Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 194713 - app-editors/emacs-cvs, app-emacs/tramp: mktemp insecure file creation (CVE-2007-5377)
Summary: app-editors/emacs-cvs, app-emacs/tramp: mktemp insecure file creation (CVE-20...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3? [glsa]
Depends on:
Reported: 2007-10-04 14:38 UTC by Ulrich Müller
Modified: 2011-01-18 11:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2007-10-04 14:38:21 UTC
According to there might be a "temp file hole" in Emacs functions tramp-make-temp-file and tramp-make-tramp-temp-file.

Affected ebuilds:

   =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot)
   =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked)
   =app-editors/emacs-cvs-23.0.50 (live CVS)
   =app-emacs/tramp-2.1.10-r1 (stable)

I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_ affected by the problem.
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-04 15:05:35 UTC
(In reply to comment #0)
>    =app-editors/emacs-cvs-22.1.50_p20070829 (CVS snapshot)

 Can be masked, we want it in the tree as reference because shortly after big changes were introduced into upstream's tree.  Patch it?

>    =app-editors/emacs-cvs-23.0.0-r7 (live CVS, hardmasked)
>    =app-editors/emacs-cvs-23.0.50 (live CVS)

 Will regulate itself by upstream, we can do a revision bump to force users to upgrade.

>    =app-emacs/tramp-2.1.10-r1 (stable)

 Will be patched by us.
> I have verified that app-editors/emacs and <app-emacs/tramp-2.1 are _not_
> affected by the problem.

 And you even filed it faster than me! 

Here I propose B3 as severity, because confidential information can leak.
Comment 2 Ulrich Müller gentoo-dev 2007-10-06 16:29:24 UTC
Upstream has committed a patch to their CVS, and I have backported it to app-emacs/tramp-2.1.10 and app-editors/emacs-cvs-22.1.50_p20070829.

I still have to do some more testing, but I hope I can commit new ebuilds for both this evening.
Comment 3 Ulrich Müller gentoo-dev 2007-10-06 18:02:06 UTC
Current status:

   fixed in -r1

   live CVS, not yet fixed, hardmasked

   live CVS, was fixed by upstream
   security team: asking you for advice, is a revbump needed here?

   fixed in -r2

Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2
Test plan: <>
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-06 21:30:06 UTC
(In reply to comment #3)
> Arch teams: Please stabilise app-emacs/tramp-2.1.10-r2
> Test plan: <>

ppc stable

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-06 21:52:41 UTC
x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-10-09 17:32:33 UTC
alpha/sparc stable
Comment 7 Mike Doty (RETIRED) gentoo-dev 2007-10-11 07:31:25 UTC
amd64 stable
Comment 8 Ulrich Müller gentoo-dev 2007-10-11 07:38:54 UTC
app-emacs/tramp-2.1.10-r1 removed.
Everything fixed (or hardmasked) now.
Comment 9 Matt Drew (RETIRED) gentoo-dev 2007-10-11 21:35:31 UTC
Your typical insecure temp file creation bug, I vote yes for GLSA.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-11 21:37:31 UTC
voting yes too, and request filed.
Comment 11 Ulrich Müller gentoo-dev 2007-10-11 21:51:54 UTC
Vulnerable versions:
app-emacs-tramp   <2.1.10-r2

Unaffected versions:
app-emacs/tramp   <2.1, >=2.1.10-r2

app-editors/emacs-cvs never had any stable version.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-20 21:24:53 UTC
GLSA 200710-22
Comment 13 Hans de Graaff gentoo-dev 2007-10-24 10:58:31 UTC
Just to be explicit about this: app-xemacs/tramp-1.37 is based on tramp 2.0.55 and thus not affected by this bug. When a new version of app-xemacs/tramp is generated upstream we (=xemacs herd) should check that this is not based on a version that has this issue.