bug#29182: CVE-2017-1000383: umask and backup files

Glenn Morris-3
Package: emacs
Version: 25.3
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000383

  GNU Emacs version 25.3.1 (and other versions most likely) ignores umask
  when creating a backup save file ("[ORIGINAL_FILENAME]~") resulting in
  files that may be world readable or otherwise accessible in ways not
  intended by the user running the emacs binary.

[I'm not sure why this apparently hasn't been reported here before now?]



Glenn Morris-3

I think the actual complaint appears at http://seclists.org/oss-sec/2017/q4/159
and could be summarized as "if you create a file, then make your umask
more restrictive, then edit it with Emacs, the backup file inherits the
same permissions as the original file, not the more restrictive umask
permissions".

Eg:
umask 002
touch foo
ls -l foo #   -> -rw-rw-r--
umask 007
emacs-25.3 -Q foo
 make some changes and save
touch foo2
ls -l foo*
 foo  -rw-rw-r--.
 foo~ -rw-rw-r--.
 foo2 -rw-rw----.

(With backup-by-copying non-nil, the result is the same.)

I don't really know what my opinion of this issue is...
I imagine I would have made the same reply as
http://seclists.org/oss-sec/2017/q4/184

 [Emacs] copies the permission from the file being edited. Although the
 [backup] file is readable by others this does not leak any information
 here, since the file being edited is already readable by others.

but this is dismissed with:

  ...it doesn't matter because a security assertion made via umask is
  being violated, so it wins a CVE. Also for example if you later delete
  that file and think you're safe the copy is still floating around
  world readable. Or you have something indexing the files and ignoring
  that file type, and the [~] gets indexed, and so on.

Anyway, you can probably find every shade of opinion on what to do about
this already expressed in that oss-sec thread or the related vim one.

I think I've found it useful many, many times that ~ files have the same
permissions as the originals.




Glenn Morris-3

One solution is to put backup files in a single (private) location,
rather than alongside the original file. This is achievable in Emacs
with eg

(setq backup-directory-alist '(("\\`/[^/|:][^/|]*:")
   ("." . "<HOME>/.emacs.d/backups")))

where ~/.emacs.d/backups is created mode 700. I've used this in my
personal config for years.

A very brief search suggests that this seems to be what newer editors
(eg LibreOffice) do for backup files.
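
The private-directory approach above, as an added example that is not part of the original message or of Emacs: POSIX shell functions that create the backup directory as mode 700 regardless of the current umask, and list existing `~` backup files that group or others can access. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# List backup files (names ending in "~") under DIR that grant any
# permission bit to group or others. POSIX find has no "any of these
# bits" test, so each of the six bits is checked separately.
audit_backups() {
    find "$1" -type f -name '*~' \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Create the single private backup location as mode 700, independent of
# the caller's umask, and tighten it if it already exists with a looser mode.
make_private_backup_dir() {
    ( umask 077 && mkdir -p "$1" ) && chmod 700 "$1"
}

# Print the symbolic mode of a path, e.g. "drwx------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage: sh audit.sh DIR [BACKUP_DIR]
if [ "$#" -ge 1 ]; then
    audit_backups "$1"
    if [ "$#" -ge 2 ]; then
        make_private_backup_dir "$2"
        mode_of "$2"
    fi
fi
```

The audit only reports files; whether a listed backup should be tightened or removed depends on whether the original file is meant to be shared.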



Glenn Morris-3

Rightly or wrongly, distributions etc pay attention to CVEs, so I think
an official response from Emacs on this issue would be good.

(My personal favourite is
https://security-tracker.debian.org/tracker/CVE-2017-1000383 )



Eli Zaretskii
> From: Glenn Morris <[hidden email]>
> Date: Mon, 13 Nov 2017 17:04:55 -0500
>
> Rightly or wrongly, distributions etc pay attention to CVEs, so I think
> an official response from Emacs on this issue would be good.

I'm not sure how we should provide an official response there.  The
list there is mostly of issues with very old versions, and there's a
reference to bug reports which were closed.  What else is needed?  And
what's the procedure?