Package: xemacs21
Severity: important
Tags: security
This was brought to our attention by Red Hat on vendor-sec:
Steve Grubb of Red Hat discovered that vcdiff script as shipped with
Emacs (confirmed in versions 20.7 to 22.1.50) uses temporary files
insecurely, which makes it possible for local attacker to conduct a
symlink attack and make the victim overwrite arbitrary file.
diff -ur emacs-21.4.orig/lib-src/vcdiff emacs-21.4/lib-src/vcdiff
--- emacs-21.4.orig/lib-src/vcdiff 2006-09-28 12:07:51.000000000
-0400
+++ emacs-21.4/lib-src/vcdiff 2006-09-28 15:58:53.000000000 -0400
@@ -86,14 +86,14 @@
case $f in
s.* | */s.*)
if
- rev1=/tmp/geta$$
+ rev1=`mktemp /tmp/geta.XXXXXXXX`
get -s -p -k $sid1 "$f" > $rev1 &&
case $sid2 in
'')
workfile=`expr " /$f" : '.*/s.\(.*\)'`
;;
*)
- rev2=/tmp/getb$$
+ rev2=`mktemp /tmp/getb.XXXXXXXX`
get -s -p -k $sid2 "$f" > $rev2
workfile=$rev2
esac
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
