Bug 578267 (CVE-2010-0825)
| Field | Value |
|---|---|
| Summary | CVE-2010-0825 emacs, xemacs: Race condition by moving message from user's inbox into user's Rmail file, when movemail setgid enabled |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED NOTABUG |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Reporter | Jan Lieskovsky <jlieskov> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | bressers, dnovotny, jrusnack, kklic |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| URL | https://bugs.launchpad.net/ubuntu/+source/emacs22/+bug/531569 |
| Doc Type | Bug Fix |
| Last Closed | 2010-04-06 18:38:20 UTC |
| Bug Depends On | 578272, 578273 |

Description
Jan Lieskovsky
2010-03-30 18:09:49 UTC
This issue does NOT affect the versions of the emacs package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. The Emacs movemail binary, responsible for moving email messages from user's inbox into user's Rmail file is NOT equipped with setgid attribute (which is required for this flaw to succeed) in the versions of emacs package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue does NOT affect the versions of the xemacs package, as shipped with Red Hat Enterprise Linux 3 and 4. The Xemacs movemail binary, responsible for moving email messages from user's inbox into user's Rmail file is NOT equipped with setgid attribute (which is required for this flaw to succeed) in the versions of xemacs package, as shipped with Red Hat Enterprise Linux 3 and 4.

This issue does NOT affect the versions of the emacs package, as shipped with Fedora release of 11 and 12. The Emacs movemail binary, responsible for moving email messages from user's inbox into user's Rmail file is NOT equipped with setgid attribute (which is required for this flaw to succeed) in the versions of emacs package, as shipped with Fedora releases of 11 and 12.

This issue does NOT affect the versions of the xemacs package, as shipped with Fedora release of 11 and 12. The Xemacs movemail binary, responsible for moving email messages from user's inbox into user's Rmail file is NOT equipped with setgid attribute (which is required for this flaw to succeed) in the versions of the xemacs package, as shipped with Fedora releases of 11 and 12.

emacs-23.1-13.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/emacs-23.1-13.fc11

emacs-23.1.94-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/emacs-23.1.94-2.fc13

emacs-23.1-21.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/emacs-23.1-21.fc12

I'm closing this issue as NOTABUG. No versions of emacs have the setgid bit set on the movemail utility. Without this bit set, the flaw does not exist. See Comment 4 for more details.

emacs-23.1-13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

emacs-23.1-21.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
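
The precondition this bug turns on, a setgid bit on the movemail binary, can be checked on an installed system. The script below is an added example, not part of the original bug report or of any Red Hat or Fedora tooling; the function names are hypothetical, and the directories to search are supplied by the caller because the report does not state install paths.

```shell
#!/bin/sh
# Added example (not from the bug report): report the setgid state of every
# file named "movemail" under the directories given as arguments.
# The search roots are the caller's choice; none are taken from the bug.

# Prints one line per movemail file found:
#   SETGID <mode> gid=<gid> <path>   setgid bit is set (the flaw's precondition)
#   ok <path>                        setgid bit is not set
audit_movemail() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -name movemail 2>/dev/null
    done | while IFS= read -r f; do
        if [ -g "$f" ]; then
            # ls -ln: field 1 is the mode string, field 4 the numeric group id
            printf 'SETGID %s %s\n' "$(ls -ln "$f" | awk '{print $1, "gid=" $4}')" "$f"
        else
            printf 'ok %s\n' "$f"
        fi
    done
}

# Number of movemail files under the given roots that carry the setgid bit.
count_setgid_movemail() {
    audit_movemail "$@" | grep -c '^SETGID ' || true
}

# When run as a script, audit the directories passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_movemail "$@"
fi
```

A count of zero matches the state the closing comment describes for the shipped packages; any `SETGID` line identifies a binary and group that would need review.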