GNU bug report logs - #4291
23.1; doc-view-mode temporary directory vulnerable to denial of service

Previous Next

Package: emacs;

Reported by: David Bremner <bremner-dated-1252800134.2fccb3 <at> pivot.cs.unb.ca>

Date: Sun, 30 Aug 2009 00:10:05 UTC

Severity: minor

Tags: fixed

Fixed in version 24.1

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 4291 <at> debbugs.gnu.org,
        David Bremner <bremner-dated-1252800134.2fccb3 <at> pivot.cs.unb.ca>
Subject: bug#4291: 23.1; doc-view-mode temporary directory vulnerable to denial of service
Date: Mon, 31 Aug 2009 10:55:40 -0400

>> By default doc-view-mode makes a directory /tmp/docview$uid .  Since
>> this is easily predictable, a malicious person could cause docview to
>> fail simply by creating a directory with the same name.
> Couldn't they do the same thing by simply filling /tmp with junk, no
> matter what filename is used?

Yes, tho it's a bit different: your case can be avoided by appropriate
use of quotas on /tmp (yes, I realize this is highly unlikely), and your
case cannot be obtained without impacting the system as a whole
(i.e. it's less discrete).

> (Emacs server also uses the same name every time AFAIK.)

Yes, and Emacs server needs this name to be predictable (an "ls /tmp"
shows that other services, such as `orbit', are similarly vulnerable).

IIRC /tmp/docview$uid is predictable because doc-view tries to reuse
previouly-rendered pages.  I'm not convinced this is really a good
feature, but obviously the author thought it was important, so I'd
rather not drop it without a discussion.


        Stefan
This bug report was last modified 13 years and 314 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.