Our maintainer told me that you may be the proper person to contact. I propose to disclose this on February 10th. Regards, Joey ----- Forwarded message from Martin Schulze <joey(a)infodrom.org&gt; ----- Date: Wed, 26 Jan 2005 12:22:22 +0100 From: Martin Schulze <joey(a)infodrom.org&gt; To: "Stephen J. Turnbull" <stephen(a)xemacs.org&gt; Cc: Debian Security Team <team(a)security.debian.org&gt; Subject: Re: Emacs issue X-Folder: debian-security-private(a)lists.infodrom.org Stephen J. Turnbull wrote: > >>>>> "Martin" == Martin Schulze <joey(a)infodrom.org&gt; writes: > > Martin> can I talk confidential to you about a security issue in > Martin> Emacs? Or could you tell me who I should talk to instead? > > If you mean XEmacs, you can start by writing to me, and I can tell you > who knows the most about whatever it is. If you mean GNU Emacs, or > Emacs in general, I would say write to rms(a)gnu.org. The problem exists in both, unfortunately. I'm also discussing this with Richard. Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs. Via connecting to a malicious POP server an attacker can execute arbitrary code under the privileges of group mail (or worse if installed setuid root which is not the case for Debian at least). Max provided a patch for both Emacs and XEmacs. I'm attaching the one for XEmacs. CAN-2005-0100 was assigned to this issue. CAN-2004-nnnn a unique identifier for a vulnerability in a software package. The database behind this is maintained at MITRE's Common Vulnerabilities and Exposures project <http://cve.mitre.org/cve/>;. Details for such an id are available after a few days of quarantaine at <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-nnnn>;. Many vendors (both propriatery and Free Software) participate in this database and assign the id to vulnerability reports or updates they produce. These IDs help us security people generally for identifying if a given package is fixed or if a given update fixes which problem. Please mention this ID in the changelog and/or project announcements. I would like to discuss a disclosure date that will give vendors (I will get in touch with them) enough time to prepare updates. This should be in roughly two weeks. Would that be ok for you?