Bug 11414

Summary: xemacs-packages dir by default 777
Product: [Retired] Red Hat Powertools Reporter: Vladimir Vukicevic <vladimir>
Component: xemacsAssignee: Ngo Than <than>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-05-15 16:15:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Vladimir Vukicevic 2000-05-15 08:45:35 UTC
XEmacs 21 (and up) includes support for an automatic package installing
system. The problem is that, by default, /usr/lib/xemacs/xemacs-packages
is installed with mode 777, thus allowing any user to upgrade packages --
but also to introduce any trojan horses or any other such things,
especially on shared systems.

Since xemacs is so complex, this can be exploited in many ways (i.e.
hacking term.el or shell.el to save passwords, etc.)

Comment 1 Trond Eivind Glomsrxd 2000-07-12 15:28:19 UTC
This was fixed at some point. Thanks.