emacs21: Arbitrary code execution when opening malicious file (local variables)

Bug #11265 reported by Debian Bug Importer
Affects            Status        Importance  Assigned to   Milestone
emacs21 (Debian)   Fix Released  Unknown
emacs21 (Ubuntu)   Invalid       High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #286183 http://bugs.debian.org/286183

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 06:54:29 +0000
From: Jan Minar <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: emacs21: Arbitrary code execution when opening malicious file (local variables)

Package: emacs21
Version: 21.2-1
Severity: grave
Justification: user security hole

Hi.

In December 2002[sic!], Georgi Guninski <email address hidden> writes in
<email address hidden>:

> Attached file demonstrates GNU Emacs 21.2.1 starting process if a text file is
> opened. Just open it with emacs and check for processes "yes".
>
> I suggest disabling local variables by default, because probably there are
> similar bugs of the same nature.

You can view the thread for example at Google Groups:

http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1b2fdae321?hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1&prev=/groups%3Fq%3Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmailman.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1

Georgi's file is enclosed verbatim.

I just tried it with emacs in Woody and indeed, the yes processes
started to spawn at a fast pace. I went even a bit further and found
out that the execution is not sandboxed in any way, as I was able to
execute a script that writes out a script in my home directory, chmod +x
it, and runs it in turn.

In the above thread, it's mentioned another security bug was found
earlier that week, so please take a look at it.

Cheers,

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.28-jan #2 Sat Nov 27 02:52:26 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages emacs21 depends on:
ii dpkg 1.9.21 Package maintenance system for Deb
ii emacsen-common 1.4.15 Common facilities for all emacsen.
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an
ii libjpeg62 6b-5 The Independent JPEG Group's JPEG
ii liblockfile1 1.03 NFS-safe locking library, includes
ii libncurses5 5.2.20020112a-7 Shared libraries for terminal hand
ii libpng2 1.0.12-3.woody.9 PNG library - runtime
ii libtiff3g 3.5.5-6woody1 Tag Image File Format library
ii xaw3dg 1.5-13 Xaw3d widget set
ii xlibs ...
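
The report above hinges on Emacs evaluating file-local variables when a file is visited. As an added example (Python written for this page, not code from the bug report or from Emacs), here is a scanner that parses both places Emacs reads such variables from and returns the `eval:` entries, which is what a defender would grep incoming files for; the sample files are constructed and their `eval` forms are harmless.

```python
import re

# Emacs reads file-local variables from a "-*- ... -*-" first-line cookie (second line
# after "#!") and from a "Local Variables:"/"End:" block in the last 3000 characters.
COOKIE_RE = re.compile(r"-\*-(.*?)-\*-")
LV_START_RE = re.compile(r"^(?P<prefix>.*)Local Variables:(?P<suffix>.*)$")

def cookie_vars(text):
    """(name, value) pairs from the -*- cookie, or [] if there is none."""
    lines = text.split("\n", 2)
    first = lines[1] if lines[0].startswith("#!") and len(lines) > 1 else lines[0]
    m = COOKIE_RE.search(first)
    body = m.group(1).strip() if m else ""
    if ":" not in body:  # "-*- lisp -*-" names only the major mode
        return [("mode", body)] if body else []
    pairs = []
    for item in body.split(";"):
        name, sep, value = item.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def local_variables_block(text):
    """(name, value) pairs from a trailing 'Local Variables:' block."""
    tail = text[-3000:].splitlines()
    for i, line in enumerate(tail):
        m = LV_START_RE.match(line)
        if not m:
            continue
        prefix, suffix = m.group("prefix"), m.group("suffix")
        pairs = []
        for entry in tail[i + 1:]:  # each line must carry the same prefix/suffix
            if not (entry.startswith(prefix) and entry.endswith(suffix)):
                break
            inner = entry[len(prefix):len(entry) - len(suffix)].strip()
            if inner == "End:":
                return pairs
            name, sep, value = inner.partition(":")
            if sep:
                pairs.append((name.strip(), value.strip()))
        return pairs  # unterminated block: report what was parsed
    return []

def eval_entries(text):
    """Values of 'eval' entries: Lisp that would run when Emacs opens the file."""
    return [v for n, v in cookie_vars(text) + local_variables_block(text) if n == "eval"]

# Constructed samples (not Guninski's file): harmless eval forms in both places.
SAMPLE_COOKIE = '#!/bin/sh\n# -*- mode: sh; eval: (message "constructed sample") -*-\necho hi\n'
SAMPLE_BLOCK = 'text body\n\n;; Local Variables:\n;; mode: text\n;; eval: (message "constructed sample")\n;; End:\n'
```

On the editor side the relevant knobs are `enable-local-variables` and `enable-local-eval`; setting the latter to nil makes Emacs ignore `eval:` entries instead of running or asking about them.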


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 17:13:57 -0600
From: Rob Browning <email address hidden>
To: Jan Minar <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local variables)

Jan Minar <email address hidden> writes:

> I just tried it with emacs in Woody and indeed, the yes processes
> started to spawn at a fast pace. I went even a bit further and
> found out that the execution is not sandboxed in any way, as I was
> able to execute a script that writes out a script in my home
> directory, chmod +x it, and runs it in turn.

I can verify this in the stable emacs21. So far I've been unable to
reproduce it in unstable (21.3+1-8).

Security team summary: opening the emacs1.emacs file in the
indicated google link with a stable emacs will result in yes being
launched many times without any advance warning to the user. I
presume arbitrary other code might be substituted. I'm not yet sure
how this was changed in 21.3+1, but that version (the one in
testing/unstable) doesn't appear to execute the code provided in either
the emacs1.emacs or emacs2.emacs sample exploits. I'm going to see if
I can locate the relevant diff.

Thanks
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 18:37:01 -0600
From: Rob Browning <email address hidden>
To: <email address hidden>
Cc: Jan Minar <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local variables)

Rob Browning <email address hidden> writes:

> Security team summary: opening the emacs1.emacs file in the
> indicated google link with a stable emacs will result in yes being
> launched many times without any advance warning to the user. I
> presume arbitrary other code might be substituted. I'm not yet sure
> how this was changed in 21.3+1, but that version (the one in
> testing/unstable) doesn't appear to execute the code provided in
> either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> to see if I can locate the relevant diff.

I've culled a patch from the diff between 21.2 and 21.3 which appears
to fix the problem. I'll wait to hear from the security team, and I
may also run it by emacs-devel.

--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 19 Dec 2004 14:06:55 +0000
From: Jan Minar <email address hidden>
To: Rob Browning <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local variables)

On Sat, Dec 18, 2004 at 06:37:01PM -0600, Rob Browning wrote:
> Rob Browning <email address hidden> writes:
>
> > Security team summary: opening the emacs1.emacs file in the
> > indicated google link with a stable emacs will result in yes being
> > launched many times without any advance warning to the user. I
> > presume arbitrary other code might be substituted. I'm not yet sure
> > how this was changed in 21.3+1, but that version (the one in
> > testing/unstable) doesn't appear to execute the code provided in
> > either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> > to see if I can locate the relevant diff.
>
> I've culled a patch from the diff between 21.2 and 21.3 which appears
> to fix the problem. I'll wait to hear from the security team, and I
> may also run it by emacs-devel.

Other emacs and xemacs packages might/probably are affected as well. I
am not familiar with emacs packages in debian (or emacs at all),
therefore someone else will have to check this.

--
 )^o-o^| jabber: <email address hidden>
 | .v K e-mail: jjminar FastMail FM
 ` - .' phone: +44(0)7981 738 696
  \ __/Jan icq: 345 355 493
 __|o|__Minář irc: <email address hidden>


Martin Pitt (pitti) wrote :

We have version 21.3+1 in both Warty and Hoary, so we are not affected.

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 7 Jan 2005 17:26:18 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 286183

# Automatically generated email from bts, devscripts version 2.8.5
 # seems to be fixed in 21.3
tags 286183 woody

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 25 Sep 2005 23:57:53 -0700
From: Don Armstrong <email address hidden>
To: <email address hidden>
Subject: tagging 286183

# Automatically generated email from bts, devscripts version 2.9.7
tags 286183 security

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 03:27:52 -0500
From: Nathanael Nerode <email address hidden>
To: <email address hidden>
Subject: version-tagging

close 286183 21.3
thanks

--
Nathanael Nerode <email address hidden>

"(Instead, we front-load the flamewars and grudges in
the interest of efficiency.)" --Steve Langasek,
http://lists.debian.org/debian-devel/2005/09/msg01056.html

Steve Langasek (vorlon) wrote : closing 286183

# Automatically generated email from bts, devscripts version 2.9.19
 # mark as closed in an existing version of the package
close 286183 21.4a-1
