Dan Rosenberg found a race condition in Emacs's Rmail subsystem, when moving mail from the user's inbox into the user's Rmail file. A local attacker could use this flaw to conduct symlink attacks on the mailbox of the targeted user, leading to the possibility to read or alter mail of the victim.

References:
[1] https://bugs.launchpad.net/ubuntu/+source/emacs22/+bug/531569
[2] http://www.ubuntu.com/usn/USN-919-1

Flaw exploitability note: In order for the above attack scenario to succeed, the Emacs / Xemacs movemail binary would need to be equipped with the setgid attribute. This is NOT the case for versions of emacs and xemacs packages, as shipped within various Red Hat products.
This issue does NOT affect the versions of the emacs package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. The Emacs movemail binary, responsible for moving email messages from the user's inbox into the user's Rmail file, is NOT equipped with the setgid attribute (which is required for this flaw to succeed) in the versions of the emacs package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue does NOT affect the versions of the xemacs package, as shipped with Red Hat Enterprise Linux 3 and 4. The Xemacs movemail binary, responsible for moving email messages from the user's inbox into the user's Rmail file, is NOT equipped with the setgid attribute (which is required for this flaw to succeed) in the versions of the xemacs package, as shipped with Red Hat Enterprise Linux 3 and 4.

This issue does NOT affect the versions of the emacs package, as shipped with Fedora releases 11 and 12. The Emacs movemail binary, responsible for moving email messages from the user's inbox into the user's Rmail file, is NOT equipped with the setgid attribute (which is required for this flaw to succeed) in the versions of the emacs package, as shipped with Fedora releases 11 and 12.

This issue does NOT affect the versions of the xemacs package, as shipped with Fedora releases 11 and 12. The Xemacs movemail binary, responsible for moving email messages from the user's inbox into the user's Rmail file, is NOT equipped with the setgid attribute (which is required for this flaw to succeed) in the versions of the xemacs package, as shipped with Fedora releases 11 and 12.
emacs-23.1-13.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/emacs-23.1-13.fc11
emacs-23.1.94-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/emacs-23.1.94-2.fc13
emacs-23.1-21.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/emacs-23.1-21.fc12
I'm closing this issue as NOTABUG. No versions of emacs have the setgid bit set on the movemail utility. Without this bit set, the flaw does not exist. See Comment 4 for more details.
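The exposure condition discussed in this report (a setgid movemail binary) can be checked on a given host with the following added example, which is not part of the bug report or of any Emacs package. The function name `audit_movemail` and the default search roots are assumptions; pass the directories where your distribution installs Emacs helpers.

```shell
#!/bin/sh
# Added example: report whether any installed movemail binary is setgid.
# The default search roots below are assumptions; pass your own as arguments.

audit_movemail() {
    [ "$#" -gt 0 ] || set -- /usr/lib /usr/lib64 /usr/libexec /usr/local/libexec

    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -name movemail 2>/dev/null
    done | {
        found=0
        while IFS= read -r bin; do
            # Mode string and owning group, taken from the long listing.
            info=$(ls -ld "$bin" | awk '{ print $1, $4 }')
            if [ -g "$bin" ]; then
                # Setgid present: the precondition named in this report is met.
                printf 'SETGID %s %s\n' "$info" "$bin"
                found=1
            else
                printf 'ok %s %s\n' "$info" "$bin"
            fi
        done
        # Exit status 1 if at least one setgid movemail was found, else 0.
        [ "$found" -eq 0 ]
    }
}
```

Call `audit_movemail` with no arguments to scan the default roots; a non-zero exit status means at least one movemail binary carries the setgid bit and the packaging should be reviewed.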
emacs-23.1-13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
emacs-23.1-21.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.