[Bug 531569] Re: Emacs movemail race condition
Jaunty reached end-of-life on 23 October 2010 so I'll close the report.

** Changed in: emacs21 (Ubuntu Jaunty)
   Status: Confirmed => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber.
https://bugs.launchpad.net/bugs/531569
Title: Emacs movemail race condition
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 531569] Re: Emacs movemail race condition
Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug is still marked as confirmed in later versions of Ubuntu.

** Changed in: emacs21 (Ubuntu Intrepid)
   Status: Confirmed => Invalid
[Bug 531569] Re: Emacs movemail race condition
** Attachment removed: CVE-2010-0825.sh
   http://launchpadlibrarian.net/41879562/CVE-2010-0825.sh

** Visibility changed to: Public
[Bug 531569] Re: Emacs movemail race condition
** Changed in: emacs23 (Ubuntu Lucid)
   Status: Confirmed => Fix Released

** Changed in: emacs22 (Ubuntu Lucid)
   Status: Confirmed => Fix Released

** Changed in: emacs22 (Ubuntu Hardy)
   Status: Confirmed => Fix Released

** Changed in: emacs22 (Ubuntu Intrepid)
   Status: Confirmed => Fix Released

** Changed in: emacs22 (Ubuntu Jaunty)
   Status: Confirmed => Fix Released

** Changed in: emacs22 (Ubuntu Karmic)
   Status: Confirmed => Fix Released

** Changed in: emacs23 (Ubuntu Karmic)
   Status: Confirmed => Fix Released
[Bug 531569] Re: Emacs movemail race condition
http://www.ubuntu.com/usn/USN-919-1
[Bug 531569] Re: Emacs movemail race condition
** Attachment removed: Exploit for emacs race condition
   http://launchpadlibrarian.net/40123119/exploit.sh
[Bug 531569] Re: Emacs movemail race condition
While testing this patch, it seems that there is still a condition where movemail wipes the mailbox (though it doesn't leak contents any more). Here is an updated reproducer that tests for the conditions...

** Attachment added: CVE-2010-0825.sh
   http://launchpadlibrarian.net/41879562/CVE-2010-0825.sh
[Bug 531569] Re: Emacs movemail race condition
New patch coming right up, ready in 10 minutes.
[Bug 531569] Re: Emacs movemail race condition
As promised...this takes the same approach as before - dropping the egid before calls to open() or creat(). I made another pass through the code to make sure there weren't any other vulnerable calls, so this should finally kill these bugs. I tested using the reproducer to confirm it fixes the race, and made sure functionality is still intact.

** Patch added: New patch for movemail
   http://launchpadlibrarian.net/41882940/movemail.patch
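The approach named in the message above, dropping the effective gid before open() or creat(), shown as an added example; it is not the code from movemail.patch. The helper name open_as_real_gid is hypothetical, and the code assumes a setgid binary whose saved set-group-ID lets the privileged group be restored afterwards.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from movemail.patch): open PATH with the
   effective gid temporarily set to the real gid, so the kernel checks
   access as the invoking user rather than as the setgid group. */
int open_as_real_gid(const char *path, int flags, mode_t mode)
{
    gid_t priv_egid = getegid();  /* privileged group of the setgid binary (assumed, e.g. mail) */
    gid_t real_gid = getgid();    /* group of the user who ran it */
    int fd, saved_errno;

    /* Drop, then verify: do not touch the file while the privilege is held. */
    if (setegid(real_gid) != 0 || getegid() != real_gid)
        return -1;

    fd = open(path, flags, mode);
    saved_errno = errno;

    /* Restore: permitted because the saved set-group-ID still holds
       priv_egid. If it fails, the process state is unknown, so stop. */
    if (setegid(priv_egid) != 0 || getegid() != priv_egid)
        abort();

    errno = saved_errno;          /* report open()'s error, not setegid()'s */
    return fd;
}

int main(void)
{
    int fd = open_as_real_gid("/dev/null", O_RDONLY, 0);
    if (fd < 0) {
        perror("open_as_real_gid");
        return 1;
    }
    printf("opened fd %d; effective gid restored to %ld\n", fd, (long)getegid());
    close(fd);
    return 0;
}
```

Run unprivileged, the drop and restore are no-ops because the real and effective gids already match; the difference only shows when the binary is installed setgid.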
[Bug 531569] Re: Emacs movemail race condition
Cool! Thanks very much for the quick turn-around. :)
[Bug 531569] Re: Emacs movemail race condition
** Visibility changed to: Public

** Visibility changed to: Private