GNU bug report logs - #29182
CVE-2017-1000383: umask and backup files

Previous Next

Package: emacs;

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Mon, 6 Nov 2017 21:57:02 UTC

Severity: normal

Tags: notabug, security, wontfix

Found in version 25.3

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Stefan Kangas <stefan <at> marxist.se>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: Glenn Morris <rgm <at> gnu.org>, 29182 <at> debbugs.gnu.org
Subject: bug#29182: CVE-2017-1000383: umask and backup files
Date: Sun, 6 Oct 2019 06:08:56 +0200

Eli Zaretskii <eliz <at> gnu.org> writes:

>> From: Glenn Morris <rgm <at> gnu.org>
>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>
>> Rightly or wrong, distributions etc pay attention to CVEs, so I think
>> an official response from Emacs on this issue would be good.
>
> I'm not sure how should we provide an official response there.  The
> list there is mostly of issues with very old versions, and there's a
> reference to bug reports which were closed.  What else is needed?  And
> what's the procedure?

OK, so this is almost 2 years old now, but I've looked into it a bit.

This CVE has been rejected by at least Debian ("this CVE assignment is
nonsense"), Redhat (bug has status "CLOSED WONTFIX") and Gentoo (bug has
status "INVALID").

I think it's fair to say that we don't want to "fix" this, since it
should not really have been a CVE in the first place.

I suggest to do the following:

1. There is a CVE status called disputed.  We should try to acquire that
   status.  More information at:
   https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry

   It would be good if someone more senior than me tried to contact
   MITRE, who handles the CVE to see how that works.  AFAICT, the way to
   contact them is through this web form: https://cveform.mitre.org/

2. Tag this bug as wontfix.

If MITRE don't reply, or do nothing -- fine, we close the bug.  If they
do reply, or better yet add the status disputed -- good, it's there for
posterity.  We then close the bug.

Best regards,
Stefan Kangas

PS. This CVE has the tag "withdrawn" in a Github repository which seems
to be handled by the CVE team at MITRE.  Not sure what that means, if
anything, but it seemed interesting enough to mention.

https://github.com/CVEProject/cvelist/pull/19
This bug report was last modified 4 years and 346 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.