gentoo-1.4-r1 as well.)
Is it really so hard to put three atoms on separate lines and put the target keywords on a separate line? Is it this? It can't be because this doesn't mention app-editors/xemacs yet.

=app-editors/emacs-23.4-r9
=app-editors/emacs-24.3-r5
=app-emacs/emacs-common-gentoo-1.4-r1

Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
(In reply to Jeroen Roovers from comment #4)
> Is it really so hard to put three atoms on separate lines and put the target
> keywords on a separate line?

All information is there in comment #3. Re-adding arch teams to CC, please stabilise:

app-editors/emacs-23.4-r9
app-editors/emacs-24.3-r5
app-emacs/emacs-common-gentoo-1.4-r1 (needed as dependency)
And no, waiting for XEmacs packages to be fixed before stabilising the GNU Emacs ones makes no sense.
(In reply to Agostino Sarubbo from comment #0)
> CVE-2014-3423 was assigned to the issue in lisp/net/browse-url.el (this one
> does not currently have a fix)

Patch from upstream is available now, using this in 23.4-r10 and 24.3-r6:
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00084.html

Arch teams, please stabilise:

app-editors/emacs-23.4-r10
app-editors/emacs-24.3-r6
app-emacs/emacs-common-gentoo-1.4-r1 (needed as dependency)
Thanks.
Stable for HPPA.
OK this vulnerability is affecting:
app-editors/emacs
app-xemacs/gnus
app-xemacs/mail-lib
app-xemacs/tramp
app-editors/xemacs ?

Some of them are listed as part of the bugs. Do we want to split this vulnerability up, for emacs and a new bug for xemacs, or just stabilize one and then call for another stabilization again later (which is confusing in my mind)?
(In reply to Yury German from comment #10)
> OK this vulnerability is affecting:
> app-editors/emacs
> app-xemacs/gnus
> app-xemacs/mail-lib
> app-xemacs/tramp
> app-editors/xemacs ?

app-editors/xemacs itself isn't affected. XEmacs is modular, so most of its lisp files are in separate packages.

> Some of them are listed as part of the bugs. Do we want to split this
> vulnerability up, for emacs a and a new bug for xemacs or just stabilize one
> and then call for another stabilization again later (which is confusing in
> my mind).

I've changed the Whiteboard for now. (This scheme was previously used in <https://bugs.gentoo.org/show_activity.cgi?id=221197>, so I hope it is o.k.)
arm stable
The app-xemacs/* packages have been updated upstream concerning the temporary file issues and are now in the state pre-released (as defined by upstream). I need to figure out the best way to get that into gentoo stable.
(In reply to Ulrich Müller from comment #7)
> Arch teams, please stabilise:
>
> app-editors/emacs-23.4-r10
> app-editors/emacs-24.3-r6
> app-emacs/emacs-common-gentoo-1.4-r1 (needed as dependency)

Update, please stabilise these versions:

app-editors/emacs-23.4-r11
app-editors/emacs-24.3-r6
app-emacs/emacs-common-gentoo-1.4-r1 (needed as dependency)
amd64 stable
alpha stable
ia64 stable
ppc64 stable
ppc stable
sparc stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #21) > Maintainer(s), please cleanup. All vulnerable versions of GNU Emacs removed.
CVE-2014-3424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3424):
lisp/net/tramp-sh.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/tramp.##### temporary file.

CVE-2014-3423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3423):
lisp/net/browse-url.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/Mosaic.##### temporary file.

CVE-2014-3422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3422):
lisp/emacs-lisp/find-gc.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file under /tmp/esrc/.

CVE-2014-3421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3421):
lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/gnus.face.ppm temporary file.
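The four NVD entries above all describe the same failure mode: a predictable file name under /tmp that is opened for writing without checking what already sits at that path. The following Python block is an added example (not Emacs code and not taken from this bug's patches) that stages that scenario inside a private temporary directory and shows the two standard fixes: refusing a pre-existing path with O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), and letting mkstemp pick an unpredictable name and create it exclusively, which is what Emacs Lisp's make-temp-file does at the Lisp level. The victim file, the planted link and the "gnus.face.ppm" name are constructed for the demonstration.

```python
"""Added example: a fixed /tmp name versus exclusive/unpredictable creation.

Everything runs inside a private TemporaryDirectory created here; the file
names and contents are constructed for the demonstration only.
"""
import errno
import os
import tempfile


def write_fixed_name(path: str, data: bytes) -> None:
    """Vulnerable pattern (the old /tmp/gnus.face.ppm style): a plain open(path, "wb")
    follows whatever already sits at that path, including a symlink another local
    user planted there, so the write lands in the symlink's target."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_fixed_name_hardened(path: str, data: bytes) -> None:
    """Same fixed name, but refuse anything that already exists at it.
    O_CREAT|O_EXCL makes open() fail with EEXIST when the path exists (a symlink
    counts, wherever it points); O_NOFOLLOW additionally tells the kernel never to
    traverse a symlink at the final component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def write_unpredictable_name(prefix: str, suffix: str, data: bytes, tmpdir: str) -> str:
    """Preferred fix: mkstemp chooses a random name and creates it with O_EXCL and
    mode 0600 itself, so there is no name for anyone to pre-create."""
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=suffix, dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Stage the scenario in a private directory and report what each variant did."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        # A file the user owns; constructed stand-in for whatever a symlink might point at.
        victim = os.path.join(tmpdir, "victim.txt")
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")

        # The predictable name, already occupied by a symlink before the program runs.
        planted = os.path.join(tmpdir, "gnus.face.ppm")
        os.symlink(victim, planted)

        # 1. Vulnerable: the write goes through the symlink into victim.txt.
        write_fixed_name(planted, b"data the program meant for its temp file\n")
        with open(victim, "rb") as fh:
            results["vulnerable_overwrote_victim"] = fh.read() != b"original contents\n"

        # 2. Hardened fixed name: exclusive creation refuses the occupied path.
        try:
            write_fixed_name_hardened(planted, b"x")
            results["hardened_refused"] = False
        except OSError as exc:
            results["hardened_refused"] = exc.errno in (errno.EEXIST, errno.ELOOP)

        # 3. mkstemp: a fresh regular file, mode 0600, with a name nobody could guess.
        path = write_unpredictable_name("gnus.face.", ".ppm", b"face data\n", tmpdir)
        st = os.lstat(path)
        results["mkstemp_is_regular_file"] = os.path.isfile(path) and not os.path.islink(path)
        results["mkstemp_mode_is_0600"] = (st.st_mode & 0o777) == 0o600
        results["mkstemp_name_unpredictable"] = os.path.basename(path) != "gnus.face.ppm"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it on a POSIX system prints True for every key: the plain open silently rewrote the victim, the exclusive open raised EEXIST (or ELOOP, depending on how the platform reports the refused symlink), and the mkstemp file is a regular, owner-only file with a random name. The second and third variants are the checks to look for when reviewing any code that writes under a shared temporary directory.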
Using upstream pre-release packages for solving the xemacs packages security issues.

Arch teams, please stabilise:

app-xemacs/gnus-1.99
app-xemacs/mail-lib-1.83
app-xemacs/tramp-1.52

Keywords: alpha amd64 ppc ppc64 sparc x86
(In reply to Mats Lidell from comment #24)
> Using upstream pre-release packages for solving the xemacs packages security
> issues.
>
> Arch teams, please stabilise:
>
> app-xemacs/gnus-1.99
> app-xemacs/mail-lib-1.83
> app-xemacs/tramp-1.52
>
> Keywords: alpha amd64 ppc ppc64 sparc x86

Do we have any other packages to stabilize to fix this bug?
No, these three are the only remaining packages that need to be stabilized.
Stable on alpha.
x86 stable
Regarding GLSA vote, I vote NO.
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #33)
> Maintainer(s), please cleanup.

All vulnerable versions removed. Thanks matsl.
GLSA Vote: No
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No

No GLSA - Closing Bug as Resolved