Ubuntu

emacs21: Arbitrary code execution when opening malicious file (local variables)

Reported by Debian Bug Importer on 2004-12-18
4
Affects Status Importance Assigned to Milestone
emacs21 (Debian)
Fix Released
Unknown
emacs21 (Ubuntu)
High
Martin Pitt

Bug Description

Automatically imported from Debian bug report #286183 http://bugs.debian.org/286183

Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #286183 http://bugs.debian.org/286183

Debian Bug Importer (debzilla) wrote :
Download full text (4.3 KiB)

Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 06:54:29 +0000
From: Jan Minar <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: emacs21: Arbitrary code execution when opening malicious file (local variables)

--eJnRUKwClWJh1Khz
Content-Type: multipart/mixed; boundary="opJtzjQTFsWo+cga"
Content-Disposition: inline

--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: emacs21
Version: 21.2-1
Severity: grave
Justification: user security hole

Hi.

In December 2002[sic!], Georgi Guninski <email address hidden> writes in
<email address hidden>:

> Attached file demonstrates GNU Emacs 21.2.1 starting process if a text fi=
le is=20
> opened. Just open it with emacs and check for processes "yes".
>=20
> I suggest disabling local variables by default, because probably there ar=
e=20
> similar bugs of the same nature.

You can view the thread for example at Google Groups:

http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1=
b2fdae321?hl=3Den&lr=3D&ie=3DUTF-8&oe=3DUTF-8&rnum=3D1&prev=3D/groups%3Fq%3=
Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmail=
man.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1

The same url in Quoted Printable, in case it got mangled somehow en
route (run it thru recode /qp..):

http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1=
=3D
b2fdae321?hl=3D3Den&lr=3D3D&ie=3D3DUTF-8&oe=3D3DUTF-8&rnum=3D3D1&prev=3D3D/=
groups%3Fq%3=3D
Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmail=
=3D
man.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1

Georgi's file is enclosed verbatim.

I just tried it with emacs in Woody and indeed, the yes processes
started to spawn on a fast pace. I went even a bit further and found
out that the execution is not sandboxed in any way, as I was able to
execute a script that writes out a script in my home directory, chmod +x
it, and runs it in turn.

In the above thread, it's mentioned another security bug was found
earlier that week, so please take a look at it.

Cheers,
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.28-jan #2 Sat Nov 27 02:52:26 GMT 2004 i686
Locale: LANG=3DC, LC_CTYPE=3Dcs_CZ.ISO-8859-2

Versions of packages emacs21 depends on:
ii dpkg 1.9.21 Package maintenance system for=
 Deb
ii emacsen-common 1.4.15 Common facilities for all emac=
sen.
ii libc6 2.2.5-11.5 GNU C Library: Shared librarie=
s an
ii libjpeg62 6b-5 The Independent JPEG Group's J=
PEG=20
ii liblockfile1 1.03 NFS-safe locking library, incl=
udes
ii libncurses5 5.2.20020112a-7 Shared libraries for terminal =
hand
ii libpng2 1.0.12-3.woody.9 PNG library - runtime
ii libtiff3g 3.5.5-6woody1 Tag Image File Format library
ii xaw3dg 1.5-13 Xaw3d widget set
ii xlibs ...

Read more...

Jan Minar <email address hidden> writes:

> I just tried it with emacs in Woody and indeed, the yes processes
> started to spawn on a fast pace. I went even a bit further and
> found out that the execution is not sandboxed in any way, as I was
> able to execute a script that writes out a script in my home
> directory, chmod +x it, and runs it in turn.

I can verify this in the stable emacs21. So far I've been unable to
reproduce it in unstable (21.3+1-8).

Security team summary: openening the emacs1.emacs file in the
indicated google link with a stable emacs will result in yes being
launched many times without any advance warning to the user. I
presume arbitrary other code might be substituted. I'm not yet sure
how this was changed in 21.3+1, but that version (the one in
testing/unsable) doesn't appear to execute the code provided in either
the emacs1.emacs or emacs2.emacs sample exploits. I'm going to see if
I can locate the relevant diff.

Thanks
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 17:13:57 -0600
From: Rob Browning <email address hidden>
To: Jan Minar <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening
 malicious file (local variables)

Jan Minar <email address hidden> writes:

> I just tried it with emacs in Woody and indeed, the yes processes
> started to spawn on a fast pace. I went even a bit further and
> found out that the execution is not sandboxed in any way, as I was
> able to execute a script that writes out a script in my home
> directory, chmod +x it, and runs it in turn.

I can verify this in the stable emacs21. So far I've been unable to
reproduce it in unstable (21.3+1-8).

Security team summary: openening the emacs1.emacs file in the
indicated google link with a stable emacs will result in yes being
launched many times without any advance warning to the user. I
presume arbitrary other code might be substituted. I'm not yet sure
how this was changed in 21.3+1, but that version (the one in
testing/unsable) doesn't appear to execute the code provided in either
the emacs1.emacs or emacs2.emacs sample exploits. I'm going to see if
I can locate the relevant diff.

Thanks
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

Rob Browning <email address hidden> writes:

> Security team summary: opening the emacs1.emacs file in the
> indicated google link with a stable emacs will result in yes being
> launched many times without any advance warning to the user. I
> presume arbitrary other code might be substituted. I'm not yet sure
> how this was changed in 21.3+1, but that version (the one in
> testing/unsable) doesn't appear to execute the code provided in
> either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> to see if I can locate the relevant diff.

