CVE-2014-3421

Published: 8 May 2014

lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/gnus.face.ppm temporary file.

Priority

Status

Package	Release	Status
emacs24 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	impish	Does not exist
	hirsute	Does not exist
	jammy	Does not exist
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	trusty	Does not exist (trusty was needed)
	upstream	Released (24.3+1-4)
	xenial	Not vulnerable (24.5+1-6ubuntu1)
	zesty	Not vulnerable (24.5+1-8ubuntu2)
	Patches: upstream: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html
	This vulnerability is mitigated in part by the use of hardlink restrictions in Ubuntu. This vulnerability is mitigated in part by the use of symlink restrictions in Ubuntu.
xemacs21 Launchpad, Ubuntu, Debian	impish	Not vulnerable (code-not-present)
	hirsute	Not vulnerable (code-not-present)
	jammy	Not vulnerable (code-not-present)
	artful	Not vulnerable (code-not-present)
	bionic	Not vulnerable (code-not-present)
	cosmic	Does not exist
	disco	Does not exist
	eoan	Not vulnerable (code-not-present)
	focal	Not vulnerable (code-not-present)
	groovy	Not vulnerable (code-not-present)
	kinetic	Not vulnerable (code-not-present)
	lucid	Ignored (end of life)
	lunar	Not vulnerable (code-not-present)
	precise	Not vulnerable (code-not-present)
	quantal	Not vulnerable (code-not-present)
	saucy	Not vulnerable (code-not-present)
	trusty	Does not exist (trusty was not-affected [code-not-present])
	upstream	Needs triage
	utopic	Not vulnerable (code-not-present)
	vivid	Not vulnerable (code-not-present)
	wily	Not vulnerable (code-not-present)
	xenial	Not vulnerable (code-not-present)
	yakkety	Not vulnerable (code-not-present)
	zesty	Not vulnerable (code-not-present)
emacs22 Launchpad, Ubuntu, Debian	impish	Does not exist
	hirsute	Does not exist
	jammy	Does not exist
	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	kinetic	Does not exist
	lucid	Ignored (end of life)
	lunar	Does not exist
	precise	Does not exist
	quantal	Does not exist
	saucy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
emacs-snapshot Launchpad, Ubuntu, Debian	impish	Does not exist
	hirsute	Does not exist
	jammy	Does not exist
	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	kinetic	Does not exist
	lucid	Ignored (end of life)
	lunar	Does not exist
	precise	Does not exist
	quantal	Does not exist
	saucy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	utopic	Does not exist
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
emacs23 Launchpad, Ubuntu, Debian	impish	Does not exist
	hirsute	Does not exist
	jammy	Does not exist
	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	kinetic	Does not exist
	lucid	Ignored (end of life)
	lunar	Does not exist
	precise	Ignored (end of life)
	quantal	Ignored (end of life)
	saucy	Ignored (end of life)
	trusty	Does not exist (trusty was needed)
	upstream	Needs triage
	utopic	Ignored (end of life)
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
	Patches: upstream: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html
	This vulnerability is mitigated in part by the use of hardlink restrictions in Ubuntu. This vulnerability is mitigated in part by the use of symlink restrictions in Ubuntu.
emacs25 Launchpad, Ubuntu, Debian	impish	Does not exist
	jammy	Does not exist
	artful	Not vulnerable
	bionic	Not vulnerable
	cosmic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	trusty	Does not exist
	upstream	Not vulnerable
	xenial	Does not exist
	zesty	Not vulnerable
xemacs21-packages Launchpad, Ubuntu, Debian	kinetic	Ignored (end of life, was needed)
	hirsute	Ignored (end of life)
	jammy	Needed
	xenial	Needed
	vivid	Ignored (end of life)
	impish	Ignored (end of life)
	artful	Ignored (end of life)
	bionic	Needed
	cosmic	Does not exist
	disco	Does not exist
	eoan	Ignored (end of life)
	focal	Needed
	groovy	Ignored (end of life)
	lucid	Ignored (end of life)
	lunar	Needed
	precise	Ignored (end of life)
	quantal	Ignored (end of life)
	saucy	Ignored (end of life)
	trusty	Does not exist (trusty was needed)
	upstream	Needs triage
	utopic	Ignored (end of life)
	wily	Ignored (end of life)
	yakkety	Ignored (end of life)
	zesty	Ignored (end of life)
	This vulnerability is mitigated in part by the use of hardlink restrictions in Ubuntu. This vulnerability is mitigated in part by the use of symlink restrictions in Ubuntu.

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›