Dan Harkless wrote:
> > RUS-CERT Advisory 200004-01: GNU Emacs 20
>
> As an XEmacs user, I would have liked to have seen one of the following
> statements:
>
> * These vulnerabilities only apply to GNU Emacs, not XEmacs.
>
> * We do not know if these vulnerabilities also apply to XEmacs.
>
> * These vulnerabilities apply to equally to GNU Emacs and XEmacs.
I guess that it would be option 2.
> On the systems listed above, when a new subprocess is created
> using the builtin Lisp function start-process, Emacs doesn't set
> proper permissions for the slave PTY device.
On XEmacs, start-process only uses a pty if process-connection-type is
"t", otherwise it uses (unnamed) pipes.
> 2. Unsafe creation of temporary files
>
> 2.1. Scope
>
> All Unix-like Emacs platforms on which public directories are
> used to store temporary files.
Recent versions of XEmacs honour $TMPDIR, so there shouldn't be any
need to use public directories.
> 3.3. Problem
>
> Functions like read-passwd do not clear the the history of
> recently typed keys. In fact, there is no way to do that from
> Emacs Lisp.
Ditto for XEmacs.
--
Glynn Clements <[EMAIL PROTECTED]>
