Summary: | app-editors/emacs-cvs, app-emacs/tramp: mktemp insecure file creation (CVE-2007-5377) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Ulrich Müller <ulm> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | emacs, xemacs |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00132.html | ||
Whiteboard: | B3? [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Ulrich Müller
2007-10-04 14:38:21 UTC
(In reply to comment #0) > =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot) Can be masked, we want it in the tree as reference because shortly after big changes were introduced into upstream's tree. Patch it? > =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked) > =app-editors/emacs-cvs-23.0.50 (live CVS) Will regulate itself by upstream, we can do a revision bump to force users to upgrade. > =app-emacs/tramp-2.1.10-r1 (stable) Will be patched by us. > I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_ > affected by the problem. And you even filed it faster than me! Here I propose B3 as severity, because confidential information can leak. Upstream has committed a patch to their CVS, and I have backported it to app-emacs/tramp-2.1.10 and app-editors/emacs-cvs-22.1.50_p20070829. I still have to do some more testing, but I hope I can commit new ebuilds for both this evening. Current status: =app-editors/emacs-cvs-22.1.50_p20070829 fixed in -r1 =app-editors/emacs-cvs-23.0.0-r7 live CVS, not yet fixed, hardmasked =app-editors/emacs-cvs-23.0.50 live CVS, was fixed by upstream security team: asking you for advice, is a revbump needed here? =app-emacs/tramp-2.1.10-r1 fixed in -r2 Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2 Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans> (In reply to comment #3) > Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2 > Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans> ppc stable x86 stable alpha/sparc stable amd64 stable app-emacs/tramp-2.1.10-r1 removed. Everything fixed (or hardmasked) now. Your typical insecure temp file creation bug, I vote yes for GLSA. voting yes too, and request filed. Vulnerable versions: app-emacs-tramp <2.1.10-r2 Unaffected versions: app-emacs/tramp <2.1, >=2.1.10-r2 app-editors/emacs-cvs never had any stable version. GLSA 200710-22 Just to be explicit about this: app-xemacs/tramp-1.37 is based on tramp 2.0.55 and thus not affected by this bug. When a new version of app-xemacs/tramp is generated upstream we (=xemacs herd) should check that this is not based on a version that has this issue. |