Bug 13458

Summary: emacs new security issues CVE-2014-342[1-4]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/600793/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: emacs-24.3-4.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-05-30 17:53:22 CEST 
Fedora has issued an advisory on May 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133825.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated emacs packages fix security vulnerabilities:

Steve Kemp discovered multiple temporary file handling issues in Emacs. A
local attacker could use these flaws to perform symbolic link attacks against
users running Emacs (CVE-2014-3421, CVE-2014-3422, CVE-2014-3423,
CVE-2014-3424).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3424
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133825.html
========================

Updated packages in core/updates_testing:
========================
emacs-24.2-5.1.mga3
emacs-el-24.2-5.1.mga3
emacs-doc-24.2-5.1.mga3
emacs-leim-24.2-5.1.mga3
emacs-nox-24.2-5.1.mga3
emacs-common-24.2-5.1.mga3
emacs-24.3-4.1.mga4
emacs-el-24.3-4.1.mga4
emacs-doc-24.3-4.1.mga4
emacs-leim-24.3-4.1.mga4
emacs-nox-24.3-4.1.mga4
emacs-common-24.3-4.1.mga4

from SRPMS:
emacs-24.2-5.1.mga3.src.rpm
emacs-24.3-4.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-05-30 17:53:28 CEST

Whiteboard: (none) => MGA3TOO

David Walser 2014-05-30 19:35:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/600793/

Comment 1 claire robinson 2014-06-03 11:28:37 CEST 
Checked the patches were applied to the files mentioned in the original report (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100) with madb rpmdiff feature and all applied so just ensuring emacs updates/starts ok for each arch.

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 claire robinson 2014-06-03 12:40:45 CEST 
Testing complete mga4 32 & 64

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 3 claire robinson 2014-06-04 17:05:00 CEST 
Testing complete mga3 32 & 64

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2014-06-06 08:28:08 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0250.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED