Comment 0 for bug 11265

In , Jan Minar (jjminar) wrote :

Package: emacs21
Version: 21.2-1
Severity: grave
Justification: user security hole

Hi.

In December 2002[sic!], Georgi Guninski <email address hidden> writes in
<email address hidden>:

> Attached file demonstrates GNU Emacs 21.2.1 starting process if a text file is
> opened. Just open it with emacs and check for processes "yes".
>
> I suggest disabling local variables by default, because probably there are
> similar bugs of the same nature.

You can view the thread for example at Google Groups:

http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1b2fdae321?hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1&prev=/groups%3Fq%3Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmailman.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1

The same url in Quoted Printable, in case it got mangled somehow en
route (run it thru recode /qp..):

http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1=
b2fdae321?hl=3Den&lr=3D&ie=3DUTF-8&oe=3DUTF-8&rnum=3D1&prev=3D/groups%3Fq%3=
Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmail=
man.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1

Georgi's file is enclosed verbatim.

I just tried it with emacs in Woody and indeed, the yes processes
started to spawn at a fast pace. I went even a bit further and found
out that the execution is not sandboxed in any way, as I was able to
execute a script that writes out a script in my home directory, chmod +x
it, and runs it in turn.

In the above thread, it's mentioned another security bug was found
earlier that week, so please take a look at it.

Cheers,

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.28-jan #2 Sat Nov 27 02:52:26 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages emacs21 depends on:
ii  dpkg           1.9.21             Package maintenance system for Deb
ii  emacsen-common 1.4.15             Common facilities for all emacsen.
ii  libc6          2.2.5-11.5         GNU C Library: Shared libraries an
ii  libjpeg62      6b-5               The Independent JPEG Group's JPEG
ii  liblockfile1   1.03               NFS-safe locking library, includes
ii  libncurses5    5.2.20020112a-7    Shared libraries for terminal hand
ii  libpng2        1.0.12-3.woody.9   PNG library - runtime
ii  libtiff3g      3.5.5-6woody1      Tag Image File Format library
ii  xaw3dg         1.5-13             Xaw3d widget set
ii  xlibs          4.1.0-16woody5     X Window System client libraries
ii  zlib1g         1:1.1.4-1.0woody0  compression library - runtime

--
 )^o-o^| jabber: <email address hidden>
 | .v K e-mail: jjminar FastMail FM
 ` - .' phone: +44(0)7981 738 696
  \ __/Jan icq: 345 355 493
 __|o|__Minář irc: <email address hidden>
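
The report concerns file-local variables that Emacs processes when a file is opened. As an added example (not part of the report, and not the attached file), this Python sketch lists the local-variable specifications a file carries, from the first-line `-*- ... -*-` cookie and from the trailing list that Emacs looks for in the last 3000 characters on the last page, so they can be reviewed before the file is opened. The function names, the `SUSPECT` name pattern and the sample are assumptions made for illustration.

```python
import re

TAIL = 3000  # Emacs looks for the trailing list only this close to the end
MARK = "Local Variables" + ":"  # split so this script itself carries no list
# Assumed review heuristic (not Emacs's own list): names worth a human look.
SUSPECT = re.compile(r"^eval$|-(hooks?|functions?|forms?|program|command|predicate)$")

def first_line_vars(text):
    """Pairs from a '-*- var: val; ... -*-' cookie (values with ';' unsupported)."""
    lines = text.split("\n")
    line = lines[1] if text.startswith("#!") and len(lines) > 1 else lines[0]
    m = re.search(r"-\*-(.*?)-\*-", line)
    body = m.group(1).strip() if m else ""
    if body and ":" not in body:  # '-*- sh -*-' is shorthand for a mode
        return [("mode", body)]
    pairs = (p.split(":", 1) for p in body.split(";") if ":" in p)
    return [(k.strip().lower(), v.strip()) for k, v in pairs]

def trailer_vars(text):
    """Pairs from the trailing list, honouring its per-line prefix and suffix."""
    tail = text[-TAIL:]
    tail = tail[tail.rfind("\f") + 1:]  # only the last page is searched
    m = re.search(r"^(.*?)" + re.escape(MARK) + r"[ \t]*(.*)$", tail, re.M | re.I)
    if not m:
        return []
    prefix, suffix, out = m.group(1), m.group(2).strip(), []
    for line in tail[m.end():].splitlines()[1:]:
        if not line.startswith(prefix):
            break
        body = line[len(prefix):].rstrip()
        if suffix and body.endswith(suffix):
            body = body[:-len(suffix)]
        name, sep, value = body.partition(":")
        if not sep or name.strip().lower() == "end":
            break
        out.append((name.strip().lower(), value.strip()))
    return out

def audit(text):
    """Return (all_pairs, suspect_pairs) for a file's contents."""
    pairs = first_line_vars(text) + trailer_vars(text)
    return pairs, [p for p in pairs if SUSPECT.search(p[0])]

# Constructed sample, not the file attached to the report.
SAMPLE = (";; -*- mode: emacs-lisp; fill-column: 72 -*-\n(defun f ())\n"
          ";; " + MARK + '\n;; compile-command: "make"\n'
          ";; eval: (setq tab-width 4)\n;; End:\n")

if __name__ == "__main__":
    print(audit(SAMPLE)[1])
```

An empty result only means no list was found in the two places covered here; the last-page check is approximated by the final form feed.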