GNU bug report logs - #29182
CVE-2017-1000383: umask and backup files

Package: emacs;

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Mon, 6 Nov 2017 21:57:02 UTC

Severity: normal

Tags: notabug, security, wontfix

Found in version 25.3

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Glenn Morris <rgm <at> gnu.org>
Subject: bug#29182: closed (Re: bug#29182: CVE-2017-1000383: umask and backup files)
Date: Mon, 10 Aug 2020 16:26:02 +0000
Your bug report

#29182: CVE-2017-1000383: umask and backup files

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 29182 <at> debbugs.gnu.org.

-- 
29182: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=29182
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Stefan Kangas <stefan <at> marxist.se>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: Glenn Morris <rgm <at> gnu.org>, 29182-done <at> debbugs.gnu.org
Subject: Re: bug#29182: CVE-2017-1000383: umask and backup files
Date: Mon, 10 Aug 2020 09:25:39 -0700
Stefan Kangas <stefan <at> marxist.se> writes:

> Eli Zaretskii <eliz <at> gnu.org> writes:
>
>>> From: Glenn Morris <rgm <at> gnu.org>
>>> Date: Mon, 13 Nov 2017 17:04:55 -0500
>>>
>>> Rightly or wrongly, distributions etc pay attention to CVEs, so I think
>>> an official response from Emacs on this issue would be good.
>>
>> I'm not sure how should we provide an official response there.  The
>> list there is mostly of issues with very old versions, and there's a
>> reference to bug reports which were closed.  What else is needed?  And
>> what's the procedure?
>
> OK, so this is almost 2 years old now, but I've looked into it a bit.

That was 44 weeks ago.

> This CVE has been rejected by at least Debian ("this CVE assignment is
> nonsense"), Redhat (bug has status "CLOSED WONTFIX") and Gentoo (bug has
> status "INVALID").
>
> I think it's fair to say that we don't want to "fix" this, since it
> should not really have been a CVE in the first place.
>
> I suggest to do the following:
>
> 1. There is a CVE status called disputed.  We should try to acquire that
>    status.  More information at:
>    https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry
>
>    It would be good if someone more senior than me tried to contact
>    MITRE, who handles the CVE to see how that works.  AFAICT, the way to
>    contact them is through this web form: https://cveform.mitre.org/
>
> 2. Tag this bug as wontfix.
>
> If MITRE don't reply, or do nothing -- fine, we close the bug.  If they
> do reply, or better yet add the status disputed -- good, it's there for
> posterity.  We then close the bug.

No one seemed interested in doing (1) and I've tagged the bug as
proposed in (2).

I'm therefore closing this bug report now.

Best regards,
Stefan Kangas

From: Glenn Morris <rgm <at> gnu.org>
To: submit <at> debbugs.gnu.org
Subject: CVE-2017-1000383: umask and backup files
Date: Mon, 06 Nov 2017 16:56:18 -0500
Package: emacs
Version: 25.3
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000383

  GNU Emacs version 25.3.1 (and other versions most likely) ignores umask
  when creating a backup save file ("[ORIGINAL_FILENAME]~") resulting in
  files that may be world readable or otherwise accessible in ways not
  intended by the user running the emacs binary.

[I'm not sure why this apparently hasn't been reported here before now?]
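As an added defender-side check, not code from this report or from Emacs itself: a Python audit that walks a directory and lists `name~` backup files whose permission bits are wider than a given umask would allow a newly created file, which is exactly the condition the CVE text above describes. The function names and the constructed sample files in `demo()` are assumptions made for this example.

```python
import os
import stat
from pathlib import Path

# Audit Emacs-style backup files ("name~") against a umask.
# New regular files start from mode 0666 before the umask is applied,
# so 0666 & ~umask is the widest mode the umask would ever permit.


def umask_ceiling(umask):
    """Widest permission bits a newly created regular file can get under umask."""
    return 0o666 & ~umask


def excess_bits(mode, umask):
    """Permission bits set in `mode` that the umask would have cleared."""
    perm = stat.S_IMODE(mode)
    return perm & ~umask_ceiling(umask)


def audit_backup_files(root, umask):
    """Walk `root`; return [(path, perm, excess)] for every '*~' regular file
    whose permission bits exceed what `umask` permits (sorted by path)."""
    findings = []
    for path in sorted(Path(root).rglob("*~")):
        if not path.is_file():
            continue
        mode = path.lstat().st_mode
        extra = excess_bits(mode, umask)
        if extra:
            findings.append((str(path), stat.S_IMODE(mode), extra))
    return findings


def current_umask():
    """Read the process umask without leaving it changed."""
    old = os.umask(0)
    os.umask(old)
    return old


def demo(umask=0o077):
    """Constructed scenario (hypothetical files): a 0644 backup beside a
    compliant 0600 one in a temp tree; returns (name, perm, excess) findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        loose, tight = Path(tmp) / "notes.txt~", Path(tmp) / "secret.txt~"
        for p in (loose, tight):
            p.write_text("constructed sample\n")
        os.chmod(loose, 0o644)
        os.chmod(tight, 0o600)
        return [(Path(p).name, perm, extra)
                for p, perm, extra in audit_backup_files(tmp, umask)]


if __name__ == "__main__":
    for name, perm, extra in demo():
        print(f"{name}: mode {perm:04o}, bits beyond umask: {extra:04o}")
```

Run it against a home directory with `audit_backup_files(os.path.expanduser("~"), current_umask())` to see which existing backup files would have been narrower had the umask been applied.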
