GNU bug report logs - #27986
26.0.50; `rename-file' can rename files without confirmation

Previous Next

Package: emacs;

Reported by: Philipp <p.stephani2 <at> gmail.com>

Date: Sun, 6 Aug 2017 15:41:02 UTC

Severity: important

Tags: security

Found in version 26.0.50

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Full log

Message #14 received at 27986 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: Philipp <p.stephani2 <at> gmail.com>, 27986 <at> debbugs.gnu.org
Subject: Re: bug#27986: 26.0.50; 'rename-file' can rename files without
 confirmation
Date: Sun, 13 Aug 2017 15:42:05 -0700

[Message part 1 (text/plain, inline)]
Paul Eggert wrote:
> there are races on GNU/Linux which can lead to potential security problems. 
> Perhaps we can't fix these races on MS-Windows but we should be able to fix them 
> on a GNUish host. However, we will need to change the semantics of rename-file 
> etc. slightly, since no single system call supports the cp-like target rewriting 
> of these functions. I have a fix in mind to do that in a hopefully 
> compatible-enough way, which I'll try to propose soon. I'll keep 
> case-insensitive file systems in mind when I do that.

Attached is a proposed patch to fix this security problem. If I understand 
things correctly, the fix should work on MS-Windows and on case-insensitive file 
systems. Since this patch entails an incompatible change to the (undocumented) 
behavior of (rename-file A B) when B is a directory but is not a directory name, 
I'll mention the proposed change on emacs-devel.

[0001-Fix-race-with-rename-file-etc.-with-dir-NEWNAME.patch (text/x-patch, attachment)]
This bug report was last modified 7 years and 257 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.