The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.
Never create NULL ACLs; an attacker can set it to Everyone.
emacs-23.1/src/w32proc.c
The highlighted line of code below is the trigger point of this particular Centos 6 misc weakness.
DWORD flags;
char dir[ MAXPATHLEN ];
if (cp == NULL) abort ();
memset (&start, 0, sizeof (start));
start.cb = sizeof (start);
#ifdef HAVE_NTGUI
if (NILP (Vw32_start_process_show_window) && !is_gui_app)
start.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
else
start.dwFlags = STARTF_USESTDHANDLES;
start.wShowWindow = SW_HIDE;
start.hStdInput = GetStdHandle (STD_INPUT_HANDLE);
start.hStdOutput = GetStdHandle (STD_OUTPUT_HANDLE);
start.hStdError = GetStdHandle (STD_ERROR_HANDLE);
#endif /* HAVE_NTGUI */
#if 0
/* Explicitly specify no security */
if (!InitializeSecurityDescriptor (&sec_desc, SECURITY_DESCRIPTOR_REVISION))
goto EH_Fail;
if (!SetSecurityDescriptorDacl (&sec_desc, TRUE, NULL, FALSE))
goto EH_Fail;
#endif
sec_attrs.nLength = sizeof (sec_attrs);
sec_attrs.lpSecurityDescriptor = NULL /* &sec_desc */;
sec_attrs.bInheritHandle = FALSE;
strcpy (dir, process_dir);
unixtodos_filename (dir);
flags = (!NILP (Vw32_start_process_share_console)
? CREATE_NEW_PROCESS_GROUP
: CREATE_NEW_CONSOLE);
if (NILP (Vw32_start_process_inherit_error_mode))
flags |= CREATE_DEFAULT_ERROR_MODE;
if (!CreateProcess (exe, cmdline, &sec_attrs, NULL, TRUE,
flags, env, dir, &start, &cp->procinfo))
goto EH_Fail;
cp->pid = (int) cp->procinfo.dwProcessId;
/* Hack for Windows 95, which assigns large (ie negative) pids */
if (cp->pid < 0)
cp->pid = -cp->pid;
/* pid must fit in a Lisp_Int */