GNU bug report logs -
#4291
23.1; doc-view-mode temporary directory vulnerable to denial of service
Report forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>: bug#4291; Package emacs. (Sun, 30 Aug 2009 00:10:06 GMT)
Acknowledgement sent to David Bremner <bremner-dated-1252800134.2fccb3 <at> pivot.cs.unb.ca>: New bug report received and forwarded. Copy sent to Emacs Bugs <bug-gnu-emacs <at> gnu.org>. (Sun, 30 Aug 2009 00:10:06 GMT)
Message #5 received at submit <at> emacsbugs.donarmstrong.com:
By default doc-view-mode makes a directory /tmp/docview$uid . Since
this is easily predictable, a malicious person could cause docview to
fail simply by creating a directory with the same name.
In GNU Emacs 23.1.1 (i486-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
of 2009-08-03 on raven, modified by Debian
Windowing system distributor `The X.Org Foundation', version 11.0.10603000
configured using `configure '--build=i486-linux-gnu' '--host=i486-linux-gnu' '--prefix=/usr' '--sharedstatedir=/var/lib' '--libexecdir=/usr/lib' '--localstatedir=/var/lib' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--with-pop=yes' '--enable-locallisppath=/etc/emacs23:/etc/emacs:/usr/local/share/emacs/23.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/23.1/site-lisp:/usr/share/emacs/site-lisp:/usr/share/emacs/23.1/leim' '--with-x=yes' '--with-x-toolkit=athena' '--with-toolkit-scroll-bars' 'build_alias=i486-linux-gnu' 'host_alias=i486-linux-gnu' 'CFLAGS=-DDEBIAN -g -O2' 'LDFLAGS=-g' 'CPPFLAGS=''
Important settings:
value of $LC_ALL: nil
value of $LC_COLLATE: nil
value of $LC_CTYPE: nil
value of $LC_MESSAGES: nil
value of $LC_MONETARY: nil
value of $LC_NUMERIC: nil
value of $LC_TIME: nil
value of $LANG: en_CA.UTF-8
value of $XMODIFIERS: nil
locale-coding-system: utf-8-unix
default-enable-multibyte-characters: t
Major mode: Fundamental
Minor modes in effect:
diff-auto-refine-mode: t
tool-bar-mode: t
mouse-wheel-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
global-auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
Recent input:
M-x C-g C-x C-f t e a SPC c s SPC 2 SPC SPC w i SPC
c SPC SPC SPC SPC <return> M-x r e p SPC o SPC SPC
r SPC SPC SPC <return>
Recent messages:
Loading /home/bremner/.emacs-custom.el (source)...
Loading epa-mail...done
Loading /home/bremner/.emacs-custom.el (source)...done
Loading /usr/share/emacs/site-lisp/haskell-mode/haskell-site-file.el (source)...done
For information about GNU Emacs and the GNU system, type C-h C-a.
Quit
Making completion list... [2 times]
File mode specification error: (file-error "Doing chmod" "operation not permitted" "/tmp/docview1000")
Loading vc-git...done
Making completion list... [3 times]
Information forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>: bug#4291; Package emacs. (Mon, 31 Aug 2009 01:50:03 GMT)
Message #8 received at 4291 <at> emacsbugs.donarmstrong.com:
David Bremner wrote:
> By default doc-view-mode makes a directory /tmp/docview$uid . Since
> this is easily predictable, a malicious person could cause docview to
> fail simply by creating a directory with the same name.
Couldn't they do the same thing by simply filling /tmp with junk, no
matter what filename is used?
(Emacs server also uses the same name every time AFAIK.)
Information forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>: bug#4291; Package emacs. (Mon, 31 Aug 2009 15:00:06 GMT)
Acknowledgement sent to Stefan Monnier <monnier <at> iro.umontreal.ca>: Extra info received and forwarded to list. Copy sent to Emacs Bugs <bug-gnu-emacs <at> gnu.org>. (Mon, 31 Aug 2009 15:00:06 GMT)
Message #13 received at 4291 <at> emacsbugs.donarmstrong.com:
>> By default doc-view-mode makes a directory /tmp/docview$uid . Since
>> this is easily predictable, a malicious person could cause docview to
>> fail simply by creating a directory with the same name.
> Couldn't they do the same thing by simply filling /tmp with junk, no
> matter what filename is used?
Yes, tho it's a bit different: your case can be avoided by appropriate
use of quotas on /tmp (yes, I realize this is highly unlikely), and your
case cannot be obtained without impacting the system as a whole
(i.e. it's less discrete).
> (Emacs server also uses the same name every time AFAIK.)
Yes, and Emacs server needs this name to be predictable (an "ls /tmp"
shows that other services, such as `orbit', are similarly vulnerable).
IIRC /tmp/docview$uid is predictable because doc-view tries to reuse
previously-rendered pages. I'm not convinced this is really a good
feature, but obviously the author thought it was important, so I'd
rather not drop it without a discussion.
Stefan
Information forwarded to bug-submit-list <at> lists.donarmstrong.com, Emacs Bugs <bug-gnu-emacs <at> gnu.org>: bug#4291; Package emacs. (Tue, 01 Sep 2009 21:20:03 GMT)
Message #16 received at 4291 <at> emacsbugs.donarmstrong.com:
Stefan Monnier wrote:
> Yes, tho it's a bit different: your case can be avoided by appropriate
> use of quotas on /tmp (yes, I realize this is highly unlikely), and your
> case cannot be obtained without impacting the system as a whole
> (i.e. it's less discrete).
The original scenario doesn't seem likely (or discreet). I suggest
just making docview give an explicit error if its cache dir: a) cannot
be created; or b) exists but cannot be read or written to.
Severity set to 'minor' from 'normal'. Request was from Glenn Morris <rgm <at> gnu.org> to control <at> emacsbugs.donarmstrong.com. (Tue, 01 Sep 2009 21:20:07 GMT)
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#4291; Package emacs. (Tue, 12 Jul 2011 21:20:04 GMT)
Message #21 received at 4291 <at> debbugs.gnu.org:
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
> IIRC /tmp/docview$uid is predictable because doc-view tries to reuse
> previously-rendered pages. I'm not convinced this is really a good
> feature, but obviously the author thought it was important, so I'd
> rather not drop it without a discussion.
It could just stash the directory name in a variable, and use the normal
`make-temp-file' to create the directory, couldn't it?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog http://lars.ingebrigtsen.no/
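The two proposals in this thread, Glenn Morris's explicit error when the cache directory cannot be created or is unusable (message #16) and Lars Ingebrigtsen's uniquely named directory from `make-temp-file' (message #21), sketched side by side in Emacs Lisp. This is an added example, not code from doc-view.el or from any participant; the `my-docview-` names are hypothetical, and it uses only functions that exist in Emacs (`make-directory', `file-attributes', `file-modes', `set-file-modes', `make-temp-file').

```elisp
;; Added example (not from doc-view.el): two ways to obtain doc-view's
;; per-user cache directory without tripping over a pre-existing
;; /tmp/docview$uid that belongs to someone else.  Names prefixed
;; `my-docview-' are hypothetical.

(defvar my-docview-cache-prefix "docview"
  "Name prefix for the cache directory; mirrors the one doc-view uses.")

(defun my-docview-check-cache-dir (dir)
  "Return DIR if it is a private directory owned by us, else signal an error.
Every failure mode is reported explicitly instead of surfacing later as
an obscure `Doing chmod' file-error, which is what the original report shows."
  (cond
   ((file-symlink-p dir)
    (error "doc-view cache %s is a symlink; refusing to use it" dir))
   ((not (file-directory-p dir))
    (error "doc-view cache %s exists but is not a directory" dir))
   ((not (eql (nth 2 (file-attributes dir 'integer)) (user-uid)))
    (error "doc-view cache %s is owned by uid %d, not by you (uid %d)"
           dir (nth 2 (file-attributes dir 'integer)) (user-uid)))
   ((not (and (file-readable-p dir) (file-writable-p dir)))
    (error "doc-view cache %s exists but cannot be read and written" dir))
   (t
    ;; We own it, so tightening the mode cannot fail the way chmod on
    ;; another user's directory does.
    (unless (zerop (logand (file-modes dir) #o077))
      (set-file-modes dir #o700))
    dir)))

(defun my-docview-cache-dir-reusable ()
  "Predictable per-user cache directory that fails loudly when taken.
Keeps the /tmp/docview$uid name so pages rendered by an earlier Emacs
can be reused, as the thread describes, but never chmods or writes into
a directory it has not verified as its own."
  (let ((dir (expand-file-name
              (format "%s%d" my-docview-cache-prefix (user-uid))
              temporary-file-directory)))
    (unless (file-exists-p dir)
      (condition-case err
          (make-directory dir)
        (file-error
         ;; Lost a race with another process creating the same name;
         ;; the checks below decide whether the winner was us.
         (unless (file-exists-p dir)
           (error "doc-view cache %s could not be created: %s"
                  dir (error-message-string err))))))
    (my-docview-check-cache-dir dir)))

(defvar my-docview-session-cache-dir nil
  "Cache directory for this Emacs session, created on first use.")

(defun my-docview-cache-dir-unique ()
  "Unpredictable per-session cache directory.
`make-temp-file' with DIR-FLAG creates a fresh, uniquely named, private
directory under `temporary-file-directory', so nobody can pre-create it.
The cost is that pages rendered by a previous session are not reused
and the directory must be deleted when the session ends."
  (unless (and my-docview-session-cache-dir
               (file-directory-p my-docview-session-cache-dir))
    (setq my-docview-session-cache-dir
          (make-temp-file my-docview-cache-prefix t)))
  my-docview-session-cache-dir)
```

With a `/tmp/docview$uid` pre-created by another user, `(my-docview-cache-dir-reusable)` stops at the ownership check with a message naming the directory and its owner, instead of the `(file-error "Doing chmod" "operation not permitted" ...)` in the original report; `(my-docview-cache-dir-unique)` sidesteps the name collision entirely at the price of the cross-session cache.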
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#4291; Package emacs. (Tue, 12 Jul 2011 21:45:04 GMT)
Message #24 received at 4291 <at> debbugs.gnu.org:
Lars Magne Ingebrigtsen wrote:
> Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>
>> IIRC /tmp/docview$uid is predictable because doc-view tries to reuse
>> previously-rendered pages. I'm not convinced this is really a good
>> feature, but obviously the author thought it was important, so I'd
>> rather not drop it without a discussion.
>
> It could just stash the directory name in a variable, and use the normal
> `make-temp-file' to create the directory, couldn't it?
I think the idea referred to above is to potentially re-use pages
converted by a previous Emacs instance (which seems like a bad feature
to me too).
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#4291; Package emacs. (Tue, 12 Jul 2011 21:47:01 GMT)
Message #27 received at 4291 <at> debbugs.gnu.org:
Glenn Morris <rgm <at> gnu.org> writes:
>>> IIRC /tmp/docview$uid is predictable because doc-view tries to reuse
>>> previously-rendered pages. I'm not convinced this is really a good
>>> feature, but obviously the author thought it was important, so I'd
>>> rather not drop it without a discussion.
>>
>> It could just stash the directory name in a variable, and use the normal
>> `make-temp-file' to create the directory, couldn't it?
>
> I think the idea referred to above is to potentially re-use pages
> converted by a previous Emacs instance (which seems like a bad feature
> to me too).
Oh, I see. Hm. Sounds like a bad idea to me, too. :-)
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog http://lars.ingebrigtsen.no/
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#4291; Package emacs. (Tue, 12 Jul 2011 22:17:02 GMT)
Message #30 received at 4291 <at> debbugs.gnu.org:
Lars Magne Ingebrigtsen <larsi <at> gnus.org> writes:
>>>> IIRC /tmp/docview$uid is predictable because doc-view tries to reuse
>>>> previously-rendered pages. I'm not convinced this is really a good
>>>> feature, but obviously the author thought it was important, so I'd
>>>> rather not drop it without a discussion.
>>>
>>> It could just stash the directory name in a variable, and use the normal
>>> `make-temp-file' to create the directory, couldn't it?
>>
>> I think the idea referred to above is to potentially re-use pages
>> converted by a previous Emacs instance (which seems like a bad feature
>> to me too).
>
> Oh, I see. Hm. Sounds like a bad idea to me, too. :-)
I think the idea is that if you view the same pdf N times in Emacs, the
disk space won't increase monotonically (Emacs doesn't delete any of
those files AFAIK).
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#4291; Package emacs. (Tue, 12 Jul 2011 22:19:02 GMT)
Message #33 received at 4291 <at> debbugs.gnu.org:
Chong Yidong <cyd <at> stupidchicken.com> writes:
> I think the idea is that if you view the same pdf N times in Emacs, the
> disk space won't increase monotonically (Emacs doesn't delete any of
> those files AFAIK).
If they aren't deleted, then using a single directory per UID seems like
a good choice. Perhaps the right fix here is to make the error message
better?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog http://lars.ingebrigtsen.no/
Information forwarded to owner <at> debbugs.gnu.org, bug-gnu-emacs <at> gnu.org: bug#4291; Package emacs. (Sat, 16 Jul 2011 19:40:02 GMT)
Message #36 received at 4291 <at> debbugs.gnu.org:
Lars Magne Ingebrigtsen <larsi <at> gnus.org> writes:
>> I think the idea is that if you view the same pdf N times in Emacs, the
>> disk space won't increase monotonically (Emacs doesn't delete any of
>> those files AFAIK).
>
> If they aren't deleted, then using a single directory per UID seems like
> a good choice. Perhaps the right fix here is to make the error message
> better?
I've now done this.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog http://lars.ingebrigtsen.no/
Added tag(s) fixed. Request was from Lars Magne Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Sat, 16 Jul 2011 19:40:03 GMT)
Bug marked as fixed in version 24.1, send any further explanations to 4291 <at> debbugs.gnu.org and David Bremner <bremner-dated-1252800134.2fccb3 <at> pivot.cs.unb.ca>. Request was from Lars Magne Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Sat, 16 Jul 2011 19:40:03 GMT)
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 14 Aug 2011 11:24:05 GMT)
This bug report was last modified 13 years and 313 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.