Bug 216880 - app-editors/emacs vcdiff insecure temporary file creation (CVE-2008-1694)
Summary: app-editors/emacs vcdiff insecure temporary file creation (CVE-2008-1694)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Reported: 2008-04-08 15:05 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-29 13:09 UTC
Attachments
emacs-vcsdiff-tmp-race.patch (emacs-vcsdiff-tmp-race.patch,831 bytes, patch)
2008-04-08 15:07 UTC, Robert Buchholz (RETIRED)
Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 15:05:19 UTC
Steve Grubb of Red Hat discovered that the vcdiff script as shipped with Emacs
(confirmed in versions 20.7 to 22.1.50) uses temporary files insecurely,
which makes it possible for a local attacker to conduct a symlink attack and
make the victim overwrite an arbitrary file.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 15:07:14 UTC
This issue is under embargo until April 11th. I don't think we need to prestable this, but please prepare an ebuild to be committed on that date.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 15:07:43 UTC
Created attachment 149105 [details, diff]
emacs-vcsdiff-tmp-race.patch
Comment 3 Ulrich Müller gentoo-dev 2008-04-08 16:01:00 UTC
app-editors/xemacs is also affected.
Comment 4 Hans de Graaff gentoo-dev 2008-04-09 06:33:48 UTC
According to the documentation this file is only used with SCCS, so you have to wonder how many people will still be bitten by this.

In any case I've prepared a patched xemacs-21.4.21-r1
Comment 5 Ulrich Müller gentoo-dev 2008-04-09 12:14:34 UTC
(In reply to comment #4)
> According to the documentation this file is only used with SCCS, so you have
> to wonder how many people will still be bitten by this.

Seems it is still used at Red Hat. ;-)

Anyhow, ebuilds for patched GNU Emacs 21 and 22 are ready.
Emacs 18 is not affected.
Comment 6 Ulrich Müller gentoo-dev 2008-04-11 14:00:39 UTC
Fixed versions for GNU Emacs committed:
   emacs-21.4-r15
   emacs-22.1-r4
   emacs-22.2-r1

I've committed 21.4-r15 and 22.1-r4 straight to stable, since there seems to be no sensible way how arch teams could test vcdiff (we don't have SCCS, and vcdiff doesn't work with dev-util/cssc).

Concerning comment 4, I'd like to propose that the severity is decreased to B3, because only a tiny fraction of users will be affected by this issue.
Comment 7 Hans de Graaff gentoo-dev 2008-04-11 14:19:35 UTC
app-editors/xemacs-21.4.21-r1 is now in the tree, and based on Ulrich's reasoning in comment 6 I've also committed straight to stable.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-04-11 14:45:37 UTC
It's a vote. Considering we have no way to use it, I'd consider it lower priority than other vulnerabilities of the same type. So, I'd go over NO.
Comment 9 Ulrich Müller gentoo-dev 2008-04-13 10:49:46 UTC
The live ebuilds in app-editors/emacs-cvs (nothing stable there) still suffer from this, and I am waiting for upstream fixing it.

Upstream has been informed of the issue, I suppose?
Comment 10 Ulrich Müller gentoo-dev 2008-04-19 08:24:55 UTC
(In reply to comment #9)
> The live ebuilds in app-editors/emacs-cvs (nothing stable there) still suffer
> from this, and I am waiting for upstream fixing it.

Fixed upstream:

2008-04-18  Steve Grubb  <sgrubb@redhat.com>  (tiny change)

        * vcdiff: Use mktemp (CVE-2008-1694).
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-04-21 08:24:30 UTC
Forgot to say, Fixed in release snapshot.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-29 13:09:36 UTC
thought I did already... but also voting no here
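
The class of bug described in this report and the mktemp fix quoted in comment 10, as an added example that is not the vcdiff script or the attached patch. The file names, the `demo` helper and the scratch directory are constructed for illustration; the planted symlink stands in for one left by another local user.

```shell
#!/bin/sh
# Constructed demo: everything happens inside a private scratch directory.

# Pre-fix pattern: the name is built from the PID, so it can be guessed in
# advance, and ">" follows whatever already sits at that path.
write_predictable() {            # $1 = directory, $2 = data
    tmp="$1/scratch.$$"
    printf '%s\n' "$2" > "$tmp"
}

# Fixed pattern: mktemp chooses a random name and creates the file with
# O_EXCL, so an existing file or symlink is never opened.
write_mktemp() {                 # $1 = directory, $2 = data
    tmp=$(mktemp "$1/scratch.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
}

# Returns "<victim after predictable write>|<victim after mktemp write>".
demo() {
    dir=$(mktemp -d) || return 1
    printf 'original\n' > "$dir/victim"
    # Stand-in for a symlink left at the guessable name by another local user.
    ln -s "$dir/victim" "$dir/scratch.$$"
    write_predictable "$dir" "diff output"
    first=$(cat "$dir/victim")
    printf 'original\n' > "$dir/victim"
    write_mktemp "$dir" "diff output" || return 1
    second=$(cat "$dir/victim")
    rm -rf "$dir"
    printf '%s|%s\n' "$first" "$second"
}

demo
```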