Debian Bug report logs - #408929
emacs21: crash on spam
Reported by: Hendrik Tews <H.Tews@cs.ru.nl>
Date: Mon, 29 Jan 2007 11:33:01 UTC
Severity: important
Tags: patch, security
Fixed in version emacs21/21.4a+1-5.1
Done: Steffen Joeris <white@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Hendrik Tews <tews@tandem.cs.ru.nl>, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Hendrik Tews <H.Tews@cs.ru.nl>:
New Bug report received and forwarded. Copy sent to Hendrik Tews <tews@tandem.cs.ru.nl>, Rob Browning <rlb@defaultvalue.org>.
Message #5 received at submit@bugs.debian.org:
Package: emacs21
Version: 21.4a+1-3
Severity: critical
The spam email appended below causes emacs to crash with
*** glibc detected *** free(): invalid next size (normal): 0x08706488 ***
Fatal error (6).
or even simply with
Fatal error (11).Segmentation fault
To reproduce:
start emacs with emacs -q --no-site-file
inside emacs, evaluate
(setq load-path (nconc load-path (list "/usr/share/emacs21/site-lisp/vm")))
(autoload 'vm-mode "vm" "Run VM major mode on a buffer" t)
then visit the file spam-bug
do M-x vm-mode
--everything fine up to here--
hit space
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-k7
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages emacs21 depends on:
ii emacs21-bin-common 21.4a+1-3 The GNU Emacs editor's shared, arc
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii libpng12-0 1.2.15~beta5-1 PNG library - runtime
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libtiff4 3.8.2-7 Tag Image File Format (TIFF) libra
ii libungif4g 4.1.4-4 shared library for GIF images
ii libx11-6 2:1.0.3-4 X11 client-side library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxmu6 1:1.0.2-2 X11 miscellaneous utility library
ii libxpm4 1:3.5.5-2 X11 pixmap library
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii xaw3dg 1.5+E-14 Xaw3d widget set
ii zlib1g 1:1.2.3-13 compression library - runtime
emacs21 recommends no packages.
Package: vm
Version: 7.19-11
Versions of packages vm depends on:
ii emacs21 21.4a+1-3 The GNU Emacs editor
ii ucf 2.0018.1 Update Configuration File: preserv
Versions of packages vm recommends:
ii make 3.81-2 The GNU version of the "make" util
-- no debconf information
Here is the problematic spam:
[spam-bug (application/octet-stream, attachment)]
Bug reassigned from package `emacs21' to `vm'.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
Severity set to `grave' from `critical'
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
Tags added: security
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#408929; Package vm.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>.
Message #16 received at 408929@bugs.debian.org:
On Mon, Jan 29, 2007 at 12:25:21PM +0100, Hendrik Tews wrote:
> Package: emacs21
> Version: 21.4a+1-3
> Severity: critical
> The spam email appended below causes emacs to crash with
> *** glibc detected *** free(): invalid next size (normal): 0x08706488 ***
> Fatal error (6).
> or even simply with
> Fatal error (11).Segmentation fault
> To reproduce:
> start emacs with emacs -q --no-site-file
> inside emacs, evaluate
> (setq load-path (nconc load-path (list "/usr/share/emacs21/site-lisp/vm")))
> (autoload 'vm-mode "vm" "Run VM major mode on a buffer" t)
> then visit the file spam-bug
> do M-x vm-mode
> --everything fine up to here--
> hit space
Attached is a reduced test case, consisting only of the GIF from this email
with all other attachments stripped.
I've reassigned this bug from emacs21 to vm; it seems likely to me that the
bug lies with the vm mode, not with emacs directly.
Other image viewers don't seem to have problems with this attachment, and
other GIFs don't seem to cause problems for emacs21/vm.
--
Steve Langasek, Debian Developer, vorlon@debian.org, http://www.debian.org/
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
[spam-bug (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#408929; Package vm.
Acknowledgement sent to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>.
Message #21 received at 408929@bugs.debian.org:
reassign 408929 emacs21
tags 408929 patch
quit
This is a known bug in the way Emacs computes the size of some GIF
images; the attached patch (adapted from a similar change in CVS)
fixes the crash for me.
Thanks,
--
Romain Francoise <rfrancoise@debian.org>
http://people.debian.org/~rfrancoise/
[emacs21-408929.patch (text/x-diff, attachment)]
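Romain's message names the bug class (a wrong size computation for some GIF images) but the patch itself is only an attachment and is not reproduced on this page. The following C is an added illustration, not the Emacs source and not the Debian patch, of the geometry validation a GIF decoder needs before it allocates a pixel buffer: it parses the logical screen descriptor and the first image descriptor, rejects a frame that does not fit inside the declared screen, and computes the canvas size under an explicit dimension cap so the product cannot wrap. The cap `GIF_MAX_DIM`, the function names and the two byte strings are constructed for this example.

```c
/* Added illustration (not the Emacs code or the Debian patch): validate a
 * GIF's declared geometry before trusting it for a buffer allocation. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GIF_HEADER_LEN 13   /* "GIF89a" (6 bytes) + logical screen descriptor (7 bytes) */
#define GIF_MAX_DIM    8192 /* hypothetical policy cap on width/height (assumption) */

typedef struct {
    unsigned screen_w, screen_h;   /* logical screen size */
    unsigned img_x, img_y;         /* first image descriptor position */
    unsigned img_w, img_h;         /* first image descriptor size */
} gif_geom;

/* GIF integers are 16-bit little-endian. */
static unsigned rd16(const uint8_t *p) { return p[0] | (p[1] << 8); }

/* Parse screen and first-frame geometry. Returns 0 on success,
 * negative on truncated or malformed input. */
int gif_parse_geometry(const uint8_t *buf, size_t len, gif_geom *g)
{
    if (len < GIF_HEADER_LEN) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -2;
    g->screen_w = rd16(buf + 6);
    g->screen_h = rd16(buf + 8);
    size_t pos = GIF_HEADER_LEN;

    /* Skip the global colour table if the packed flags say one is present. */
    uint8_t flags = buf[10];
    if (flags & 0x80) {
        size_t gct = 3u * (1u << ((flags & 0x07) + 1));
        if (len - pos < gct) return -3;
        pos += gct;
    }
    /* Skip extension blocks (0x21) up to the image descriptor (0x2C). */
    while (pos < len && buf[pos] == 0x21) {
        pos += 2;                               /* introducer + label */
        while (pos < len && buf[pos] != 0) {    /* data sub-blocks */
            size_t sub = (size_t)buf[pos] + 1u;
            if (len - pos < sub) return -3;
            pos += sub;
        }
        pos++;                                  /* block terminator */
    }
    if (pos >= len || buf[pos] != 0x2C) return -4;
    if (len - pos < 10) return -3;              /* descriptor is 10 bytes */
    g->img_x = rd16(buf + pos + 1);
    g->img_y = rd16(buf + pos + 3);
    g->img_w = rd16(buf + pos + 5);
    g->img_h = rd16(buf + pos + 7);
    return 0;
}

/* Bytes needed for a 32-bit RGBA canvas of the logical screen. Fails if a
 * dimension is zero or above the cap, or if the frame lies outside the
 * screen; a decoder that skipped this check would write past the canvas. */
int gif_canvas_bytes(const gif_geom *g, size_t *out)
{
    if (g->screen_w == 0 || g->screen_h == 0 || g->img_w == 0 || g->img_h == 0) return -1;
    if (g->screen_w > GIF_MAX_DIM || g->screen_h > GIF_MAX_DIM) return -2;
    /* Sum in 64 bits so a hostile 0xFFFF offset cannot wrap the comparison. */
    if ((uint64_t)g->img_x + g->img_w > g->screen_w) return -3;
    if ((uint64_t)g->img_y + g->img_h > g->screen_h) return -3;
    /* With both dimensions capped at 8192 the product is at most 2^28 bytes. */
    *out = (size_t)g->screen_w * (size_t)g->screen_h * 4u;
    return 0;
}

/* Constructed sample: 2x2 GIF89a, no colour table, frame 2x2 at (0,0). */
static const uint8_t sample_ok[] = {
    'G','I','F','8','9','a', 2,0, 2,0, 0x00, 0, 0,
    0x2C, 0,0, 0,0, 2,0, 2,0, 0x00
};
/* Constructed sample: screen is 2x2 but the frame claims 300x300 (0x012C). */
static const uint8_t sample_bad[] = {
    'G','I','F','8','9','a', 2,0, 2,0, 0x00, 0, 0,
    0x2C, 0,0, 0,0, 0x2C,1, 0x2C,1, 0x00
};

int main(void)
{
    gif_geom g; size_t bytes = 0;
    int rc = gif_parse_geometry(sample_bad, sizeof sample_bad, &g);
    if (rc == 0) rc = gif_canvas_bytes(&g, &bytes);
    printf("oversized frame: %s\n", rc == 0 ? "accepted" : "rejected before allocation");
    return 0;
}
```

The second sample is the shape of input worth testing a decoder against: every field is individually valid, and only the relationship between frame and screen is wrong, so a parser that sizes its buffer from one field and writes from the other has nothing else to stop it.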
Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#408929; Package vm.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>.
Message #26 received at 408929@bugs.debian.org:
On Sun, Feb 04, 2007 at 01:12:21PM +0100, Romain Francoise wrote:
> reassign 408929 emacs21
> tags 408929 patch
> quit
> This is a known bug in the way Emacs computes the size of some GIF
> images; the attached patch (adapted from a similar change in CVS)
> fixes the crash for me.
Ok, thanks for the quick fix.
I've tagged this bug security, because it wasn't clear to me whether this
was a potentially exploitable problem. Do you think that tag applies here?
If not, I think the bug should be downgraded.
Cheers,
--
Steve Langasek, Debian Developer, vorlon@debian.org, http://www.debian.org/
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
Bug reassigned from package `vm' to `emacs21'.
Request was from Romain Francoise <rfrancoise@debian.org>
to control@bugs.debian.org.
Tags added: patch
Request was from Romain Francoise <rfrancoise@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Message #35 received at 408929@bugs.debian.org:
Steve Langasek <vorlon@debian.org> writes:
> I've tagged this bug security, because it wasn't clear to me
> whether this was a potentially exploitable problem. Do you think
> that tag applies here?
Yes, I think it does. Crashing Emacs is a denial of service attack
against the various applications that run inside it, and can cause
data loss... Whether code execution is actually possible, I don't
know.
(On the other hand, VM should not display images by default, but
that is a separate issue.)
--
Romain Francoise <rfrancoise@debian.org>
http://people.debian.org/~rfrancoise/
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Message #40 received at 408929@bugs.debian.org:
severity 408929 important
thanks
On Sun, Feb 04, 2007 at 01:56:40PM +0100, Jérôme Marant wrote:
> I'll ask that we tag this bug as etch-ignore: there are tons of bugs like
> this one in Emacs and there are multiple chances to expose such bugs
> by using many different packages.
> Furthermore, emacs21 is (and more generally stable emacs releases are) not
> supported upstream so we have no chances to get help from them
> (they are preparing the next release BTW).
This last is certainly not a reason to etch-ignore a bug; on the contrary,
it speaks to the overall releasability of the package if neither upstream
nor the maintainers are prepared to cope with possible security bugs that
are uncovered in the version releasing with etch.
However, the current argument in favor of treating this as a grave, security
bug is that it's a DoS causing data loss of unsaved files:
On Sun, Feb 04, 2007 at 02:38:39PM +0100, Romain Francoise wrote:
> Steve Langasek <vorlon@debian.org> writes:
> > I've tagged this bug security, because it wasn't clear to me
> > whether this was a potentially exploitable problem. Do you think
> > that tag applies here?
> Yes, I think it does. Crashing Emacs is a denial of service attack
> against the various applications that run inside it, and can cause
> data loss... Whether code execution is actually possible, I don't
> know.
DoSes, while security bugs, are not treated as grave security bugs; that
severity is reserved for bugs that allow code execution under the attacker's
control. And data loss because you didn't save before the application
crashed is not the sense in which "data loss" is taken to mean in the policy
definition of grave bugs -- the "data loss" argument is reserved for bugs
that eat your data directly, not as a side effect of you not having saved
your data.
So if there's no evidence of arbitrary code execution, I think it's
appropriate here to downgrade the bug -- but the security team should also
be apprised.
--
Steve Langasek, Debian Developer, vorlon@debian.org, http://www.debian.org/
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
Severity set to `important' from `grave'
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Message #47 received at 408929@bugs.debian.org:
Steve Langasek wrote:
> So if there's no evidence of arbitrary code execution, I think it's
> appropriate here to downgrade the bug -- but the security team should also
> be apprised.
glibc 2.3.4 introduced more secure heap management, which renders several
code injection attacks moot. (most notably double frees)
The message that was posted in the bug report appears to trigger such a
sanity check.
But it might be possible that smarter attacks might circumvent the glibc checks
in the future, so we should err on the safe side and apply Romain's patch.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Message #52 received at 408929@bugs.debian.org:
* Moritz Muehlenhoff:
> glibc 2.3.4 introduced more secure heap management, which renders several
> code injection attacks moot.
I think these additional checks have already been bypassed. Shall I
dig up a reference?
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Message #57 received at 408929@bugs.debian.org:
Steve Langasek <vorlon@debian.org> writes:
> So if there's no evidence of arbitrary code execution, I think
> it's appropriate here to downgrade the bug -- but the security
> team should also be apprised.
Fine with me.
--
Romain Francoise <rfrancoise@debian.org>
http://people.debian.org/~rfrancoise/
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Message #62 received at 408929@bugs.debian.org:
Joey if you could allocate a CVE ID I'll handle an upload
for Etch.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Message #67 received at 408929@bugs.debian.org:
Steve Kemp wrote:
>
> Joey if you could allocate a CVE ID I'll handle an upload
> for Etch.
Please use CVE-2007-2833.
Regards,
Joey
--
Still can't talk about what I can't talk about. Sorry. -- Bruce Schneier
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Message #72 received at 408929@bugs.debian.org:
Hi
Attached you will find an NMU proposal. It includes the patch from the last
DSA upload. Can you please consider including this patch or give me
permission to upload this NMU and get the issue fixed in unstable and
testing? I can also include the removal of the emacs metapackage in this NMU,
if you want, although this is not my main concern here :)
Thanks for your efforts.
Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#408929; Package emacs21.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Message #77 received at 408929@bugs.debian.org:
Hi
Attached you will find the final nmu.patch, which I uploaded to unstable.
I had to fix the other RC bug as well, because I could not upload a smaller
version of the emacs metapackage than the one which is already in the
archive. Sorry for the noise and I hope you did not mind. Feel free to
contact me if you have further queries.
Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]
Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility.
Notification sent to Hendrik Tews <H.Tews@cs.ru.nl>:
Bug acknowledged by developer.
Message #82 received at 408929-close@bugs.debian.org:
Source: emacs21
Source-Version: 21.4a+1-5.1
We believe that the bug you reported is fixed in the latest version of
emacs21, which is due to be installed in the Debian FTP archive:
emacs21-bin-common_21.4a+1-5.1_i386.deb
to pool/main/e/emacs21/emacs21-bin-common_21.4a+1-5.1_i386.deb
emacs21-common_21.4a+1-5.1_all.deb
to pool/main/e/emacs21/emacs21-common_21.4a+1-5.1_all.deb
emacs21-el_21.4a+1-5.1_all.deb
to pool/main/e/emacs21/emacs21-el_21.4a+1-5.1_all.deb
emacs21-nox_21.4a+1-5.1_i386.deb
to pool/main/e/emacs21/emacs21-nox_21.4a+1-5.1_i386.deb
emacs21_21.4a+1-5.1.diff.gz
to pool/main/e/emacs21/emacs21_21.4a+1-5.1.diff.gz
emacs21_21.4a+1-5.1.dsc
to pool/main/e/emacs21/emacs21_21.4a+1-5.1.dsc
emacs21_21.4a+1-5.1_i386.deb
to pool/main/e/emacs21/emacs21_21.4a+1-5.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 408929@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated emacs21 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 21 Aug 2007 05:23:01 +0000
Source: emacs21
Binary: emacs21-el emacs21-common emacs21-nox emacs21-bin-common emacs21
Architecture: source all i386
Version: 21.4a+1-5.1
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
emacs21 - The GNU Emacs editor
emacs21-bin-common - The GNU Emacs editor's shared, architecture dependent files
emacs21-common - The GNU Emacs editor's shared, architecture independent infrastru
emacs21-el - GNU Emacs LISP (.el) files
emacs21-nox - The GNU Emacs editor (without X support)
Closes: 408929 433861
Changes:
emacs21 (21.4a+1-5.1) unstable; urgency=high
.
* Non-maintainer upload by the testing-security team
* Include patch (CVE-2007-2833.diff) to fix a crash when determining
the size of some GIF images (Closes: #408929) Fixes: CVE-2007-2833
* Don't produce the emacs metapackage anymore, because it is now
built by the emacs22 source package (Closes: #433861)
Files:
e99385d45ed0ac972b3f2f7beae37708 880 editors optional emacs21_21.4a+1-5.1.dsc
26a8f6c129b323e21bad45d3b413b747 188543 editors optional emacs21_21.4a+1-5.1.diff.gz
f28fbfbd137393eab64fdc64a42cc9b8 9438736 editors optional emacs21-common_21.4a+1-5.1_all.deb
48175495c8b6c85bad7716c4421d7fa8 7211568 editors optional emacs21-el_21.4a+1-5.1_all.deb
0180ad45ff4f2c0688022c848160de39 2023698 editors optional emacs21_21.4a+1-5.1_i386.deb
a0d6488b393f4405908e934ab9ca5d0c 1832178 editors optional emacs21-nox_21.4a+1-5.1_i386.deb
58526615fa4266a7c1795cf483ecfee7 147762 editors optional emacs21-bin-common_21.4a+1-5.1_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 21 Nov 2007 07:27:09 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Jan 5 22:55:41 2018;