emacs21: Arbitrary code execution when opening malicious file (local variables)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
emacs21 (Debian) | Fix Released | Unknown | | |
emacs21 (Ubuntu) | Invalid | High | Martin Pitt | |
Bug Description
Automatically imported from Debian bug report #286183 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 06:54:29 +0000
From: Jan Minar <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: emacs21: Arbitrary code execution when opening malicious file (local variables)
Package: emacs21
Version: 21.2-1
Severity: grave
Justification: user security hole
Hi.
In December 2002[sic!], Georgi Guninski <email address hidden> writes in
<email address hidden>:
> Attached file demonstrates GNU Emacs 21.2.1 starting process if a text file is
> opened. Just open it with emacs and check for processes "yes".
>
> I suggest disabling local variables by default, because probably there are
> similar bugs of the same nature.
You can view the thread for example at Google Groups:
http://
b2fdae321?
Dguninski%
man.763.
The same url in Quoted Printable, in case it got mangled somehow en
route (run it thru recode /qp..):
Georgi's file is enclosed verbatim.
I just tried it with emacs in Woody and indeed, the yes processes
started to spawn on a fast pace. I went even a bit further and found
out that the execution is not sandboxed in any way, as I was able to
execute a script that writes out a script in my home directory, chmod +x
it, and runs it in turn.
In the above thread, it's mentioned another security bug was found
earlier that week, so please take a look at it.
Cheers,
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.28-jan #2 Sat Nov 27 02:52:26 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=
Versions of packages emacs21 depends on:
ii dpkg 1.9.21 Package maintenance system for Deb
ii emacsen-common 1.4.15 Common facilities for all emacsen.
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an
ii libjpeg62 6b-5 The Independent JPEG Group's JPEG
ii liblockfile1 1.03 NFS-safe locking library, includes
ii libncurses5 5.2.20020112a-7 Shared libraries for terminal hand
ii libpng2 1.0.12-3.woody.9 PNG library - runtime
ii libtiff3g 3.5.5-6woody1 Tag Image File Format library
ii xaw3dg 1.5-13 Xaw3d widget set
ii xlibs ...
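The report above concerns settings that Emacs reads from the file itself when it is opened. As an added example (not part of the bug report or of Emacs), this Python sketch lists the file-local settings a file declares, in the first-line `-*-` cookie and in the trailing `Local Variables:` list, so a file can be inspected before it is opened in an affected Emacs. The parsing is a simplified model of Emacs's rules, the sample text is constructed, and the page does not say which setting the 2002 sample file used.

```python
import re

# Constructed sample (not the file attached to the bug report).
SAMPLE = ("# -*- mode: text -*-\nnotes\n"
          ";; Local Variables: **\n;; fill-column: 72 **\n"
          ';; eval: (message "constructed") **\n;; End: **\n')

def first_line_vars(text):
    """Parse a `-*- var: value; ... -*-` cookie on the first line."""
    m = re.search(r"-\*-(.*?)-\*-", text.split("\n", 1)[0])
    if not m:
        return []
    body = m.group(1).strip()
    if ":" not in body:                    # bare `-*- mode-name -*-` form
        return [("mode", body)] if body else []
    pairs = []
    for item in body.split(";"):
        name, sep, value = item.partition(":")
        if sep and name.strip():
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def trailing_block_vars(text):
    """Parse the `Local Variables:` ... `End:` list on the last page."""
    # Emacs looks only near the end of the file, after the last form feed.
    tail = text[-3000:].rpartition("\f")[2]
    m = re.search(r"^(.*?)Local Variables:(.*)$", tail, re.I | re.M)
    if not m:
        return []
    # Every entry repeats the prefix/suffix that surround the header line.
    prefix, suffix = m.group(1), m.group(2).rstrip()
    pairs = []
    for line in tail[m.end():].splitlines():
        line = line.rstrip()
        if line.startswith(prefix):
            line = line[len(prefix):]
        if suffix and line.endswith(suffix):
            line = line[:-len(suffix)]
        if not line.strip():
            continue                       # blank line between entries
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or name == "end":
            break                          # end of list, or malformed entry
        pairs.append((name, value.strip()))
    return pairs

def audit(text):
    """Return (all file-local settings, values of any `eval` entries)."""
    found = first_line_vars(text) + trailing_block_vars(text)
    return found, [value for name, value in found if name == "eval"]
```

`audit()` returns every declared setting so a reviewer sees all of them; the `eval` entries are listed separately because they carry Lisp forms rather than plain values.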
In Debian Bug tracker #286183, Rob Browning (rlb) wrote : Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local variables) | #3 |
Jan Minar <email address hidden> writes:
> I just tried it with emacs in Woody and indeed, the yes processes
> started to spawn on a fast pace. I went even a bit further and
> found out that the execution is not sandboxed in any way, as I was
> able to execute a script that writes out a script in my home
> directory, chmod +x it, and runs it in turn.
I can verify this in the stable emacs21. So far I've been unable to
reproduce it in unstable (21.3+1-8).
Security team summary: opening the emacs1.emacs file in the
indicated google link with a stable emacs will result in yes being
launched many times without any advance warning to the user. I
presume arbitrary other code might be substituted. I'm not yet sure
how this was changed in 21.3+1, but that version (the one in
testing/unstable) doesn't appear to execute the code provided in either
the emacs1.emacs or emacs2.emacs sample exploits. I'm going to see if
I can locate the relevant diff.
Thanks
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 17:13:57 -0600
From: Rob Browning <email address hidden>
To: Jan Minar <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening
malicious file (local variables)
In Debian Bug tracker #286183, Rob Browning (rlb) wrote : | #5 |
Rob Browning <email address hidden> writes:
> Security team summary: opening the emacs1.emacs file in the
> indicated google link with a stable emacs will result in yes being
> launched many times without any advance warning to the user. I
> presume arbitrary other code might be substituted. I'm not yet sure
> how this was changed in 21.3+1, but that version (the one in
> testing/unstable) doesn't appear to execute the code provided in
> either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> to see if I can locate the relevant diff.
I've culled a patch from the diff between 21.2 and 21.3 which appears
to fix the problem. I'll wait to hear from the security team, and I
may also run it by emacs-devel.
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 18:37:01 -0600
From: Rob Browning <email address hidden>
To: <email address hidden>
Cc: Jan Minar <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening
malicious file (local variables)
In Debian Bug tracker #286183, Jan Minar (jjminar) wrote : | #7 |
On Sat, Dec 18, 2004 at 06:37:01PM -0600, Rob Browning wrote:
> Rob Browning <email address hidden> writes:
>
> > Security team summary: opening the emacs1.emacs file in the
> > indicated google link with a stable emacs will result in yes being
> > launched many times without any advance warning to the user. I
> > presume arbitrary other code might be substituted. I'm not yet sure
> > how this was changed in 21.3+1, but that version (the one in
> > testing/unstable) doesn't appear to execute the code provided in
> > either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> > to see if I can locate the relevant diff.
>
> I've culled a patch from the diff between 21.2 and 21.3 which appears
> to fix the problem. I'll wait to hear from the security team, and I
> may also run it by emacs-devel.
Other emacs and xemacs packages might/probably are affected as well. I
am not familiar with emacs packages in debian (or emacs at all),
therefore someone else will have to check this.
--
)^o-o^| jabber: <email address hidden>
| .v K e-mail: jjminar FastMail FM
` - .' phone: +44(0)7981 738 696
\ __/Jan icq: 345 355 493
__|o|__Minář irc: <email address hidden>
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Sun, 19 Dec 2004 14:06:55 +0000
From: Jan Minar <email address hidden>
To: Rob Browning <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local
variables)
Martin Pitt (pitti) wrote : | #9 |
We have version 21.3+1 in both Warty and Hoary, so we are not affected.
In Debian Bug tracker #286183, Frank Lichtenheld (djpig) wrote : tagging 286183 | #10 |
# Automatically generated email from bts, devscripts version 2.8.5
# seems to be fixed in 21.3
tags 286183 woody
Debian Bug Importer (debzilla) wrote : | #11 |
Message-Id: <email address hidden>
Date: Fri, 7 Jan 2005 17:26:18 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 286183
Debian Bug Importer (debzilla) wrote : | #12 |
Message-Id: <email address hidden>
Date: Sun, 25 Sep 2005 23:57:53 -0700
From: Don Armstrong <email address hidden>
To: <email address hidden>
Subject: tagging 286183
# Automatically generated email from bts, devscripts version 2.9.7
tags 286183 security
In Debian Bug tracker #286183, Don Armstrong (don-debian) wrote : | #13 |
In Debian Bug tracker #286183, Nathanael Nerode (neroden-twcny) wrote : version-tagging | #14 |
close 286183 21.3
thanks
--
Nathanael Nerode <email address hidden>
"(Instead, we front-load the flamewars and grudges in
the interest of efficiency.)" --Steve Lanagasek,
http://
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 03:27:52 -0500
From: Nathanael Nerode <email address hidden>
To: <email address hidden>
Subject: version-tagging
In Debian Bug tracker #286183, Steve Langasek (vorlon) wrote : closing 286183 | #16 |
# Automatically generated email from bts, devscripts version 2.9.19
# mark as closed in an existing version of the package
close 286183 21.4a-1
Automatically imported from Debian bug report #286183 http://bugs.debian.org/286183