From xemacs-m  Thu Sep 25 09:18:02 1997
To: XEmacs Beta List <xemacs-beta@xemacs.org>
Subject: Re: Fatal serious (security) flaw in XEmacs 19.16/20.3
References: <m2zpp22ae9.fsf@altair.xemacs.org>
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
From: Colin Rafferty <craffert@ml.com>
Date: 25 Sep 1997 10:17:29 -0400
In-Reply-To: SL Baur's message of "24 Sep 1997 23:08:30 -0700"
Message-ID: <ocrsout5vgm.fsf@ml.com>
Lines: 28
X-Mailer: Gnus v5.5/XEmacs 20.3(beta23) - "Sarajevo"

SL Baur writes:

> Please evaluate this function (in a separate invocation if you are
> reading mail in XEmacs) and report back if you *do not* see an error
> message or check to see what your system #defines MAXNAMLEN to.

This is XEmacs 20.3 "Sarajevo" [Lucid] (sparc-sun-solaris2.5.1, Mule).

I see the expected (from *Message-Log*):

Opening directory: File name too long, /home/craffert/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Here is the actual error (from debug-on-error t):

(file-error "Opening directory" "File name too long" "/home/craffert/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")

> [1]  A unit definition of `show stopper' if there ever was one.

What is the security flaw?

Seriously, I agree that this is a bug, but if a malicious user can get
your XEmacs to open a too-long-named file, he can get it to run a
`call-process' as well.

I wouldn't call this a show-stopper, just a limit bug.

-- 
Colin

