emacs21: arbitrary code execution in fast-lock-mode

Related Vulnerabilities: CVE-2008-2142  

Debian Bug report logs - #480877


Package: emacs21; Maintainer for emacs21 is Rob Browning <rlb@defaultvalue.org>; Source for emacs21 is src:emacs (PTS, buildd, popcon).

Reported by: Sven Joachim <svenjoac@gmx.de>

Date: Mon, 12 May 2008 14:27:01 UTC

Severity: important

Tags: patch, security

Found in versions emacs21/21.4a+1-5.4, emacs21/21.4a+1-3etch4

Fixed in version emacs21/21.4a+1-5.5

Done: Frank Lichtenheld <djpig@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Sven Joachim <svenjoac@gmx.de>, Rob Browning <rlb@defaultvalue.org>:
Bug#480877; Package emacs21. (full text, mbox, link).


Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Sven Joachim <svenjoac@gmx.de>, Rob Browning <rlb@defaultvalue.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sven Joachim <svenjoac@gmx.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: emacs21: arbitrary code execution in fast-lock-mode
Date: Mon, 12 May 2008 16:20:24 +0200
Package: emacs21
Version: 21.4a+1-5.4
Severity: important
Tags: security

The following message was forwarded to the emacs-devel mailing list, see
[1].  It is currently still under discussion there.

------- Start of forwarded message -------
Date: Fri, 9 May 2008 12:45:25 -0400
From: "Morten Welinder" <mwelinder@gmail.com>
To: eliz@gnu.org
Subject: Emacs security bug

Hi there,

it's been a while or two -- DJGPP was hot, new technology when we last
spoke, :-)

It's unclear to me where to send Emacs security concerns, so I am sending
this one to you.  Please forward appropriately.

1. Create .emacs with contents
    (global-font-lock-mode t)
    (setq font-lock-support-mode 'fast-lock-mode)

2. Create foo.c with contents /* Nothing to see here */

3. Create foo.c.flc with contents (message "Something to see here!")

4. Start Emacs and load foo.c

--> Observe that code from foo.c.flc is run.  Not good.
(This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to
be adjusted.)

Suggestions:

a. Remove "." from fast-lock-cache-directories.  Littering little
   files everywhere is not a good idea anyway.

b. Don't use load to handle the .flc file.  Instead read it into a
   buffer and read one s-expression at a time and verify that it is
   sane before evaluating it.

c. Don't use files owned by anyone else.  This cannot stand alone,
   though, as it has a race condition.

Morten Welinder
------- End of forwarded message -------

Since fast-lock-mode is not the default font-lock-support-mode and
probably few people use it, I set the severity to important rather than
grave.  Nevertheless it should be fixed in one of the ways Morten
outlined.


[1] http://lists.gnu.org/archive/html/emacs-devel/2008-05/msg00645.html
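As an added example (not code from fast-lock.el, from the Gentoo patch, or from any message in this report), here is the reader that suggestion (b) above sketches, combined with the ownership check of suggestion (c) and its race caveat. The cache file is read into a buffer one s-expression at a time with `read` and never handed to `load`, and only a form of an expected shape is returned as data. The `safe-flc-*` names and the assumed layout `(fast-lock-cache-data VERSION TIMESTAMP . DATA)` are mine and are not the real .flc format.

```elisp
;; Added example, not code from fast-lock.el or the Debian/Gentoo patch.
;; Read a Font Lock cache file with `read' instead of `load', and accept
;; only a form of an assumed shape (fast-lock-cache-data VERSION . DATA).
;; The real cache layout may differ; adjust `safe-flc-acceptable-p'.

(defun safe-flc-code-free-p (form)
  "Return non-nil when FORM contains no lambda or function objects.
Strings, numbers and symbols are plain data because nothing here is
ever evaluated; vectors are rejected as unexpected in cache data."
  (cond ((consp form)
         (and (not (memq (car form) '(lambda function eval load)))
              (safe-flc-code-free-p (car form))
              (safe-flc-code-free-p (cdr form))))
        ((vectorp form) nil)
        (t (or (stringp form) (numberp form) (symbolp form)))))

(defun safe-flc-acceptable-p (form)
  "Return non-nil when FORM has the assumed cache shape."
  (and (consp form)
       (eq (car form) 'fast-lock-cache-data)
       (integerp (nth 1 form))
       (safe-flc-code-free-p (cdr form))))

(defun safe-flc-read-file (file)
  "Return the single data form in cache FILE, or signal an error.
Nothing in FILE is evaluated; the caller consumes the returned data."
  ;; Suggestion (c) from the report, with its stated caveat: the owner
  ;; check is a time-of-check/time-of-use race and cannot stand alone.
  (let ((attrs (file-attributes file)))
    (unless (and attrs (eq (nth 2 attrs) (user-uid)))
      (error "Refusing cache %s: not owned by the current user" file)))
  (with-temp-buffer
    (insert-file-contents file)
    (goto-char (point-min))
    (let ((forms nil))
      ;; `read' signals end-of-file once only whitespace remains.
      (condition-case nil
          (while t (push (read (current-buffer)) forms))
        (end-of-file nil))
      (setq forms (nreverse forms))
      (unless (= (length forms) 1)
        (error "Refusing cache %s: expected one top-level form" file))
      (unless (safe-flc-acceptable-p (car forms))
        (error "Refusing cache %s: unexpected contents" file))
      (car forms))))

(defun safe-flc-demo ()
  "Write the report's foo.c.flc (constructed here) and show it is rejected.
With `load' the (message ...) form would run; here it is only data."
  (let ((file (make-temp-file "foo.c.flc-")))
    (with-temp-file file
      (insert "(message \"Something to see here!\")\n"))
    (prog1 (condition-case err
               (safe-flc-read-file file)
             (error (format "rejected: %s" (error-message-string err))))
      (delete-file file))))
```

Evaluating `(safe-flc-demo)` returns a "rejected: ... unexpected contents" string rather than echoing "Something to see here!", because the top-level form is headed by `message`, not by the expected data symbol. The owner check is kept deliberately in front of the parse so its limitation is visible: it narrows the window but, as the report says, does not close it.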




Bug marked as found in version 21.4a+1-3etch4. Request was from Sven Joachim <svenjoac@gmx.de> to control@bugs.debian.org. (Mon, 12 May 2008 14:51:08 GMT) (full text, mbox, link).


Bug 480877 cloned as bug 480885. Request was from Sven Joachim <svenjoac@gmx.de> to control@bugs.debian.org. (Mon, 12 May 2008 14:51:09 GMT) (full text, mbox, link).


Bug 480877 cloned as bug 480886. Request was from Sven Joachim <svenjoac@gmx.de> to control@bugs.debian.org. (Mon, 12 May 2008 14:51:11 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#480877; Package emacs21. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (full text, mbox, link).


Message #16 received at 480877@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 480885@bugs.debian.org, 480886@bugs.debian.org, 480877@bugs.debian.org
Subject: bug got CVE-2008-2142 assigned
Date: Mon, 12 May 2008 21:24:15 +0200
Hi,
the CVE id CVE-2008-2142 was assigned to this issue. Please 
include it in your changelog entry when closing this bug.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#480877; Package emacs21. (full text, mbox, link).


Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (full text, mbox, link).


Message #21 received at 480877@bugs.debian.org (full text, mbox, reply):

From: Sven Joachim <svenjoac@gmx.de>
To: 480877@bugs.debian.org
Subject: patch from gentoo
Date: Sat, 17 May 2008 08:54:01 +0200
Here is a patch for this bug, stolen from [1].  Note that

a) the patch for #480885 that got installed upstream is _not_ sufficient
   in emacs21, because fast-lock-cache-directories can be set in a
   "Local Variables" section, so fast-lock-cache-directories has to be
   marked as risky;

b) the hunk for loaddefs.el in the gentoo patch is not needed, because
   that file is regenerated by the Debian build process.

--8<---------------cut here---------------start------------->8---
--- emacs-21.4-orig/lisp/fast-lock.el	2001-07-15 18:15:34.000000000 +0200
+++ emacs-21.4/lisp/fast-lock.el	2008-05-12 22:43:07.000000000 +0200
@@ -278,7 +278,7 @@
 				      (integer :tag "size")))))
   :group 'fast-lock)
 
-(defcustom fast-lock-cache-directories '("." "~/.emacs-flc")
+(defcustom fast-lock-cache-directories '("~/.emacs-flc")
 ; - `internal', keep each file's Font Lock cache file in the same file.
 ; - `external', keep each file's Font Lock cache file in the same directory.
   "*Directories in which Font Lock cache files are saved and read.
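Review bot: changing the default only helps users who have never customized `fast-lock-cache-directories`; a saved customization or an explicit `setq` in `.emacs` that still lists "." keeps loading cache files from the visited file's own directory, and the `:type` in the context lines still accepts any directory string, so this hunk should be paired with a changelog or NEWS note telling such users to drop "." from their setting. The two stale `; - `internal'` / `; - `external'` comment lines sitting between the variable name and its docstring are untouched by the change and could be removed in the same edit.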
@@ -296,13 +296,18 @@
  ((\"^/your/true/home/directory/\" . \".\") \"~/.emacs-flc\")
 
 would cause a file's current directory to be used if the file is under your
-home directory hierarchy, or otherwise the absolute directory `~/.emacs-flc'."
+home directory hierarchy, or otherwise the absolute directory `~/.emacs-flc'.
+For security reasons, it is not advisable to use the file's current directory
+to avoid the possibility of using the cache of another user."
   :type '(repeat (radio (directory :tag "directory")
 			(cons :tag "Matching"
 			      (regexp :tag "regexp")
 			      (directory :tag "directory"))))
   :group 'fast-lock)
 
+;;;###autoload
+(put 'fast-lock-cache-directories 'risky-local-variable t)
+
 (defcustom fast-lock-save-events '(kill-buffer kill-emacs)
   "*Events under which caches will be saved.
 Valid events are `save-buffer', `kill-buffer' and `kill-emacs'.
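Review bot: the `;;;###autoload` cookie on the new `put` form is what makes the `risky-local-variable` marking take effect before `fast-lock.el` itself is loaded, which matters because a visited file's "Local Variables" section is processed at find-file time; since the Debian build drops the Gentoo loaddefs.el hunk and regenerates that file, confirm the regenerated loaddefs.el actually contains `(put 'fast-lock-cache-directories 'risky-local-variable t)`, otherwise note (a) in the covering message is only half addressed. Minor wording point on the added docstring lines: "it is not advisable to use the file's current directory to avoid the possibility of using the cache of another user" reads as if the avoidance were the thing advised against; suggest "For security reasons, do not use the file's current directory: that would allow another user's cache file to be loaded."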
--8<---------------cut here---------------end--------------->8---

Cheers,
       Sven


[1] http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo/src/patchsets/emacs/21.4/18_all_fast-lock.patch?rev=1.1




Tags added: patch Request was from Sven Joachim <svenjoac@gmx.de> to control@bugs.debian.org. (Wed, 21 May 2008 20:36:15 GMT) (full text, mbox, link).


Reply sent to Frank Lichtenheld <djpig@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Sven Joachim <svenjoac@gmx.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #28 received at 480877-close@bugs.debian.org (full text, mbox, reply):

From: Frank Lichtenheld <djpig@debian.org>
To: 480877-close@bugs.debian.org
Subject: Bug#480877: fixed in emacs21 21.4a+1-5.5
Date: Tue, 05 Aug 2008 01:47:08 +0000
Source: emacs21
Source-Version: 21.4a+1-5.5

We believe that the bug you reported is fixed in the latest version of
emacs21, which is due to be installed in the Debian FTP archive:

emacs21-bin-common_21.4a+1-5.5_i386.deb
  to pool/main/e/emacs21/emacs21-bin-common_21.4a+1-5.5_i386.deb
emacs21-common_21.4a+1-5.5_all.deb
  to pool/main/e/emacs21/emacs21-common_21.4a+1-5.5_all.deb
emacs21-el_21.4a+1-5.5_all.deb
  to pool/main/e/emacs21/emacs21-el_21.4a+1-5.5_all.deb
emacs21-nox_21.4a+1-5.5_i386.deb
  to pool/main/e/emacs21/emacs21-nox_21.4a+1-5.5_i386.deb
emacs21_21.4a+1-5.5.diff.gz
  to pool/main/e/emacs21/emacs21_21.4a+1-5.5.diff.gz
emacs21_21.4a+1-5.5.dsc
  to pool/main/e/emacs21/emacs21_21.4a+1-5.5.dsc
emacs21_21.4a+1-5.5_i386.deb
  to pool/main/e/emacs21/emacs21_21.4a+1-5.5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 480877@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Lichtenheld <djpig@debian.org> (supplier of updated emacs21 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 04 Aug 2008 19:43:13 -0300
Source: emacs21
Binary: emacs21 emacs21-nox emacs21-bin-common emacs21-common emacs21-el
Architecture: source all i386
Version: 21.4a+1-5.5
Distribution: unstable
Urgency: medium
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Frank Lichtenheld <djpig@debian.org>
Description: 
 emacs21    - The GNU Emacs editor
 emacs21-bin-common - The GNU Emacs editor's shared, architecture dependent files
 emacs21-common - The GNU Emacs editor's shared, architecture independent infrastru
 emacs21-el - GNU Emacs LISP (.el) files
 emacs21-nox - The GNU Emacs editor (without X support)
Closes: 451183 480877 485074
Changes: 
 emacs21 (21.4a+1-5.5) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix FTBFS when building on Linux >= 2.6.25. Patch
     from emacs22 found by Sven Joachim in Gentoo BTS.
     Closes: #485074
   * Fix FTBFS on kfreebsd-*. Patch by Petr Salinger.
     Closes: #451183
   * Fix insecure setting of fast-lock-cache-directories.
     Patch found by Sven Joachim. CVE-2008-2142
     Closes: #480877
Checksums-Sha1: 
 fb73fe6437bae0654380768646498d04cbace826 1284 emacs21_21.4a+1-5.5.dsc
 d1ee33b7e2715b84ab1fb4526347588c6f757c44 188806 emacs21_21.4a+1-5.5.diff.gz
 a677a383c1b862aa194355dd6df4eddec0847679 9436424 emacs21-common_21.4a+1-5.5_all.deb
 c1092c43809a35bace5c5212dd57cc1fb40326ec 7219708 emacs21-el_21.4a+1-5.5_all.deb
 d41344392a100fc7721762165053f69565ade285 2046086 emacs21_21.4a+1-5.5_i386.deb
 81a081998af3ef0ad49627ade0ef3a44bc14bc91 1841586 emacs21-nox_21.4a+1-5.5_i386.deb
 cdaca1e0047cbfbd2b986439bbb74ea75e415943 152560 emacs21-bin-common_21.4a+1-5.5_i386.deb
Checksums-Sha256: 
 505417d78930053e82a2bfc363ae2bc06137304bc6dd80de6326b600a517e1d3 1284 emacs21_21.4a+1-5.5.dsc
 654426936484f2bfc5d069a503c86752c7036505193172f3e7afd7c754d76b64 188806 emacs21_21.4a+1-5.5.diff.gz
 1f71ad6b3eaa1c432e1e08dd2ab22a2dd8692390e7426e82221b7e3dca0b10ad 9436424 emacs21-common_21.4a+1-5.5_all.deb
 0ca96eddd5e3eb03e423e5904d6b9129853468347a9c5a0351fcf9b5536e7c64 7219708 emacs21-el_21.4a+1-5.5_all.deb
 3fff1248a0242b298bd407f8d7351f9bcbcf069d350e402b371c5ad04915ca95 2046086 emacs21_21.4a+1-5.5_i386.deb
 8080a3965f0bb707732ad8f8422495c6a403c10474110f856279e3cc86b1d5b0 1841586 emacs21-nox_21.4a+1-5.5_i386.deb
 f769668652ae1afff2f367b63baf77b9ecb72af09dc354eb22fc5884216d30f3 152560 emacs21-bin-common_21.4a+1-5.5_i386.deb
Files: 
 0fbef941fb5b4daad4fb3429bae4d73c 1284 editors optional emacs21_21.4a+1-5.5.dsc
 a24478e8b2748bf44e4d81c9856a3f51 188806 editors optional emacs21_21.4a+1-5.5.diff.gz
 69c243c8921e7356d9de2d4c50d34c89 9436424 editors optional emacs21-common_21.4a+1-5.5_all.deb
 a42f717b7ffd281ae1b06e2bf0dc7067 7219708 editors optional emacs21-el_21.4a+1-5.5_all.deb
 e94486eff26873af6e641cdfce549cb0 2046086 editors optional emacs21_21.4a+1-5.5_i386.deb
 1348321a2784d3a582cb315c24fea5d4 1841586 editors optional emacs21-nox_21.4a+1-5.5_i386.deb
 7b631c830f796a42fc4a1c15477be7a7 152560 editors optional emacs21-bin-common_21.4a+1-5.5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiXrYIACgkQQbn06FtxPfBQpwCfT1ElfizqG9G/bptp+rpBy3TA
EfcAn2w2SDEklbxqePzeSIjJITkudZJT
=EvmE
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Nov 2008 08:28:48 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:37:04 2019; Machine Name: beach
