Re: RUS-CERT Advisory 200004-01: GNU Emacs 20

[glynn () SENSEI CO UK (Glynn Clements)]

Dan Harkless wrote:

> >                 RUS-CERT Advisory 200004-01: GNU Emacs 20
>
> As an XEmacs user, I would have liked to have seen one of the following
> statements:
>
> * These vulnerabilities only apply to GNU Emacs, not XEmacs.
>
> * We do not know if these vulnerabilities also apply to XEmacs.
>
> * These vulnerabilities apply to equally to GNU Emacs and XEmacs.

I guess that it would be option 2.

>    On the systems listed above, when a new subprocess is created
>    using the builtin Lisp function start-process, Emacs doesn't set
>    proper permissions for the slave PTY device.

On XEmacs, start-process only uses a pty if process-connection-type is
"t", otherwise it uses (unnamed) pipes.

> 2. Unsafe creation of temporary files
>
>   2.1. Scope
>
>    All Unix-like Emacs platforms on which public directories are
>    used to store temporary files.

Recent versions of XEmacs honour $TMPDIR, so there shouldn't be any
need to use public directories.

>   3.3. Problem
>
>    Functions like read-passwd do not clear the the history of
>    recently typed keys. In fact, there is no way to do that from
>    Emacs Lisp.

Ditto for XEmacs.

--
Glynn Clements <glynn () sensei co uk>