I've culled a patch from the diff between 21.2 and 21.3 which appears
to fix the problem. I'll wait to hear from the security team, and I
may also run it by emacs-devel.

--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 18:37:01 -0600
From: Rob Browning <email address hidden>
To: <email address hidden>
Cc: Jan Minar <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening
 malicious file (local variables)

Rob Browning <email address hidden> writes:

> Security team summary: opening the emacs1.emacs file in the
> indicated google link with a stable emacs will result in yes being
> launched many times without any advance warning to the user. I
> presume arbitrary other code might be substituted. I'm not yet sure
> how this was changed in 21.3+1, but that version (the one in
> testing/unsable) doesn't appear to execute the code provided in
> either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> to see if I can locate the relevant diff.

I've culled a patch from the diff between 21.2 and 21.3 which appears
to fix the problem. I'll wait to hear from the security team, and I
may also run it by emacs-devel.

--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

On Sat, Dec 18, 2004 at 06:37:01PM -0600, Rob Browning wrote:
> Rob Browning <email address hidden> writes:
>
> > Security team summary: opening the emacs1.emacs file in the
> > indicated google link with a stable emacs will result in yes being
> > launched many times without any advance warning to the user. I
> > presume arbitrary other code might be substituted. I'm not yet sure
> > how this was changed in 21.3+1, but that version (the one in
> > testing/unsable) doesn't appear to execute the code provided in
> > either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> > to see if I can locate the relevant diff.
>
> I've culled a patch from the diff between 21.2 and 21.3 which appears
> to fix the problem. I'll wait to hear from the security team, and I
> may also run it by emacs-devel.

Other emacs and xemacs packages might/probably are affected as well. I
am not familiar with emacs packages in debian (or emacs at all),
therefore someone else will have to check this.

--
 )^o-o^| jabber: <email address hidden>
 | .v K e-mail: jjminar FastMail FM
 ` - .' phone: +44(0)7981 738 696
  \ __/Jan icq: 345 355 493
 __|o|__Minář irc: <email address hidden>

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 19 Dec 2004 14:06:55 +0000
From: Jan Minar <email address hidden>
To: Rob Browning <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local
 variables)

--YZ5djTAD1cGYuMQK
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Dec 18, 2004 at 06:37:01PM -0600, Rob Browning wrote:
> Rob Browning <email address hidden> writes:
>=20
> > Security team summary: opening the emacs1.emacs file in the
> > indicated google link with a stable emacs will result in yes being
> > launched many times without any advance warning to the user. I
> > presume arbitrary other code might be substituted. I'm not yet sure
> > how this was changed in 21.3+1, but that version (the one in
> > testing/unsable) doesn't appear to execute the code provided in
> > either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> > to see if I can locate the relevant diff.
>=20
> I've culled a patch from the diff between 21.2 and 21.3 which appears
> to fix the problem. I'll wait to hear from the security team, and I
> may also run it by emacs-devel.

Other emacs and xemacs packages might/probably are affected as well. I
am not familiar with emacs packages in debian (or emacs at all),
therefore someone else will have to check this.

--=20
 )^o-o^| jabber: <email address hidden>
 | .v K e-mail: jjminar FastMail FM
 ` - .' phone: +44(0)7981 738 696
  \ __/Jan icq: 345 355 493
 __|o|__Min=E1=F8 irc: <email address hidden>

--YZ5djTAD1cGYuMQK
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBxYr/+uczK20Fa5cRAlJmAKDbbuWe5O8hfCYRWWvo4JwxjtqusgCgvhCU
rLiqKNWssiPtUmuAWaH+YGs=
=Hi5Z
-----END PGP SIGNATURE-----

--YZ5djTAD1cGYuMQK--

Martin Pitt (pitti) wrote :

We have version 21.3+1 in both Warty and Hoary, so we are not affected.

# Automatically generated email from bts, devscripts version 2.8.5
 # seems to be fixed in 21.3
tags 286183 woody

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 7 Jan 2005 17:26:18 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 286183

# Automatically generated email from bts, devscripts version 2.8.5
 # seems to be fixed in 21.3
tags 286183 woody

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 25 Sep 2005 23:57:53 -0700
From: Don Armstrong <email address hidden>
To: <email address hidden>
Subject: tagging 286183

# Automatically generated email from bts, devscripts version 2.9.7
tags 286183 security

# Automatically generated email from bts, devscripts version 2.9.7
tags 286183 security

close 286183 21.3
thanks

--
Nathanael Nerode <email address hidden>

"(Instead, we front-load the flamewars and grudges in
the interest of efficiency.)" --Steve Lanagasek,
http://lists.debian.org/debian-devel/2005/09/msg01056.html

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 03:27:52 -0500
From: Nathanael Nerode <email address hidden>
To: <email address hidden>
Subject: version-tagging

close 286183 21.3
thanks

--
Nathanael Nerode <email address hidden>

"(Instead, we front-load the flamewars and grudges in
the interest of efficiency.)" --Steve Lanagasek,
http://lists.debian.org/debian-devel/2005/09/msg01056.html

# Automatically generated email from bts, devscripts version 2.9.19
 # mark as closed in an existing version of the package
close 286183 21.4a-1

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.