|Summary:||app-editors/emacs-cvs, app-emacs/tramp: mktemp insecure file creation (CVE-2007-5377)|
|Product:||Gentoo Security||Reporter:||Ulrich Müller <ulm>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Ulrich Müller 2007-10-04 14:38:21 UTC
According to http://lists.gnu.org/archive/html/emacs-devel/2007-10/msg00132.html there might be a "temp file hole" in Emacs functions tramp-make-temp-file and tramp-make-tramp-temp-file. Affected ebuilds: =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot) =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked) =app-editors/emacs-cvs-23.0.50 (live CVS) =app-emacs/tramp-2.1.10-r1 (stable) I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_ affected by the problem.
Comment 1 Christian Faulhammer (RETIRED) 2007-10-04 15:05:35 UTC
(In reply to comment #0) > =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot) Can be masked, we want it in the tree as reference because shortly after big changes were introduced into upstream's tree. Patch it? > =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked) > =app-editors/emacs-cvs-23.0.50 (live CVS) Will regulate itself by upstream, we can do a revision bump to force users to upgrade. > =app-emacs/tramp-2.1.10-r1 (stable) Will be patched by us. > I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_ > affected by the problem. And you even filed it faster than me! Here I propose B3 as severity, because confidential information can leak.
Comment 2 Ulrich Müller 2007-10-06 16:29:24 UTC
Upstream has committed a patch to their CVS, and I have backported it to app-emacs/tramp-2.1.10 and app-editors/emacs-cvs-22.1.50_p20070829. I still have to do some more testing, but I hope I can commit new ebuilds for both this evening.
Comment 3 Ulrich Müller 2007-10-06 18:02:06 UTC
Current status: =app-editors/emacs-cvs-22.1.50_p20070829 fixed in -r1 =app-editors/emacs-cvs-23.0.0-r7 live CVS, not yet fixed, hardmasked =app-editors/emacs-cvs-23.0.50 live CVS, was fixed by upstream security team: asking you for advice, is a revbump needed here? =app-emacs/tramp-2.1.10-r1 fixed in -r2 Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2 Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans>
Comment 4 Tobias Scherbaum (RETIRED) 2007-10-06 21:30:06 UTC
(In reply to comment #3) > Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2 > Test plan: <http://overlays.gentoo.org/proj/emacs/wiki/test%20plans> ppc stable
Comment 5 Christian Faulhammer (RETIRED) 2007-10-06 21:52:41 UTC
Comment 6 Raúl Porcel (RETIRED) 2007-10-09 17:32:33 UTC
Comment 7 Mike Doty (RETIRED) 2007-10-11 07:31:25 UTC
Comment 8 Ulrich Müller 2007-10-11 07:38:54 UTC
app-emacs/tramp-2.1.10-r1 removed. Everything fixed (or hardmasked) now.
Comment 9 Matt Drew (RETIRED) 2007-10-11 21:35:31 UTC
Your typical insecure temp file creation bug, I vote yes for GLSA.
Comment 10 Pierre-Yves Rofes (RETIRED) 2007-10-11 21:37:31 UTC
voting yes too, and request filed.
Comment 11 Ulrich Müller 2007-10-11 21:51:54 UTC
Vulnerable versions: app-emacs-tramp <2.1.10-r2 Unaffected versions: app-emacs/tramp <2.1, >=2.1.10-r2 app-editors/emacs-cvs never had any stable version.
Comment 12 Pierre-Yves Rofes (RETIRED) 2007-10-20 21:24:53 UTC
Comment 13 Hans de Graaff 2007-10-24 10:58:31 UTC
Just to be explicit about this: app-xemacs/tramp-1.37 is based on tramp 2.0.55 and thus not affected by this bug. When a new version of app-xemacs/tramp is generated upstream we (=xemacs herd) should check that this is not based on a version that has this issue.