
Bug 325553 (CVE-2010-0825)

Summary: virtual/emacs: symlink attacks (CVE-2010-0825)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: emacs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.launchpad.net/ubuntu/+bug/531569
Whiteboard: A3 [invalid]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:25:48 UTC
CVE-2010-0825 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0825):
  lib-src/movemail.c in movemail in emacs 22 and 23 allows local users
  to read, modify, or delete arbitrary mailbox files via a symlink
  attack, related to improper file-permission checks.
Comment 1 Ulrich Müller gentoo-dev 2010-06-25 20:38:24 UTC
Since none of the Emacs ebuilds installs the movemail program with a setuid or setgid bit, we are not affected. See also Redhat's statement at NVD.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:37:03 UTC
CVE-2010-0825 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0825):
  lib-src/movemail.c in movemail in emacs 22 and 23 allows local users
  to read, modify, or delete arbitrary mailbox files via a symlink
  attack, related to improper file-permission checks.
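
The condition Comment 1 relies on (no movemail binary installed with a setuid or setgid bit) can be checked on a given system. The following is an added example, not part of the bug thread or of any Gentoo tooling; the function name `check_movemail` and the default search directories are assumptions.

```shell
#!/bin/sh
# Added example: report movemail binaries that carry a setuid or setgid bit.
# The default search roots below are assumptions; pass the directories
# your distribution actually installs Emacs helper programs into.

# check_movemail [DIR...]
# Prints one line per movemail binary found under the given directories.
# Returns 1 if any of them is setuid or setgid, 0 otherwise.
check_movemail() {
    [ "$#" -gt 0 ] || set -- /usr/libexec /usr/lib /usr/bin
    flagged=0
    # Missing directories make find exit non-zero; that is not an error here.
    list=$(find "$@" -type f -name movemail 2>/dev/null || true)
    # Feed the loop from a here-document so "flagged" is set in this shell
    # and not lost in a pipeline subshell.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        bits=""
        [ -u "$f" ] && bits="setuid"
        [ -g "$f" ] && bits="${bits:+$bits,}setgid"
        if [ -n "$bits" ]; then
            echo "PRIVILEGED ($bits): $f"
            flagged=1
        else
            echo "ok (no setuid/setgid): $f"
        fi
    done <<EOF
$list
EOF
    return "$flagged"
}
```

Calling `check_movemail` with no arguments scans the default roots; a non-zero return status means at least one movemail binary runs with elevated privileges and the package is worth a closer look.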