GNU Emacs Password History Vulnerability
BID:1127
Info
GNU Emacs Password History Vulnerability
| Bugtraq ID: | 1127 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 18 2000 12:00AM |
| Updated: | Apr 18 2000 12:00AM |
| Credit: | This vulnerability was announced in an advisory from RUS-CERT on April 18, 2000. |
| Vulnerable: |
GNU Emacs 20.6 GNU Emacs 20.5 GNU Emacs 20.4 GNU Emacs 20.3 GNU Emacs 20.2 GNU Emacs 20.1 GNU Emacs 20.0 |
| Not Vulnerable: | |
Discussion
GNU Emacs Password History Vulnerability
A vulnerability exists in the way in which passwords are stored in history, in Emacs 20, from GNU. Passwords read using the read-password function under emacs-lisp are not cleared from the history cache. This means that anyone who has access to an Emacs session on a terminal can use the history to potentially gain passwords captured.
A vulnerability exists in the way in which passwords are stored in history, in Emacs 20, from GNU. Passwords read using the read-password function under emacs-lisp are not cleared from the history cache. This means that anyone who has access to an Emacs session on a terminal can use the history to potentially gain passwords captured.
Exploit / POC
GNU Emacs Password History Vulnerability
Simply going through the history should reveal passwords that are present in the buffers.
Simply going through the history should reveal passwords that are present in the buffers.
Solution / Fix
GNU Emacs Password History Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
A patch was issued from RUS-Cert when they issued an advisory for this problem.
GNU Emacs 20.6
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
A patch was issued from RUS-Cert when they issued an advisory for this problem.
GNU Emacs 20.6
-
RUS-Cert emacs-20.6-patch
http://www.securityfocus.com/data/vulnerabilities/patches/emacs-20.6-p atch
References
GNU Emacs Password History Vulnerability
References:
References: