From: Glenn Morris
To: submit@debbugs.gnu.org
Subject: CVE-2017-1000383: umask and backup files
Date: Mon, 06 Nov 2017 16:56:18 -0500

Package: emacs
Version: 25.3
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000383

    GNU Emacs version 25.3.1 (and other versions most likely) ignores
    umask when creating a backup save file ("[ORIGINAL_FILENAME]~")
    resulting in files that may be world readable or otherwise
    accessible in ways not intended by the user running the emacs
    binary.

[I'm not sure why this apparently hasn't been reported here before now?]


From: Glenn Morris
To: 29182@debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Mon, 06 Nov 2017 20:57:26 -0500
Message-ID: <6tefpag8ah.fsf@fencepost.gnu.org>

I think the actual complaint appears at

http://seclists.org/oss-sec/2017/q4/159

and could be summarized as "if you create a file, then make your umask
more restrictive, then edit it with Emacs, the backup file inherits the
same permissions as the original file, not the more restrictive umask
permissions". Eg:

    umask 002
    touch foo
    ls -l foo      # -> -rw-rw-r--
    umask 007
    emacs-25.3 -Q foo
    (make some changes and save)
    touch foo2
    ls -l foo*
    foo   -rw-rw-r--.
    foo~  -rw-rw-r--.
    foo2  -rw-rw----.

(With backup-by-copying non-nil, the result is the same.)

I don't really know what my opinion of this issue is... I imagine I
would have made the same reply as

http://seclists.org/oss-sec/2017/q4/184

    [Emacs] copies the permission from the file being edited. Although
    the [backup] file is readable by others this does not leak any
    information here, since the file being edited is already readable
    by others.

but this is dismissed with:

    ...it doesn't matter because a security assertion made via umask is
    being violated, so it wins a CVE. Also for example if you later
    delete that file and think you're safe the copy is still floating
    around world readable. Or you have something indexing the files and
    ignoring that file type, and the [~] gets indexed, and so on.

Anyway, you can probably find every shade of opinion on what to do about
this already expressed in that oss-sec thread or the related vim one.
I think I've found it useful many, many times that ~ files have the same
permissions as the originals.


From: Glenn Morris
To: 29182@debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Tue, 07 Nov 2017 14:29:25 -0500
In-Reply-To: <6tefpag8ah.fsf@fencepost.gnu.org>

One solution is to put backup files in a single (private) location,
rather than alongside the original file. This is achievable in Emacs
with eg

    (setq backup-directory-alist
          '(("\\`/[^/|:][^/|]*:")          ; remote (/host:...) files: backup stays with the file
            ("." . "~/.emacs.d/backups"))) ; everything else goes to the private directory

where ~/.emacs.d/backups is created mode 700. I've used this in my
personal config for years.

A very brief search suggests that this seems to be what newer editors
(eg LibreOffice) do for backup files.
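The transcript in the 06 Nov message and the private-backup-directory mitigation above, replayed as an added Python example that is not from this thread or from Emacs itself: it emulates a backup that copies the original's permission bits against one created fresh under the umask, scans a directory for ~ files wider than the umask would allow, and creates the mode-700 backup directory. File and directory names are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile


def backup_by_copying_mode(src, dst):
    """Emulate the behaviour described in the report: the backup ends up
    with the original file's permission bits regardless of the umask."""
    shutil.copyfile(src, dst)   # dst is created under the current umask ...
    shutil.copymode(src, dst)   # ... and then its mode is overwritten with src's
    return stat.S_IMODE(os.stat(dst).st_mode)


def backup_under_umask(src, dst):
    """Create the backup as a fresh file so the umask is honoured:
    0o666 is requested and the kernel clears the umask bits."""
    with open(src, "rb") as f:
        data = f.read()
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(dst).st_mode)


def find_leaky_backups(directory, umask):
    """Defender's check: return (name, mode) for every ~ file in
    `directory` whose mode has bits set that `umask` would have cleared."""
    leaks = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith("~"):
            continue
        mode = stat.S_IMODE(os.lstat(os.path.join(directory, name)).st_mode)
        if mode & umask:
            leaks.append((name, oct(mode)))
    return leaks


def make_private_backup_dir(base):
    """The mitigation from the thread: a mode-700 directory for backups.
    A requested 0o700 survives any umask, since umask only clears bits."""
    path = os.path.join(base, "backups")
    os.mkdir(path, 0o700)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Replay the transcript: umask 002, create foo; umask 007, back it up."""
    workdir = tempfile.mkdtemp()          # constructed scratch directory
    saved_umask = os.umask(0o002)
    try:
        foo = os.path.join(workdir, "foo")
        with open(foo, "w") as f:
            f.write("secret\n")           # created -rw-rw-r-- (0o664)
        os.umask(0o007)                   # the user tightens the umask
        inherited = backup_by_copying_mode(foo, foo + "~")               # 0o664
        fresh = backup_under_umask(foo, os.path.join(workdir, "foo2~"))  # 0o660
        leaks = find_leaky_backups(workdir, 0o007)   # only foo~ is flagged
        private = make_private_backup_dir(workdir)   # 0o700
    finally:
        os.umask(saved_umask)
        shutil.rmtree(workdir)
    return {"inherited": inherited, "fresh": fresh,
            "leaks": leaks, "backup_dir": private}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```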
From: Glenn Morris
To: 29182@debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Mon, 13 Nov 2017 17:04:55 -0500

Rightly or wrong, distributions etc pay attention to CVEs, so I think
an official response from Emacs on this issue would be good.

(My personal favourite is
https://security-tracker.debian.org/tracker/CVE-2017-1000383 )


From: Eli Zaretskii
To: Glenn Morris
Cc: 29182@debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Tue, 14 Nov 2017 17:24:45 +0200
Message-Id: <834lpwlw76.fsf@gnu.org>

> From: Glenn Morris
> Date: Mon, 13 Nov 2017 17:04:55 -0500
>
> Rightly or wrong, distributions etc pay attention to CVEs, so I think
> an official response from Emacs on this issue would be good.

I'm not sure how we should provide an official response there. The list
there is mostly of issues with very old versions, and there's a
reference to bug reports which were closed. What else is needed? And
what's the procedure?


From: Stefan Kangas
To: Eli Zaretskii
Cc: Glenn Morris, 29182@debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Sun, 6 Oct 2019 06:08:56 +0200

Eli Zaretskii writes:

>> From: Glenn Morris
>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>
>> Rightly or wrong, distributions etc pay attention to CVEs, so I think
>> an official response from Emacs on this issue would be good.
>
> I'm not sure how we should provide an official response there. The
> list there is mostly of issues with very old versions, and there's a
> reference to bug reports which were closed. What else is needed? And
> what's the procedure?

OK, so this is almost 2 years old now, but I've looked into it a bit.

This CVE has been rejected by at least Debian ("this CVE assignment is
nonsense"), Red Hat (bug has status "CLOSED WONTFIX") and Gentoo (bug
has status "INVALID").

I think it's fair to say that we don't want to "fix" this, since it
should not really have been a CVE in the first place.

I suggest to do the following:

1. There is a CVE status called disputed. We should try to acquire that
   status. More information at:
   https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry

   It would be good if someone more senior than me tried to contact
   MITRE, who handles the CVE to see how that works.
   AFAICT, the way to contact them is through this web form:
   https://cveform.mitre.org/

2. Tag this bug as wontfix.

If MITRE don't reply, or do nothing -- fine, we close the bug. If they
do reply, or better yet add the status disputed -- good, it's there for
posterity. We then close the bug.

Best regards,
Stefan Kangas

PS. This CVE has the tag "withdrawn" in a GitHub repository which seems
to be handled by the CVE team at MITRE. Not sure what that means, if
anything, but it seemed interesting enough to mention.

https://github.com/CVEProject/cvelist/pull/19


From: Noam Postavsky
To: Stefan Kangas
Cc: Glenn Morris, Eli Zaretskii, 29182@debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Sun, 06 Oct 2019 09:17:25 -0400
Message-ID: <878spy813u.fsf@gmail.com>

Stefan Kangas writes:

> PS. This CVE has the tag "withdrawn" in a GitHub repository which seems
> to be handled by the CVE team at MITRE. Not sure what that means, if
> anything, but it seemed interesting enough to mention.
>
> https://github.com/CVEProject/cvelist/pull/19

I think it's just that specific pull request which has status
"withdrawn", because it accidentally lumps together unrelated commits.
The CVE file itself doesn't mention anything about "withdrawn".

https://github.com/CVEProject/cvelist/blob/master/2017/1000xxx/CVE-2017-1000383.json


From: Glenn Morris
To: Stefan Kangas
Cc: 29182@debbugs.gnu.org, Eli Zaretskii
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Tue, 08 Oct 2019 02:05:58 -0400
It is a silly CVE, but IMO backups belong by default in a private
subdirectory of user-emacs-directory (user-data-directory if such a
thing existed).


From: Stefan Kangas
To: Glenn Morris
Cc: 29182@debbugs.gnu.org, Eli Zaretskii
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Tue, 8 Oct 2019 11:24:55 +0200

Glenn Morris writes:

> It is a silly CVE, but IMO backups belong by default in a private
> subdirectory of user-emacs-directory (user-data-directory if such a
> thing existed).

That's what I do, personally. But it's not unproblematic to do that by
default, in my opinion. What if I'm editing a file on an encrypted
filesystem, thinking that it's safe there, and Emacs silently saves a
copy of said file in my home directory on an unencrypted file system?

Best regards,
Stefan Kangas
From: Stefan Kangas
To: control@debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Sun, 19 Jan 2020 16:25:19 +0100
Message-ID: <87wo9ntqn4.fsf@marxist.se>

tags 29182 + notabug wontfix
thanks
From: Stefan Kangas
To: Eli Zaretskii
Cc: Glenn Morris, 29182-done@debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Mon, 10 Aug 2020 09:25:39 -0700

Stefan Kangas writes:

> Eli Zaretskii writes:
>
>>> From: Glenn Morris
>>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>>
>>> Rightly or wrong, distributions etc pay attention to CVEs, so I think
>>> an official response from Emacs on this issue would be good.
>>
>> I'm not sure how we should provide an official response there. The
>> list there is mostly of issues with very old versions, and there's a
>> reference to bug reports which were closed. What else is needed? And
>> what's the procedure?
>
> OK, so this is almost 2 years old now, but I've looked into it a bit.

That was 44 weeks ago.

> This CVE has been rejected by at least Debian ("this CVE assignment is
> nonsense"), Red Hat (bug has status "CLOSED WONTFIX") and Gentoo (bug
> has status "INVALID").
>
> I think it's fair to say that we don't want to "fix" this, since it
> should not really have been a CVE in the first place.
>
> I suggest to do the following:
>
> 1. There is a CVE status called disputed. We should try to acquire that
>    status. More information at:
>    https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry
>
>    It would be good if someone more senior than me tried to contact
>    MITRE, who handles the CVE to see how that works. AFAICT, the way to
>    contact them is through this web form: https://cveform.mitre.org/
>
> 2. Tag this bug as wontfix.
>
> If MITRE don't reply, or do nothing -- fine, we close the bug. If they
> do reply, or better yet add the status disputed -- good, it's there for
> posterity. We then close the bug.

No one seemed interested in doing (1) and I've tagged the bug as
proposed in (2). I'm therefore closing this bug report now.

Best regards,
Stefan Kangas


From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 08 Sep 2020 11:24:11 +0000

bug archived.