Report forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#286183; Package emacs21.
Acknowledgement sent to Jan Minar <jjminar@FastMail.FM>:
New Bug report received and forwarded. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Package: emacs21
Version: 21.2-1
Severity: grave
Justification: user security hole
Hi.
In December 2002[sic!], Georgi Guninski <gunin...@guninski.com> writes in
<mailman.749.1041337086.19936.bug-gnu-emacs@gnu.org>:
> Attached file demonstrates GNU Emacs 21.2.1 starting process if a text file is
> opened. Just open it with emacs and check for processes "yes".
>
> I suggest disabling local variables by default, because probably there are
> similar bugs of the same nature.
You can view the thread for example at Google Groups:
http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1b2fdae321?hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1&prev=/groups%3Fq%3Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmailman.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1
The same url in Quoted Printable, in case it got mangled somehow en
route (run it thru recode /qp..):
http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1=
b2fdae321?hl=3Den&lr=3D&ie=3DUTF-8&oe=3DUTF-8&rnum=3D1&prev=3D/groups%3Fq%3=
Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmail=
man.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1
Georgi's file is enclosed verbatim.
I just tried it with emacs in Woody and indeed, the yes processes
started to spawn at a fast pace. I went even a bit further and found
out that the execution is not sandboxed in any way, as I was able to
execute a script that writes out a script in my home directory, chmod +x
it, and runs it in turn.
In the above thread, it's mentioned another security bug was found
earlier that week, so please take a look at it.
Cheers,
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.28-jan #2 Sat Nov 27 02:52:26 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2
Versions of packages emacs21 depends on:
ii dpkg 1.9.21 Package maintenance system for Deb
ii emacsen-common 1.4.15 Common facilities for all emacsen.
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an
ii libjpeg62 6b-5 The Independent JPEG Group's JPEG
ii liblockfile1 1.03 NFS-safe locking library, includes
ii libncurses5 5.2.20020112a-7 Shared libraries for terminal hand
ii libpng2 1.0.12-3.woody.9 PNG library - runtime
ii libtiff3g 3.5.5-6woody1 Tag Image File Format library
ii xaw3dg 1.5-13 Xaw3d widget set
ii xlibs 4.1.0-16woody5 X Window System client libraries
ii zlib1g 1:1.1.4-1.0woody0 compression library - runtime
--
)^o-o^| jabber: rdancer@NJS.NetLab.Cz
| .v K e-mail: jjminar FastMail FM
` - .' phone: +44(0)7981 738 696
\ __/Jan icq: 345 355 493
__|o|__Minář irc: rdancer@IRC.FreeNode.Net
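Guninski's quoted suggestion concerns Emacs file-local variables. As an added example (not part of the original report or of Emacs), the triage script below lists the file-local variable specs a file carries, so an untrusted file can be checked before it is opened. The exploit file is not shown on this page, so the script makes no claim about its contents; the function names, `RISKY_KEYS` and `SAMPLE` are hypothetical, and the parsing follows the documented rules (a `-*- ... -*-` header, or a `Local Variables:` block within the last 3000 characters on the last page).

```python
import re

TAIL_WINDOW = 3000     # Emacs only looks for the trailer near the end of the file
RISKY_KEYS = {"eval"}  # "eval:" evaluates a Lisp form; this flag set is an assumption

def header_specs(text):
    """Parse a '-*- key: value; ... -*-' cookie on the first two lines."""
    for line in text.splitlines()[:2]:
        m = re.search(r"-\*-(.*?)-\*-", line)
        if not m:
            continue
        body = m.group(1).strip()
        if ":" not in body:  # bare '-*- mode-name -*-' form
            return [("mode", body)] if body else []
        parts = (p.partition(":") for p in body.split(";"))
        return [(k.strip().lower(), v.strip()) for k, sep, v in parts if sep and k.strip()]
    return []

def trailer_specs(text):
    """Parse a 'Local Variables:' ... 'End:' block on the last page of the file."""
    tail = text[-TAIL_WINDOW:]
    lines = tail[tail.rfind("\f") + 1:].splitlines()  # text after the last form feed
    for i, line in enumerate(lines):
        m = re.match(r"(.*?)Local Variables:(.*)", line, re.IGNORECASE)
        if not m:
            continue
        prefix, suffix = m.group(1).strip(), m.group(2).strip()
        specs = []
        for entry in lines[i + 1:]:
            entry = entry.strip()
            if prefix and entry.startswith(prefix):
                entry = entry[len(prefix):]
            if suffix and entry.endswith(suffix):
                entry = entry[:-len(suffix)]
            key, sep, value = entry.partition(":")
            key = key.strip().lower()
            if key == "end":
                break
            if sep and key:
                specs.append((key, value.strip()))
        return specs
    return []

def scan(text):
    found = [("header", s) for s in header_specs(text)] + [("trailer", s) for s in trailer_specs(text)]
    return [(where, k, v, k in RISKY_KEYS) for where, (k, v) in found]

# Constructed sample, not the file from the report; the eval form is harmless.
SAMPLE = ("ordinary text\n\n# Local Variables:\n# fill-column: 72\n"
          '# eval: (message "hello")\n# End:\n')
```

`scan(SAMPLE)` returns one tuple per spec, with the last element set when the key is in `RISKY_KEYS`.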
Jan Minar <jjminar@FastMail.FM> writes:
> I just tried it with emacs in Woody and indeed, the yes processes
> started to spawn at a fast pace. I went even a bit further and
> found out that the execution is not sandboxed in any way, as I was
> able to execute a script that writes out a script in my home
> directory, chmod +x it, and runs it in turn.
I can verify this in the stable emacs21. So far I've been unable to
reproduce it in unstable (21.3+1-8).
Security team summary: opening the emacs1.emacs file in the
indicated google link with a stable emacs will result in yes being
launched many times without any advance warning to the user. I
presume arbitrary other code might be substituted. I'm not yet sure
how this was changed in 21.3+1, but that version (the one in
testing/unstable) doesn't appear to execute the code provided in either
the emacs1.emacs or emacs2.emacs sample exploits. I'm going to see if
I can locate the relevant diff.
Thanks
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#286183; Package emacs21.
Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list.
Rob Browning <rlb@defaultvalue.org> writes:
> Security team summary: opening the emacs1.emacs file in the
> indicated google link with a stable emacs will result in yes being
> launched many times without any advance warning to the user. I
> presume arbitrary other code might be substituted. I'm not yet sure
> how this was changed in 21.3+1, but that version (the one in
> testing/unstable) doesn't appear to execute the code provided in
> either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> to see if I can locate the relevant diff.
I've culled a patch from the diff between 21.2 and 21.3 which appears
to fix the problem. I'll wait to hear from the security team, and I
may also run it by emacs-devel.
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#286183; Package emacs21.
Acknowledgement sent to Jan Minar <jjminar@FastMail.FM>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
On Sat, Dec 18, 2004 at 06:37:01PM -0600, Rob Browning wrote:
> Rob Browning <rlb@defaultvalue.org> writes:
>
> > Security team summary: opening the emacs1.emacs file in the
> > indicated google link with a stable emacs will result in yes being
> > launched many times without any advance warning to the user. I
> > presume arbitrary other code might be substituted. I'm not yet sure
> > how this was changed in 21.3+1, but that version (the one in
> > testing/unstable) doesn't appear to execute the code provided in
> > either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> > to see if I can locate the relevant diff.
>
> I've culled a patch from the diff between 21.2 and 21.3 which appears
> to fix the problem. I'll wait to hear from the security team, and I
> may also run it by emacs-devel.
Other emacs and xemacs packages might/probably are affected as well. I
am not familiar with emacs packages in debian (or emacs at all),
therefore someone else will have to check this.
--
)^o-o^| jabber: rdancer@NJS.NetLab.Cz
| .v K e-mail: jjminar FastMail FM
` - .' phone: +44(0)7981 738 696
\ __/Jan icq: 345 355 493
__|o|__Minář irc: rdancer@IRC.FreeNode.Net
Tags added: woody
Request was from Frank Lichtenheld <djpig@debian.org>
to control@bugs.debian.org.
Tags added: security
Request was from Don Armstrong <don@debian.org>
to control@bugs.debian.org.
Bug marked as fixed in version 21.3, send any further explanations to Jan Minar <jjminar@FastMail.FM>
Request was from Nathanael Nerode <neroden@twcny.rr.com>
to control@bugs.debian.org.
Bug marked as fixed in version 21.4a-1, send any further explanations to Jan Minar <jjminar@FastMail.FM>
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 19:59:59 GMT)