
Bug 194713

Summary: app-editors/emacs-cvs, app-emacs/tramp: mktemp insecure file creation (CVE-2007-5377)
Product: Gentoo Security
Reporter: Ulrich Müller <ulm>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: emacs, xemacs
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00132.html
Whiteboard: B3? [glsa]
Package list:
Runtime testing required: ---

Description Ulrich Müller gentoo-dev 2007-10-04 14:38:21 UTC
According to http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00132.html there might be a "temp file hole" in Emacs functions tramp-make-temp-file and tramp-make-tramp-temp-file.

Affected ebuilds:

   =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot)
   =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked)
   =app-editors/emacs-cvs-23.0.50 (live CVS)
   =app-emacs/tramp-2.1.10-r1 (stable)

I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_ affected by the problem.
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-04 15:05:35 UTC
(In reply to comment #0)
>    =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot)

 Can be masked, we want it in the tree as reference because shortly after big changes were introduced into upstream's tree.  Patch it?

>    =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked)
>    =app-editors/emacs-cvs-23.0.50 (live CVS)

 Will regulate itself by upstream, we can do a revision bump to force users to upgrade.

>    =app-emacs/tramp-2.1.10-r1 (stable)

 Will be patched by us.
 
> I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_
> affected by the problem.

 And you even filed it faster than me! 

Here I propose B3 as severity, because confidential information can leak.
Comment 2 Ulrich Müller gentoo-dev 2007-10-06 16:29:24 UTC
Upstream has committed a patch to their CVS, and I have backported it to app-emacs/tramp-2.1.10 and app-editors/emacs-cvs-22.1.50_p20070829.

I still have to do some more testing, but I hope I can commit new ebuilds for both this evening.
Comment 3 Ulrich Müller gentoo-dev 2007-10-06 18:02:06 UTC
Current status:

=app-editors/emacs-cvs-22.1.50_p20070829
   fixed in -r1

=app-editors/emacs-cvs-23.0.0-r7
   live CVS, not yet fixed, hardmasked

=app-editors/emacs-cvs-23.0.50
   live CVS, was fixed by upstream
   security team: asking you for advice, is a revbump needed here?

=app-emacs/tramp-2.1.10-r1
   fixed in -r2


Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2
Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans>
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-06 21:30:06 UTC
(In reply to comment #3)
> Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2
> Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans>

ppc stable

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-06 21:52:41 UTC
x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-10-09 17:32:33 UTC
alpha/sparc stable
Comment 7 Mike Doty (RETIRED) gentoo-dev 2007-10-11 07:31:25 UTC
amd64 stable
Comment 8 Ulrich Müller gentoo-dev 2007-10-11 07:38:54 UTC
app-emacs/tramp-2.1.10-r1 removed.
Everything fixed (or hardmasked) now.
Comment 9 Matt Drew (RETIRED) gentoo-dev 2007-10-11 21:35:31 UTC
Your typical insecure temp file creation bug, I vote yes for GLSA.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-11 21:37:31 UTC
voting yes too, and request filed.
Comment 11 Ulrich Müller gentoo-dev 2007-10-11 21:51:54 UTC
Vulnerable versions:
app-emacs/tramp   <2.1.10-r2

Unaffected versions:
app-emacs/tramp   <2.1, >=2.1.10-r2

app-editors/emacs-cvs never had any stable version.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-20 21:24:53 UTC
GLSA 200710-22
Comment 13 Hans de Graaff gentoo-dev 2007-10-24 10:58:31 UTC
Just to be explicit about this: app-xemacs/tramp-1.37 is based on tramp 2.0.55 and thus not affected by this bug. When a new version of app-xemacs/tramp is generated upstream we (=xemacs herd) should check that this is not based on a version that has this issue.