| Summary: | virtual/emacs: symlink attacks (CVE-2010-0825) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | emacs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugs.launchpad.net/ubuntu/+bug/531569 | | |
| Whiteboard: | A3 [invalid] | | |
| Package list: | | Runtime testing required: | --- |

Description
Stefan Behte (RETIRED)
2010-06-25 19:25:48 UTC
Since none of the Emacs ebuilds installs the movemail program with a setuid or setgid bit, we are not affected. See also Red Hat's statement at NVD.

CVE-2010-0825 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0825): lib-src/movemail.c in movemail in emacs 22 and 23 allows local users to read, modify, or delete arbitrary mailbox files via a symlink attack, related to improper file-permission checks.