|
|
Subscribe / Log in / New account

MeeGo alert MeeGo-SA-10:11 (emacs)



From:
    	      "Ware, Ryan R" <ryan.r.ware@intel.com> 


To:
    	      "meego-security@meego.com" <meego-security@meego.com> 


Subject:
    	      [MeeGo-security] [MeeGo-SA-10:11.emacs] Vulnerability in Emacs
	Movemail 


Date:
    	      Fri, 27 Aug 2010 16:21:48 -0700


Message-ID:
    	      <C89D969C.363A4%ryan.r.ware@intel.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
==
MeeGo-SA-10:11.emacs                Security Advisory
                                                                MeeGo
Project

Topic:          Vulnerability in Emacs Movemail

Category:       Emacs
Module:         emacs
Announced:      August 3, 2010
Affects:        MeeGo 1.0
Corrected:      August 3, 2010
MeeGo BID: 1512
CVE:  CVE-2010-0825

For general information regarding MeeGo Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://www.MeeGo.com/>.

I.   Background

Emacs is a powerful, customizable, self-documenting, modeless text
editor. Emacs contains special code editing features, a scripting
language (elisp), and the capability to read mail, news, and more
without leaving the editor.

II.  Problem Description

lib-src/movemail.c in movemail in emacs 22 and 23 allows local users
to read, modify, or delete arbitrary mailbox files via a symlink
attack, related to improper file-permission checks.
CVSS v2 Base: 4.4 (MEDIUM)
Access Vector: Locally exploitable

III. Impact

Access control error allowing read, modify or delete of arbitrary
mailbox files (CWE-264).

IV.  Workaround

None

V.   Solution

Update to package emacs-23.1-7.1 or later.

VI. References

http://bugs.meego.com/show_bug.cgi?id=1512
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://cwe.mitre.org/data/definitions/264.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (Darwin)

iQEcBAEBAgAGBQJMeENrAAoJECxjfBlj7RcKK08IAI3Ck8r3+c/RQPDa1IxR5uZ3
RkSNh1zHt9X8KjJ3WScvy/zA9wp8WH26c6zGsE0hrnSSrzNd5KcfB1A/8NGKR/mm
xHCt4DQPrpgSJYfmH4l1oZRgEJizl9E6dz7kgmApKQ5LW6V3OfX7N3/g0sohZHMF
/js8zOrTcNYlFsKb2xQJEWE1FD91z563x1sgSuNlSDHrQRMr2Exo4Y308JNm9hYx
uYXLZPE2HSdW2c3seKUDmqY5stUKAzQILZTtEkwPnjtTwSIUMztQiGn/BcXwHN7X
n4Nc6/YtK/D8ibcVOIAOwEkUTELCYiweCOPKI02Xdu/Mj6koHIeiol6iWsUrKac=
=AWmU
-----END PGP SIGNATURE-----

_______________________________________________
MeeGo-security mailing list
MeeGo-security@meego.com
http://lists.meego.com/listinfo/meego-security
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds