CVE-2008-1694: vcdiff insecure temporary file

Related Vulnerabilities: CVE-2008-1694  

Debian Bug report logs - #476611
CVE-2008-1694: vcdiff insecure temporary file


Package: emacs22; Maintainer for emacs22 is Rob Browning <rlb@defaultvalue.org>; Source for emacs22 is src:emacs (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 17 Apr 2008 22:06:13 UTC

Severity: important

Tags: fixed-upstream, security

Found in version emacs22/22.2+1-1

Fixed in version emacs22/22.2+2-2

Done: Rob Browning <rlb@defaultvalue.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#476611; Package emacs22.


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Rob Browning <rlb@defaultvalue.org>.


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-1694: vcdiff insecure temporary file
Date: Fri, 18 Apr 2008 00:00:45 +0200
Package: emacs22
Version: 22.2+1-1
Severity: important
Tags: security

This was brought to our attention by Red Hat on vendor-sec:

Steve Grubb of Red Hat discovered that the vcdiff script as shipped with Emacs
(confirmed in versions 20.7 to 22.1.50) uses temporary files insecurely,
which makes it possible for a local attacker to conduct a symlink attack and
make the victim overwrite an arbitrary file.

diff -ur emacs-21.4.orig/lib-src/vcdiff emacs-21.4/lib-src/vcdiff
--- emacs-21.4.orig/lib-src/vcdiff      2006-09-28 12:07:51.000000000 -0400
+++ emacs-21.4/lib-src/vcdiff   2006-09-28 15:58:53.000000000 -0400
@@ -86,14 +86,14 @@
        case $f in
        s.* | */s.*)
                if
-                       rev1=/tmp/geta$$
+                       rev1=`mktemp /tmp/geta.XXXXXXXX`
                        get -s -p -k $sid1 "$f" > $rev1 &&
                        case $sid2 in
                        '')
                                workfile=`expr " /$f" : '.*/s.\(.*\)'`
                                ;;
                        *)
-                               rev2=/tmp/getb$$
+                               rev2=`mktemp /tmp/getb.XXXXXXXX`
                                get -s -p -k $sid2 "$f" > $rev2
                                workfile=$rev2
                        esac
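
Review bot: The exit status of mktemp is never checked on the new rev1 and rev2 assignments, so if mktemp fails the variable is empty and the unquoted redirect on the following get line (> $rev1, > $rev2) has no target. Chain each assignment to its use with &&, so that a failed mktemp makes the if condition fail instead of falling through, and quote the variable in the redirect ("$rev1", "$rev2"). The templates also hard-code /tmp; if the script is meant to honour TMPDIR, the template argument is where that belongs.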
 
 


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages emacs22 depends on:
ii  emacs22-bin-common     22.2+1-1          The GNU Emacs editor's shared, arc
ii  libasound2             1.0.16-2          ALSA library
ii  libc6                  2.7-10            GNU C Library: Shared libraries
ii  libice6                2:1.0.4-1         X11 Inter-Client Exchange library
ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG 
ii  libncurses5            5.6+20080405-1    Shared libraries for terminal hand
ii  libpng12-0             1.2.15~beta5-3    PNG library - runtime
ii  libsm6                 2:1.0.3-1+b1      X11 Session Management library
ii  libtiff4               3.8.2-8           Tag Image File Format (TIFF) libra
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxext6               2:1.0.4-1         X11 miscellaneous extension librar
ii  libxmu6                2:1.0.4-1         X11 miscellaneous utility library
ii  libxpm4                1:3.5.7-1         X11 pixmap library
ii  libxt6                 1:1.0.5-3         X11 toolkit intrinsics library
ii  xaw3dg                 1.5+E-15          Xaw3d widget set
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

emacs22 recommends no packages.

-- no debconf information
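
A check for the pattern this report describes, as an added example that is not part of the original bug report or of Emacs: it flags shell lines that build a path under a shared temporary directory from `$$` (the process ID), as the pre-patch `rev1=/tmp/geta$$` does. The function names `audit_pid_tmp` and `write_samples` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# audit_pid_tmp FILE...
# Prints "file:line:text" for each non-comment line that names a path under
# /tmp, /var/tmp or $TMPDIR containing $$ or ${$}. Such names are predictable,
# so another local user can pre-create them as symlinks.
# Returns 0 if at least one finding was printed, 1 if none (grep semantics).
audit_pid_tmp() {
    grep -nHE '(/tmp|/var/tmp|\$\{?TMPDIR\}?)/[^[:space:];|&]*\$(\$|\{\$\})' "$@" |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# write_samples DIR
# Constructed sample input: the assignments from the vcdiff hunk, before and
# after the fix, plus a comment line that must not be reported.
write_samples() {
    dir=$1
    cat > "$dir/before.sh" <<'EOF'
# old: rev1=/tmp/geta$$
rev1=/tmp/geta$$
rev2=/tmp/getb$$
EOF
    cat > "$dir/after.sh" <<'EOF'
rev1=`mktemp /tmp/geta.XXXXXXXX`
rev2=`mktemp /tmp/getb.XXXXXXXX`
EOF
}

# With arguments, audit those files; without, run on the constructed samples.
if [ "$#" -gt 0 ]; then
    audit_pid_tmp "$@"
else
    demo=$(mktemp -d) && write_samples "$demo"
    audit_pid_tmp "$demo"/*.sh
    rm -rf "$demo"
fi
```

Run it over a tree with something like `find . -name '*.sh' -exec sh audit.sh {} +`; each hit still needs a manual look, since the match is purely textual.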




Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#476611; Package emacs22.


Acknowledgement sent to Romain Francoise <romain@orebokech.com>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.


Message #10 received at 476611@bugs.debian.org:

From: Romain Francoise <romain@orebokech.com>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 476611@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#476611: CVE-2008-1694: vcdiff insecure temporary file
Date: Fri, 18 Apr 2008 20:29:28 +0200
tags 476611 fixed-upstream
quit

Moritz Muehlenhoff <jmm@debian.org> writes:

> Steve Grubb of Red Hat discovered that the vcdiff script as shipped with Emacs
> (confirmed in versions 20.7 to 22.1.50) uses temporary files insecurely,
> which makes it possible for a local attacker to conduct a symlink attack and
> make the victim overwrite an arbitrary file.

Thanks for the report; patch merged upstream in the Emacs 22 release
branch and the trunk.




Tags added: fixed-upstream Request was from Romain Francoise <romain@orebokech.com> to control@bugs.debian.org. (Fri, 18 Apr 2008 18:33:03 GMT)


Reply sent to Rob Browning <rlb@defaultvalue.org>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.


Message #17 received at 476611-close@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: 476611-close@bugs.debian.org
Subject: Bug#476611: fixed in emacs22 22.2+2-2
Date: Sun, 27 Apr 2008 06:32:07 +0000
Source: emacs22
Source-Version: 22.2+2-2

We believe that the bug you reported is fixed in the latest version of
emacs22, which is due to be installed in the Debian FTP archive:

emacs22-bin-common_22.2+2-2_i386.deb
  to pool/main/e/emacs22/emacs22-bin-common_22.2+2-2_i386.deb
emacs22-common_22.2+2-2_all.deb
  to pool/main/e/emacs22/emacs22-common_22.2+2-2_all.deb
emacs22-el_22.2+2-2_all.deb
  to pool/main/e/emacs22/emacs22-el_22.2+2-2_all.deb
emacs22-gtk_22.2+2-2_i386.deb
  to pool/main/e/emacs22/emacs22-gtk_22.2+2-2_i386.deb
emacs22-nox_22.2+2-2_i386.deb
  to pool/main/e/emacs22/emacs22-nox_22.2+2-2_i386.deb
emacs22_22.2+2-2.diff.gz
  to pool/main/e/emacs22/emacs22_22.2+2-2.diff.gz
emacs22_22.2+2-2.dsc
  to pool/main/e/emacs22/emacs22_22.2+2-2.dsc
emacs22_22.2+2-2_i386.deb
  to pool/main/e/emacs22/emacs22_22.2+2-2_i386.deb
emacs_22.2+2-2_all.deb
  to pool/main/e/emacs22/emacs_22.2+2-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 476611@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <rlb@defaultvalue.org> (supplier of updated emacs22 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 26 Apr 2008 22:02:40 -0700
Source: emacs22
Binary: emacs emacs22 emacs22-nox emacs22-gtk emacs22-bin-common emacs22-common emacs22-el
Architecture: source all i386
Version: 22.2+2-2
Distribution: unstable
Urgency: medium
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Rob Browning <rlb@defaultvalue.org>
Description: 
 emacs      - The GNU Emacs editor (metapackage)
 emacs22    - The GNU Emacs editor
 emacs22-bin-common - The GNU Emacs editor's shared, architecture dependent files
 emacs22-common - The GNU Emacs editor's shared, architecture independent infrastru
 emacs22-el - GNU Emacs LISP (.el) files
 emacs22-gtk - The GNU Emacs editor (with GTK user interface)
 emacs22-nox - The GNU Emacs editor (without X support)
Closes: 448391 476611 477215
Changes: 
 emacs22 (22.2+2-2) unstable; urgency=medium
 .
   * Fix debian-expand-file-name-dfsg and describe-gnu-project (C-h C-p).
     Thanks to Valery V. Vorotyntsev <valery.vv@gmail.com>.
     (closes: #448391, #477215)
 .
   * Fix an insecurity in vcdiff's temporary file handling
     (CVE-2008-1694). Thanks to Moritz Muehlenhoff <jmm@debian.org> and
     Steve Grubb. (closes: #476611)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 13 Jun 2008 07:27:33 GMT)

