From: Morten Welinder (terradiku.dk)
Date: Tue Aug 07 2001 - 15:10:05 CDT


    I have been sitting on this one for half a year. Time to disclose
    it.

    rcs2log uses files in /tmp insecurely.

    This was reported to the Emacs maintainers an aeon or two ago.
    Current prereleases have a fix. (And have had it for at least half
    a year.)

    NOTE NOTE NOTE: there seem to be quite a few sources for rcs2log
    out there. A SuSE 6.3 (I think) seems to install three different
    versions in four different spots.

    Morten

    xyz:~> ls -l `locate rcs2log`
    -rwxr-xr-x 1 root root 17927 Nov 8 1999 /usr/bin/rcs2log
    -rwxr-xr-x 1 root root 17927 Nov 8 1999 /usr/lib/cvs/contrib/rcs2log
    -rwxr-xr-x 1 root root 17902 Nov 8 1999 /usr/lib/emacs/20.4/i386-suse-linux/rcs2log
    -rwxr-xr-x 1 root root 17357 Feb 8 2001 /usr/lib/xemacs/21.1.10/i386-suse-linux/rcs2log
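
An added example, not part of the original post and not rcs2log's own code: a shell check that can be run over every installed copy of a script to flag the ones that need review for unsafe temporary-file handling. It assumes the risky pattern is a /tmp name built from the shell PID (`$$`) with no use of `mktemp`; the post does not say how rcs2log names its files, and the function names and sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example with constructed samples; not the rcs2log source.

# Create a scratch directory safely: mktemp -d chooses an unpredictable name
# and creates the directory atomically with mode 0700, so a file or symlink
# planted in /tmp beforehand cannot be followed or reused.
private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/tmpaudit.XXXXXX"
}

# Print "REVIEW <file>" for each script that builds a /tmp path from the
# shell PID ($$) and never calls mktemp, "ok <file>" otherwise, and
# "skip <file>" for unreadable paths. A REVIEW line is a lead for manual
# inspection, not proof of a flaw (assumed pattern, see lead-in).
audit_tmp_use() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "skip $f"
        elif grep -Eq '/tmp.*\$\$' "$f" && ! grep -q 'mktemp' "$f"; then
            echo "REVIEW $f"
        else
            echo "ok $f"
        fi
    done
}

# Demo on two constructed scripts plus one missing path.
demo() {
    dir=$(private_tmpdir) || return 1
    # Constructed sample: predictable name derived from the PID.
    printf '%s\n' '#!/bin/sh' 'out=${TMPDIR-/tmp}/work$$' \
        'date > "$out"' > "$dir/old.sh"
    # Constructed sample: name chosen and created by mktemp.
    printf '%s\n' '#!/bin/sh' \
        'out=$(mktemp "${TMPDIR:-/tmp}/work.XXXXXX") || exit 1' \
        'date > "$out"' > "$dir/new.sh"
    (cd "$dir" && audit_tmp_use old.sh new.sh missing.sh)
    rm -rf "$dir"
}

demo
```

On a real system the arguments would be every path that `locate rcs2log` returns, since a fixed copy in one location says nothing about the others.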