Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Rob Browning <rlb@defaultvalue.org>.
Package: emacs22-common
Version: 22.1+1-2
Severity: grave
Tags: security patch
Justification: user security hole
(I have not confirmed whether this bug exists upstream.)
In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
function does not behave correctly when `enable-local-variables' is
set to :safe. The documentation of `enable-local-variables' states
that the value :safe means to set only safe variables, as determined
by `safe-local-variable-p' and `risky-local-variable-p' (and the data
driving them), but Emacs ignores this and instead sets all the local
variables.
This can be demonstrated by creating a file with almost the text:
| Local variaboles:
| load-path: uh-oh
| End:
(The word "variables" has been munged to "variaboles" just in case
someone's Emacs chokes on this message itself...)
Visit this file with `enable-local-variables' set to :safe. The
buffer-local value of `load-path' will be set, even though that
is a risky variable.
The source of this bug: `hack-local-variables' makes lists of
`risky-vars' and `unsafe-vars' to strip out when in :safe mode, as
(variable . value) conses. It then avoids setting variables where
the name of the variable is `eq' to the cons. Probably someone
changed the format of the function-local list variables and then
forgot to update all the places they were referenced.
A small patch to fix this (which should also be attached to this
message, for convenience) simply updates the code branch corresponding
to :safe mode to search the lists correctly:
--- lisp/files.el.old 2007-11-02 04:23:58.000000000 -0500
+++ lisp/files.el 2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@
;; If caller wants only the safe variables,
;; install only them.
(dolist (elt result)
- (unless (or (memq (car elt) unsafe-vars)
- (memq (car elt) risky-vars))
+ (unless (or (member elt unsafe-vars)
+ (member elt risky-vars))
(hack-one-local-variable (car elt) (cdr elt))))
;; Query, except in the case where all are known safe
;; if the user wants no quuery in that case.
Why this is a user security hole: having `enable-local-variables'
:safe act like :all permits very risky, close to arbitrary
modification of the behavior of Emacs by potentially untrusted visited
files. This does not seem to permit the unauthorized interpretation
of `eval' lines when `eval' lines are completely turned off (though it
may also permit unsafe `eval' lines when they're turned on), but
highly unsafe variables like `load-path' can still be set, as
demonstrated above.
---> Drake Wilson
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22.2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages emacs22-common depends on:
ii dpkg 1.14.7 package maintenance system for Deb
ii emacsen-common 1.4.17 Common facilities for all emacsen
emacs22-common recommends no packages.
-- no debconf information
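The membership bug described in the report, modelled in Python as an added example (not code from the report or from Emacs): a parser for the Local Variables trailer plus the :safe filter in its pre-fix and post-fix forms, so the two behaviours can be compared on the report's sample file. The RISKY and SAFE tables are assumptions standing in for risky-local-variable-p and safe-local-variable-p.

```python
import re

# Added example, not code from the report or from Emacs. RISKY/SAFE are
# constructed stand-ins for risky-local-variable-p / safe-local-variable-p.
RISKY = {"load-path", "eval", "mode-line-format"}
SAFE = {"fill-column": str.isdigit, "indent-tabs-mode": lambda v: v in ("t", "nil")}

def parse_local_variables(text):
    """Return (name, value) pairs from a trailing 'Local Variables:' ... 'End:' block.
    As in Emacs, the text before 'Local Variables:' on its line is a prefix that
    every following line must carry; it is stripped before parsing."""
    lines = text.splitlines()
    for start, line in enumerate(lines):
        match = re.match(r"^(.*)Local Variables:\s*$", line)
        if match:
            break
    else:
        return []
    prefix, result = match.group(1), []
    for line in lines[start + 1:]:
        if not line.startswith(prefix):
            break
        body = line[len(prefix):].strip()
        if body == "End:":
            break
        name, _, value = body.partition(":")
        result.append((name.strip(), value.strip()))
    return result

def classify(result):
    """Build risky-vars and unsafe-vars as lists of whole pairs, as files.el does."""
    risky = [elt for elt in result if elt[0] in RISKY]
    unsafe = [elt for elt in result if elt[0] not in RISKY
              and not SAFE.get(elt[0], lambda v: False)(elt[1])]
    return risky, unsafe

def apply_safe_buggy(result):
    """Pre-fix check, (memq (car elt) risky-vars): a bare name never equals a
    (name, value) pair, so nothing is excluded and every variable gets set."""
    risky, unsafe = classify(result)
    return {n: v for (n, v) in result if n not in risky and n not in unsafe}

def apply_safe_fixed(result):
    """Post-fix check, (member elt risky-vars): the whole pair is looked up."""
    risky, unsafe = classify(result)
    return {n: v for (n, v) in result if (n, v) not in risky and (n, v) not in unsafe}

# Constructed sample, modelled on the report's demonstration file (spelling restored).
SAMPLE = "some text\n| Local Variables:\n| fill-column: 70\n| load-path: uh-oh\n| End:\n"
```

Running apply_safe_buggy on the parsed SAMPLE yields load-path among the variables set; apply_safe_fixed drops it and keeps only the known-safe fill-column.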
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Romain Francoise <romain@orebokech.com>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Subject: Re: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 02 Nov 2007 12:11:46 +0100
tags 449008 fixed-upstream
quit
Hi,
Drake Wilson <drake@begriffli.ch> writes:
> The source of this bug: `hack-local-variables' makes lists of
> `risky-vars' and `unsafe-vars' to strip out when in :safe mode, as
> (variable . value) conses. It then avoids setting variables where
> the name of the variable is `eq' to the cons. Probably someone
> changed the format of the function-local list variables and then
> forgot to update all the places they were referenced.
Thank you very much for finding and reporting this issue. I've
confirmed that it still applies upstream and installed your patch in
the trunk and in the Emacs 22 release branch for the upcoming 22.2
release.
Tags added: fixed-upstream
Request was from Romain Francoise <romain@orebokech.com>
to control@bugs.debian.org.
(Fri, 02 Nov 2007 11:15:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Subject: Upstream appears to also contain this bug
Date: Fri, 2 Nov 2007 06:12:18 -0500
FYI: now that I've checked, the official source of GNU Emacs 22.1
seems to contain this bug also, as well as the current Arch and CVS
repositories for the relevant Savannah project. I have sent mail
to bug-gnu-emacs accordingly, pointing to this bug report and
replicating most of its content. Hopefully that'll speed up
coordination with upstream.
---> Drake Wilson
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Subject: Re: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 2 Nov 2007 06:18:38 -0500
Quoth Romain Francoise <romain@orebokech.com>, on 2007-11-02 12:11:46 +0100:
> Thank you very much for finding and reporting this issue. I've
> confirmed that it still applies upstream and installed your patch in
> the trunk and in the Emacs 22 release branch for the upcoming 22.2
> release.
Aha, looks like we're up and reading mail at the same time. (Sorry about
the near-simultaneous duplication.) Good stuff; hopefully it'll get fixed
in Debian soon. Thanks. :-)
---> Drake Wilson
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
To: Drake Wilson <drake@begriffli.ch>, 449008@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 2 Nov 2007 17:13:23 +0100
Drake Wilson wrote:
> Package: emacs22-common
> Version: 22.1+1-2
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> (I have not confirmed whether this bug exists upstream.)
>
> In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
> function does not behave correctly when `enable-local-variables' is
> set to :safe. The documentation of `enable-local-variables' states
> that the value :safe means to set only safe variables, as determined
> by `safe-local-variable-p' and `risky-local-variable-p' (and the data
> driving them), but Emacs ignores this and instead sets all the local
> variables.
>
> This can be demonstrated by creating a file with almost the text:
>
> | Local variaboles:
> | load-path: uh-oh
> | End:
JFTR, emacs21 from Debian Etch is not affected, it correctly prints a
"Ignoring risky spec in the local variables list" warning.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Subject: Re: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 2 Nov 2007 12:22:06 -0500
Quoth Moritz Muehlenhoff <jmm@inutil.org>, on 2007-11-02 17:13:23 +0100:
> JFTR, emacs21 from Debian Etch is not affected, it correctly prints a
> "Ignoring risky spec in the local variables list" warning.
This is true, yes. It's mostly because the behavior of file local
variables in Emacs 21 is different in a way that makes the report not
applicable in the first place. Primarily, the Emacs 21 definition of
`enable-local-variables' does not include :safe as a valid value with
the expected behavior being as in Emacs 22; it only provides t, nil,
and anything else meaning "query". The code fragment that causes the
problem only occurs in the :safe case; the other three cases are not
affected.
Ironically, that feature was the main reason I wanted to try Emacs 22
in the first place. :-)
> Cheers,
> Moritz
---> Drake Wilson
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Romain Francoise <romain@orebokech.com>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Cc: 449008@bugs.debian.org, Drake Wilson <drake@begriffli.ch>
Subject: Re: package upload?
Date: Sat, 03 Nov 2007 08:49:17 +0100
Steffen Joeris <steffen.joeris@skolelinux.de> writes:
> Anyone preparing a package upload or is a sponsor needed?
I can NMU if necessary. Do we have a CVE id for this?
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
On Sat, 3 Nov 2007 06:49:17 pm Romain Francoise wrote:
> Steffen Joeris <steffen.joeris@skolelinux.de> writes:
> > Anyone preparing a package upload or is a sponsor needed?
>
> I can NMU if necessary. Do we have a CVE id for this?
Please go for it, saves me some time :)
Number is CVE-2007-5795.
Please just ping me (white on IRC oftc and freenode) or drop me a mail, when
it is done.
Thanks a lot for the offer.
Cheers
Steffen
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Source: emacs22
Source-Version: 22.1+1-2.1
We believe that the bug you reported is fixed in the latest version of
emacs22, which is due to be installed in the Debian FTP archive:
emacs22-bin-common_22.1+1-2.1_i386.deb
to pool/main/e/emacs22/emacs22-bin-common_22.1+1-2.1_i386.deb
emacs22-common_22.1+1-2.1_all.deb
to pool/main/e/emacs22/emacs22-common_22.1+1-2.1_all.deb
emacs22-el_22.1+1-2.1_all.deb
to pool/main/e/emacs22/emacs22-el_22.1+1-2.1_all.deb
emacs22-gtk_22.1+1-2.1_i386.deb
to pool/main/e/emacs22/emacs22-gtk_22.1+1-2.1_i386.deb
emacs22-nox_22.1+1-2.1_i386.deb
to pool/main/e/emacs22/emacs22-nox_22.1+1-2.1_i386.deb
emacs22_22.1+1-2.1.diff.gz
to pool/main/e/emacs22/emacs22_22.1+1-2.1.diff.gz
emacs22_22.1+1-2.1.dsc
to pool/main/e/emacs22/emacs22_22.1+1-2.1.dsc
emacs22_22.1+1-2.1_i386.deb
to pool/main/e/emacs22/emacs22_22.1+1-2.1_i386.deb
emacs_22.1+1-2.1_all.deb
to pool/main/e/emacs22/emacs_22.1+1-2.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 449008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Romain Francoise <rfrancoise@debian.org> (supplier of updated emacs22 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 03 Nov 2007 09:31:51 +0100
Source: emacs22
Binary: emacs22-el emacs22-gtk emacs22-bin-common emacs22-nox emacs22 emacs22-common emacs
Architecture: source all i386
Version: 22.1+1-2.1
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Romain Francoise <rfrancoise@debian.org>
Description:
emacs - The GNU Emacs editor (metapackage)
emacs22 - The GNU Emacs editor
emacs22-bin-common - The GNU Emacs editor's shared, architecture dependent files
emacs22-common - The GNU Emacs editor's shared, architecture independent infrastru
emacs22-el - GNU Emacs LISP (.el) files
emacs22-gtk - The GNU Emacs editor (with GTK user interface)
emacs22-nox - The GNU Emacs editor (without X support)
Closes: 449008
Changes:
emacs22 (22.1+1-2.1) unstable; urgency=high
.
* NMU
* Incorporate patch from Drake Wilson <drake@begriffli.ch> fixing a
vulnerability in the handling of file local variables (CVE-2007-5795)
(closes: #449008).
Files:
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
Just as a followup, I can confirm that this flaw permits the execution
of arbitrary Emacs Lisp code. Attached is a file that is almost such
an evil file, but with the local variables list neutered similarly to
the above. Read the file to see what it does. Once you can execute
arbitrary Emacs Lisp code, of course, you can modify arbitrary files
that can be written by the Emacs process, and once you can do that,
you pretty much have full control over the user's account. Whee.
(Not Cc'ing to the Emacs lists at gnu.org to avoid flooding them with
mail from non-subscribed persons; those of you more closely associated
can forward if you feel like it.)
---> Drake Wilson
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 03 Jan 2008 07:27:20 GMT)
Bug unarchived.
Request was from Lucas Nussbaum <lucas@lucas-nussbaum.net>
to control@bugs.debian.org.
(Sat, 09 Aug 2008 18:02:46 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#449008; Package emacs22-common.
Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>.
# Automatically generated email from bts, devscripts version 2.10.35
# according to changelog
fixed 449008 emacs22/22.1+1-3
Bug marked as fixed in version emacs22/22.1+1-3.
Request was from Frank Lichtenheld <djpig@debian.org>
to control@bugs.debian.org.
(Mon, 11 Aug 2008 21:39:06 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 09 Sep 2008 07:26:30 GMT)