From: Glenn Morris
To: 17416@debbugs.gnu.org
Subject: bug#17416: insecure temp files in ob-screen.el
Date: Tue, 06 May 2014 00:14:36 -0400
Message-ID: <61ljbl1v.fsf@fencepost.gnu.org>

Package: emacs,org-mode
Version: 24.3.90
Severity: important
Tags: security

org-babel-screen-session-write-temp-file and org-babel-screen-test seem
to use predictable temp-file names, which is a security issue. Using
`make-temp-file', or if the file names really need to be predictable,
something equivalent to `doc-view-make-safe-dir' (there should really be
a general utility function for this IMO) to first create a /tmp
subdirectory would avoid this.


From: Eric Schulte
To: Glenn Morris
Cc: 17416@debbugs.gnu.org
Subject: bug#17416: [O] bug#17416: insecure temp files in ob-screen.el
Date: Wed, 07 May 2014 05:35:37 -0400
In-Reply-To: <61ljbl1v.fsf@fencepost.gnu.org>
Message-ID: <87vbthm5pe.fsf@gmail.com>

Glenn Morris writes:

> Package: emacs,org-mode
> Version: 24.3.90
> Severity: important
> Tags: security
>
> org-babel-screen-session-write-temp-file and org-babel-screen-test seem
> to use predictable temp-file names, which is a security issue. Using
> `make-temp-file', or if the file names really need to be predictable,
> something equivalent to `doc-view-make-safe-dir' (there should really be
> a general utility function for this IMO) to first create a /tmp
> subdirectory would avoid this.
>

I just pushed up a fix for this issue. Thanks,

-- 
Eric Schulte
https://cs.unm.edu/~eschulte
PGP: 0x614CA05D


From: Glenn Morris
To: Eric Schulte
Cc: 17416@debbugs.gnu.org
Subject: bug#17416: [O] bug#17416: insecure temp files in ob-screen.el
Date: Thu, 08 May 2014 03:04:01 -0400
References: <61ljbl1v.fsf@fencepost.gnu.org> <87vbthm5pe.fsf@gmail.com>

Eric Schulte wrote:

>> org-babel-screen-session-write-temp-file and org-babel-screen-test seem
>> to use predictable temp-file names, which is a security issue. Using
>> `make-temp-file', or if the file names really need to be predictable,
>> something equivalent to `doc-view-make-safe-dir' (there should really be
>> a general utility function for this IMO) to first create a /tmp
>> subdirectory would avoid this.
>
> I just pushed up a fix for this issue. Thanks,

If you mean

http://orgmode.org/cgit.cgi/org-mode.git/commit/?id=fea672d30ef4701721c0d4aa70462760a6b21be7

then there's still org-babel-screen-test.

(These are definitely fixes that need merging into the emacs-24 branch.
IIUC this means they need to be in your maint branch?)


From: Eric Schulte
To: Glenn Morris
Cc: 17416@debbugs.gnu.org, Eric Schulte
Subject: bug#17416: [O] bug#17416: insecure temp files in ob-screen.el
Date: Thu, 08 May 2014 12:20:23 -0600
References: <61ljbl1v.fsf@fencepost.gnu.org> <87vbthm5pe.fsf@gmail.com>
Message-ID: <87a9asku8o.fsf@gmail.com>

Glenn Morris writes:

> Eric Schulte wrote:
>
>>> org-babel-screen-session-write-temp-file and org-babel-screen-test seem
>>> to use predictable temp-file names, which is a security issue. Using
>>> `make-temp-file', or if the file names really need to be predictable,
>>> something equivalent to `doc-view-make-safe-dir' (there should really be
>>> a general utility function for this IMO) to first create a /tmp
>>> subdirectory would avoid this.
>>
>> I just pushed up a fix for this issue. Thanks,
>
> If you mean
>
> http://orgmode.org/cgit.cgi/org-mode.git/commit/?id=fea672d30ef4701721c0d4aa70462760a6b21be7
>
> then there's still org-babel-screen-test.
>

Fixed.

>
> (These are definitely fixes that need merging into the emacs-24 branch.
> IIUC this means they need to be in your maint branch?)

Cherrypicked into maint.

Thanks,

-- 
Eric Schulte
https://cs.unm.edu/~eschulte
PGP: 0x614CA05D


From: Glenn Morris
Subject: control message for bug 17416
Date: Mon, 12 May 2014 02:11:35 -0400

close 17416 24.3.91
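
The two remedies suggested in the report, sketched in Emacs Lisp as an added example; this is not the ob-screen.el source or the fix that was committed. Every `my/` name, the `my-screen-` prefix and the directory layout are hypothetical.

```elisp
;;; Added illustration (constructed); every `my/' name is hypothetical.

;; Weak pattern: the path depends only on SESSION, inside a shared directory,
;; so another local user can create that path (or a symlink there) first.
(defun my/write-session-file-predictable (session body)
  (let ((file (concat "/tmp/my-screen-session-" session)))
    (with-temp-file file (insert body))
    file))

;; Remedy 1: `make-temp-file' appends random characters to the prefix and
;; creates the file itself, so the name returned is always a brand-new file.
(defun my/write-session-file (body)
  (let ((file (make-temp-file "my-screen-")))
    (with-temp-file file (insert body))
    file))

;; Remedy 2, for names that must stay predictable: keep them inside a
;; per-user directory that is created private, or verified if it exists.
(defun my/make-private-dir (dir)
  "Create DIR with mode 0700, or check that an existing DIR is safe to use."
  (condition-case nil
      (with-file-modes #o700 (make-directory dir))
    (file-already-exists
     (let ((attrs (file-attributes dir 'integer)))
       ;; Type t means a real directory; a symlink has a string type here.
       (unless (and (eq (file-attribute-type attrs) t)
                    (= (file-attribute-user-id attrs) (user-uid))
                    (zerop (logand (file-modes dir) #o077)))
         (error "Refusing to use unsafe directory: %s" dir)))))
  dir)

(defun my/write-session-file-in-private-dir (session body)
  (let* ((dir (my/make-private-dir
               (expand-file-name (format "my-screen-%d" (user-uid))
                                 temporary-file-directory)))
         ;; Replace path separators and the like so SESSION cannot leave DIR.
         (name (concat "session-"
                       (replace-regexp-in-string "[^[:alnum:]_-]" "_" session)))
         (file (expand-file-name name dir)))
    (with-temp-file file (insert body))
    file))
```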