emacs-pretest-bug

Emacs 21.2 TOCTTOU bug report


From: Jinpeng Wei
Subject: Emacs 21.2 TOCTTOU bug report
Date: Wed, 30 Nov 2005 01:39:24 -0500 (EST)

Hi,

It seems that Emacs 21.2 contains a TOCTTOU
(Time-Of-Check-To-Time-Of-Use) bug. It happens when Emacs is run by root
to edit a file owned by a normal user (also the attacker) and Emacs saves
the file being edited. As a result of a successful attack, the attacker
can read the content of /etc/shadow. This is because Emacs has a <open,
chmod> TOCTTOU vulnerability which can be exploited by replacing the file
being edited with a symbolic link to /etc/shadow after open() but before
chmod(). We found this problem using our detection tools, and we discuss
it in a recent paper which will appear in USENIX FAST 2005. This bug may
have been fixed in the newer Emacs versions, but we feel responsible to
inform the community about this before we publish the results. We are
looking forward to hearing from the Emacs developers and we are willing to
do our best to help improve Emacs further.

Thank you,

Sincerely,

Jinpeng Wei
Ph.D. Student
Center for Experimental Research in Computer Systems
College of Computing
Georgia Institute of Technology
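
The <open, chmod> pair described in the report, next to a descriptor-based form, as an added example that is not part of the original message and is not Emacs's code. The function names, the `rebind` hook and the temporary files are assumptions constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hook: stands in for anything that runs between the two calls. */
typedef void (*window_fn)(const char *path, const char *other);

/* Pattern from the report: open() by name, then chmod() by name again. */
static int save_by_path(const char *path, mode_t mode, window_fn w, const char *other) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (w) w(path, other);        /* the name may now refer to another file */
    int rc = chmod(path, mode);   /* second lookup, follows symlinks */
    close(fd);
    return rc;
}

/* Hardened form: set the mode on the descriptor that was opened. */
static int save_by_fd(const char *path, mode_t mode, window_fn w, const char *other) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (w) w(path, other);
    int rc = fchmod(fd, mode);    /* acts on the opened inode, no lookup */
    close(fd);
    return rc;
}

/* Constructed stand-in for the name change the report describes. */
static void rebind(const char *path, const char *other) {
    if (unlink(path) == 0 && symlink(other, path) != 0) perror("symlink");
}

/* Returns the guarded file's permission bits after one save (0 on setup error). */
static mode_t guarded_mode_after_save(int hardened) {
    char dir[] = "/tmp/tocttou-XXXXXX", edited[64], guarded[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(edited, sizeof edited, "%s/edited", dir);
    snprintf(guarded, sizeof guarded, "%s/guarded", dir);
    int fd = open(guarded, O_WRONLY | O_CREAT, 0600);  /* constructed sample */
    if (fd >= 0) close(fd);
    (hardened ? save_by_fd : save_by_path)(edited, 0644, rebind, guarded);
    mode_t m = stat(guarded, &st) == 0 ? (st.st_mode & 0777) : 0;
    unlink(edited); unlink(guarded); rmdir(dir);
    return m;
}
```

With the path-based save the guarded file ends up with the mode meant for the edited file; with `fchmod()` on the open descriptor it keeps its original mode.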




