CVE-2017-1000383 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000383):

GNU Emacs version 25.3.1 (and other versions most likely) ignores umask when creating a backup save file ("[ORIGINAL_FILENAME]~") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the emacs binary.

References:

http://www.openwall.com/lists/oss-security/2017/10/31/1

@ Maintainer(s): Please confirm which versions in the tree are vulnerable.
I cannot reproduce this:

$ umask 077
$ echo hallo >foo
$ ls -l foo
-rw------- 1 ulm users 6 Nov 2 06:52 foo
$ emacs -Q foo
$ ls -l foo foo~
-rw------- 1 ulm users 7 Nov 2 06:52 foo
-rw------- 1 ulm users 6 Nov 2 06:52 foo~
$ emacs --version
GNU Emacs 25.3.1
Copyright (C) 2017 Free Software Foundation, Inc.
GNU Emacs comes with ABSOLUTELY NO WARRANTY.
You may redistribute copies of GNU Emacs
under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYING.
(In reply to Aleksandr Wagner (Kivak) from comment #0)
> References:
>
> http://www.openwall.com/lists/oss-security/2017/10/31/1

This seems to be about vim, not emacs?

> @ Maintainer(s): Please confirm which versions in the tree are vulnerable.

Tested with:
app-editors/emacs-18.59-r11
app-editors/emacs-23.4-r16
app-editors/emacs-24.5-r4
app-editors/emacs-25.3
app-editors/emacs-vcs-26.0.90

All of them appear to work as intended, i.e. I cannot reproduce claimed behaviour with any of them.
With this scenario I'm seeing something different:

$ touch file
$ ls -l file
-rw-r--r-- 1 graaff users 0 Nov 2 07:03 file
$ umask 077
$ emacs file
$ ls -l
total 1.0K
-rw-r--r-- 1 graaff users 2 Nov 2 07:03 file
-rw-r--r-- 1 graaff users 0 Nov 2 07:03 file.~1~

Still, this is not a bug, given that conceptually no new file has been created. Letting existing files (and their backups) keep the original permissions even when umask changes seems to be the right thing to do.
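
Added example, not part of the bug thread or of Emacs: a shell check that lists backup files of the two forms seen above ("foo~" and "file.~1~") whose mode grants permission bits the original file lacks, which is the condition the CVE text describes. The function name audit_backups is chosen here, and GNU stat (-c %a) is assumed.

```shell
#!/bin/sh
# Added example: report editor backup files that are more permissive than
# the file they were made from. Assumes GNU coreutils stat (-c %a).
# audit_backups is a name chosen for this example.
audit_backups() {
    dir=$1
    find "$dir" -type f -name '*~' | while IFS= read -r b; do
        case $b in
            *.~[0-9]*~) orig=${b%.~*~} ;;   # numbered backup: file.~1~
            *)          orig=${b%"~"} ;;    # simple backup:   foo~
        esac
        bmode=$(stat -c %a "$b") || continue
        if [ -f "$orig" ]; then
            omode=$(stat -c %a "$orig") || continue
            shown=$omode
        else
            # Original is gone: treat any group/other access as excess.
            omode=700
            shown=missing
        fi
        # Bits set on the backup that are not set on the original.
        extra=$(( 0$bmode & ~0$omode & 07777 ))
        if [ "$extra" -ne 0 ]; then
            printf '%s %s %s %s\n' "$b" "$bmode" "$orig" "$shown"
        fi
    done
}

# Stand-alone use: ./audit.sh DIRECTORY
if [ "$#" -gt 0 ]; then
    audit_backups "$1"
fi
```

Each output line gives the backup path, its mode, the original path and the original's mode; a backup with the same mode as its original, as in both sessions above, produces no output.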