Debian Bug report logs - #286183
emacs21: Arbitrary code execution when opening malicious file (local variables)

Package: emacs21; Maintainer for emacs21 is Rob Browning <rlb@defaultvalue.org>; Source for emacs21 is src:emacs.

Reported by: Jan Minar <jjminar@FastMail.FM>

Date: Sat, 18 Dec 2004 07:03:02 UTC

Severity: grave

Tags: security, woody

Found in version 21.2-1

Fixed in versions emacs21/21.3, emacs21/21.4a-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#286183; Package emacs21.


Acknowledgement sent to Jan Minar <jjminar@FastMail.FM>:
New Bug report received and forwarded. Copy sent to Rob Browning <rlb@defaultvalue.org>.


Message #5 received at submit@bugs.debian.org:

From: Jan Minar <jjminar@FastMail.FM>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: emacs21: Arbitrary code execution when opening malicious file (local variables)
Date: Sat, 18 Dec 2004 06:54:29 +0000
[Message part 1 (text/plain, inline)]
Package: emacs21
Version: 21.2-1
Severity: grave
Justification: user security hole

Hi.

In December 2002[sic!], Georgi Guninski <gunin...@guninski.com> writes in
<mailman.749.1041337086.19936.bug-gnu-emacs@gnu.org>:

> Attached file demonstrates GNU Emacs 21.2.1 starting process if a text file is 
> opened. Just open it with emacs and check for processes "yes".
> 
> I suggest disabling local variables by default, because probably there are 
> similar bugs of the same nature.

You can view the thread for example at Google Groups:

http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1b2fdae321?hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1&prev=/groups%3Fq%3Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmailman.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1

The same url in Quoted Printable, in case it got mangled somehow en
route (run it thru recode /qp..):

http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1=
b2fdae321?hl=3Den&lr=3D&ie=3DUTF-8&oe=3DUTF-8&rnum=3D1&prev=3D/groups%3Fq%3=
Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmail=
man.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1

Georgi's file is enclosed verbatim.

I just tried it with emacs in Woody and indeed, the yes processes
started to spawn on a fast pace.  I went even a bit further and found
out that the execution is not sandboxed in any way, as I was able to
execute a script that writes out a script in my home directory, chmod +x
it, and runs it in turn.

In the above thread, it's mentioned another security bug was found
earlier that week, so please take a look at it.


Cheers,
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.28-jan #2 Sat Nov 27 02:52:26 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages emacs21 depends on:
ii  dpkg                   1.9.21            Package maintenance system for Deb
ii  emacsen-common         1.4.15            Common facilities for all emacsen.
ii  libc6                  2.2.5-11.5        GNU C Library: Shared libraries an
ii  libjpeg62              6b-5              The Independent JPEG Group's JPEG 
ii  liblockfile1           1.03              NFS-safe locking library, includes
ii  libncurses5            5.2.20020112a-7   Shared libraries for terminal hand
ii  libpng2                1.0.12-3.woody.9  PNG library - runtime
ii  libtiff3g              3.5.5-6woody1     Tag Image File Format library
ii  xaw3dg                 1.5-13            Xaw3d widget set
ii  xlibs                  4.1.0-16woody5    X Window System client libraries
ii  zlib1g                 1:1.1.4-1.0woody0 compression library - runtime

-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net
[emacs1.emacs (text/plain, attachment)]
[Message part 3 (application/pgp-signature, inline)]
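
An added triage example, not part of the bug report and not a reproduction of the enclosed attachment: it lists the file-local variable declarations in a file's text so they can be read before the file is opened in Emacs. The `RISKY` name pattern, the function names and the sample text are assumptions made for this illustration, and the parser is simplified (it ignores form-feed page boundaries and `#!` first lines).

```python
import re

TAIL_CHARS = 3000  # Emacs only looks for the list near the end of the file
# Assumed heuristic: entries that evaluate Lisp, or set hook/function/command-like names.
RISKY = re.compile(r"^eval$|-(hooks?|functions?|forms?|program|command|predicate)$")

def local_variables(text):
    """Return [(name, value, where)] for each file-local variable declaration."""
    found = []
    # Form 1: "-*- name: value; name: value -*-" on the first line.
    m = re.search(r"-\*-(.*?)-\*-", text.split("\n", 1)[0])
    if m:
        for item in m.group(1).split(";"):
            name, sep, value = item.partition(":")
            if sep:
                found.append((name.strip().lower(), value.strip(), "first-line"))
    # Form 2: "Local Variables:" ... "End:" list; every line shares a prefix/suffix.
    lines = text[-TAIL_CHARS:].splitlines()
    for i, line in enumerate(lines):
        m = re.search(r"local variables:", line, re.IGNORECASE)
        if not m:
            continue
        prefix, suffix = line[:m.start()].strip(), line[m.end():].strip()
        for entry in lines[i + 1:]:
            body = entry.strip()
            if prefix and body.startswith(prefix):
                body = body[len(prefix):]
            if suffix and body.endswith(suffix):
                body = body[:-len(suffix)]
            name, sep, value = body.strip().partition(":")
            if not sep or name.strip().lower() == "end":
                break
            found.append((name.strip().lower(), value.strip(), "trailer"))
        break
    return found

def risky(entries):
    return [e for e in entries if RISKY.search(e[0])]

# Constructed sample, harmless by design.
SAMPLE = (
    ";; -*- mode: emacs-lisp; fill-column: 72 -*-\n"
    "(message \"body of the file\")\n"
    ";; Local Variables:\n"
    ";; compile-command: \"make check\"\n"
    ";; eval: (message \"loaded\")\n"
    ";; End:\n"
)
```

Inside Emacs, the variables `enable-local-variables` and `enable-local-eval` control whether such declarations are processed at all; setting them to `nil` corresponds to the "disable by default" suggestion quoted above.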

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#286183; Package emacs21.


Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list.


Message #10 received at 286183@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Jan Minar <jjminar@FastMail.FM>
Cc: 286183@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local variables)
Date: Sat, 18 Dec 2004 17:13:57 -0600
Jan Minar <jjminar@FastMail.FM> writes:

> I just tried it with emacs in Woody and indeed, the yes processes
> started to spawn on a fast pace.  I went even a bit further and
> found out that the execution is not sandboxed in any way, as I was
> able to execute a script that writes out a script in my home
> directory, chmod +x it, and runs it in turn.

I can verify this in the stable emacs21.  So far I've been unable to
reproduce it in unstable (21.3+1-8).

Security team summary: opening the emacs1.emacs file in the
indicated google link with a stable emacs will result in yes being
launched many times without any advance warning to the user.  I
presume arbitrary other code might be substituted.  I'm not yet sure
how this was changed in 21.3+1, but that version (the one in
testing/unstable) doesn't appear to execute the code provided in either
the emacs1.emacs or emacs2.emacs sample exploits.  I'm going to see if
I can locate the relevant diff.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592  F9A0 25C8 D377 8C7E 73A4



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#286183; Package emacs21.


Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list.


Message #15 received at 286183@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: 286183@bugs.debian.org
Cc: Jan Minar <jjminar@FastMail.FM>, team@security.debian.org
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local variables)
Date: Sat, 18 Dec 2004 18:37:01 -0600
Rob Browning <rlb@defaultvalue.org> writes:

> Security team summary: opening the emacs1.emacs file in the
> indicated google link with a stable emacs will result in yes being
> launched many times without any advance warning to the user.  I
> presume arbitrary other code might be substituted.  I'm not yet sure
> how this was changed in 21.3+1, but that version (the one in
> testing/unstable) doesn't appear to execute the code provided in
> either the emacs1.emacs or emacs2.emacs sample exploits.  I'm going
> to see if I can locate the relevant diff.

I've culled a patch from the diff between 21.2 and 21.3 which appears
to fix the problem.  I'll wait to hear from the security team, and I
may also run it by emacs-devel.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592  F9A0 25C8 D377 8C7E 73A4



Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#286183; Package emacs21.


Acknowledgement sent to Jan Minar <jjminar@FastMail.FM>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.


Message #20 received at 286183@bugs.debian.org:

From: Jan Minar <jjminar@FastMail.FM>
To: Rob Browning <rlb@defaultvalue.org>
Cc: 286183@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local variables)
Date: Sun, 19 Dec 2004 14:06:55 +0000
[Message part 1 (text/plain, inline)]
On Sat, Dec 18, 2004 at 06:37:01PM -0600, Rob Browning wrote:
> Rob Browning <rlb@defaultvalue.org> writes:
> 
> > Security team summary: opening the emacs1.emacs file in the
> > indicated google link with a stable emacs will result in yes being
> > launched many times without any advance warning to the user.  I
> > presume arbitrary other code might be substituted.  I'm not yet sure
> > how this was changed in 21.3+1, but that version (the one in
> > testing/unstable) doesn't appear to execute the code provided in
> > either the emacs1.emacs or emacs2.emacs sample exploits.  I'm going
> > to see if I can locate the relevant diff.
> 
> I've culled a patch from the diff between 21.2 and 21.3 which appears
> to fix the problem.  I'll wait to hear from the security team, and I
> may also run it by emacs-devel.

Other emacs and xemacs packages might/probably are affected as well.  I
am not familiar with emacs packages in debian (or emacs at all),
therefore someone else will have to check this.

-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net
[Message part 2 (application/pgp-signature, inline)]

Tags added: woody Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Tags added: security Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org.


Bug marked as fixed in version 21.3, send any further explanations to Jan Minar <jjminar@FastMail.FM> Request was from Nathanael Nerode <neroden@twcny.rr.com> to control@bugs.debian.org.


Bug marked as fixed in version 21.4a-1, send any further explanations to Jan Minar <jjminar@FastMail.FM> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 19:59:59 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:17:58 2025; Machine Name: buxtehude