emacs24: CVE-2012-3479: GNU Emacs file-local variables

Related Vulnerabilities: CVE-2012-3479  

Debian Bug report logs - #684694
emacs24: CVE-2012-3479: GNU Emacs file-local variables


Package: emacs24; Maintainer for emacs24 is Rob Browning <rlb@defaultvalue.org>; Source for emacs24 is src:emacs.

Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 13 Aug 2012 06:57:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in version emacs24/24.1+1-4

Fixed in version 24.2+1-1

Done: Rob Browning <rlb@defaultvalue.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#684694; Package emacs24. (Mon, 13 Aug 2012 06:57:04 GMT).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Mon, 13 Aug 2012 06:57:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: emacs24: CVE-2012-3479: GNU Emacs file-local variables
Date: Mon, 13 Aug 2012 09:55:41 +0300
Package: emacs24
Version: 24.1+1-4
Severity: important
Tags: security, fixed-upstream

Paul Ling has found a security flaw in the file-local variables code in GNU Emacs. When the Emacs user option `enable-local-variables' is set to `:safe' (the default value is t), Emacs should automatically refuse to evaluate `eval' forms in file-local variable sections.  Due to the bug, Emacs instead automatically evaluates such `eval' forms.  Thus, if the user changes the value of `enable-local-variables' to `:safe', visiting a malicious file can cause automatic execution of arbitrary Emacs Lisp code with the permissions of the user. The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.

More details:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
http://www.openwall.com/lists/oss-security/2012/08/13/1
http://www.openwall.com/lists/oss-security/2012/08/13/2

I haven't manually verified this in Debian packages. Please ask in case you want me to do it.

- Henri Salo
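
The condition described in the report above, turned into a triage check for files from untrusted sources. This is an added example, not part of the original bug log or of Emacs; the function names, the sample file and its placeholder form are constructed for illustration, and the parser covers only the first-line `-*-` form and the trailing `Local Variables:` list.

```python
import re

# Emacs versions the report names as affected.
AFFECTED = {"23.2", "23.3", "23.4", "24.1"}
MARK = "local variables:"

# Constructed sample file; the eval form is a harmless placeholder.
SAMPLE = '''/* notes.c */
int main(void) { return 0; }
/* Local Variables: */
/* mode: c */
/* eval: (message "local eval ran") */
/* End: */
'''

def _eval_value(entry):
    """Return the form if ENTRY is an `eval: FORM' pair, else None."""
    name, sep, value = entry.partition(":")
    return value.strip() if sep and name.strip().lower() == "eval" else None

def find_eval_forms(text):
    """List (location, form) for each `eval' file-local entry in TEXT."""
    hits = []
    lines = text.splitlines()
    # "-*- var: value; ... -*-" on line 1, or line 2 after a "#!" line.
    head = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in head:
        m = re.search(r"-\*-(.*?)-\*-", line)
        for item in (m.group(1).split(";") if m else []):
            if (form := _eval_value(item)) is not None:
                hits.append(("first-line", form))
    # "Local Variables:" ... "End:" list within the last 3000 characters.
    tail = text[-3000:].splitlines()
    starts = [i for i, l in enumerate(tail) if MARK in l.lower()]
    if starts:
        first = tail[starts[-1]]
        at = first.lower().find(MARK)
        prefix, suffix = first[:at].strip(), first[at + len(MARK):].strip()
        for entry in tail[starts[-1] + 1:]:
            entry = entry.strip()
            entry = entry[len(prefix):] if prefix and entry.startswith(prefix) else entry
            entry = entry[:-len(suffix)] if suffix and entry.endswith(suffix) else entry
            if entry.strip().lower() == "end:":
                break
            if (form := _eval_value(entry)) is not None:
                hits.append(("local-variables", form))
    return hits

def matches_cve_2012_3479(emacs_version, enable_local_variables, text):
    """True when the report's conditions hold: affected version, `:safe', eval present."""
    series = ".".join(emacs_version.split(".")[:2])
    return (series in AFFECTED and enable_local_variables == ":safe"
            and bool(find_eval_forms(text)))
```

Running `find_eval_forms` over a mail spool or download directory before the files are opened on an unpatched installation shows which of them carry `eval` entries at all.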



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684694; Package emacs24. (Tue, 14 Aug 2012 02:15:03 GMT).


Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list. (Tue, 14 Aug 2012 02:15:03 GMT).


Message #10 received at 684694@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Henri Salo <henri@nerv.fi>
Cc: 684694@bugs.debian.org, 684695@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Mon, 13 Aug 2012 21:03:34 -0500

Henri Salo <henri@nerv.fi> writes:

> Paul Ling has found a security flaw in the file-local variables code
> in GNU Emacs. When the Emacs user option `enable-local-variables' is
> set to `:safe' (the default value is t), Emacs should automatically
> refuse to evaluate `eval' forms in file-local variable sections.  Due
> to the bug, Emacs instead automatically evaluates such `eval' forms.
> Thus, if the user changes the value of `enable-local-variables' to
> `:safe', visiting a malicious file can cause automatic execution of
> arbitrary Emacs Lisp code with the permissions of the user. The bug is
> present in Emacs 23.2, 23.3, 23.4, and 24.1.
>
> More details:
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
> http://www.openwall.com/lists/oss-security/2012/08/13/1
> http://www.openwall.com/lists/oss-security/2012/08/13/2
>
> I haven't manually verified this in Debian packages. Please ask in
> case you want me to do it.

I'll be happy to work on this, but I may not have much time until
Thu/Fri.

Thanks for the help
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#684694; Package emacs24. (Wed, 05 Sep 2012 16:03:06 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Wed, 05 Sep 2012 16:03:07 GMT).


Message #15 received at 684694@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Rob Browning <rlb@defaultvalue.org>
Cc: Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org, 684695@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Wed, 5 Sep 2012 17:57:38 +0200

On Mon, Aug 13, 2012 at 09:03:34PM -0500, Rob Browning wrote:
> Henri Salo <henri@nerv.fi> writes:
> 
> > Paul Ling has found a security flaw in the file-local variables code
> > in GNU Emacs. When the Emacs user option `enable-local-variables' is
> > set to `:safe' (the default value is t), Emacs should automatically
> > refuse to evaluate `eval' forms in file-local variable sections.  Due
> > to the bug, Emacs instead automatically evaluates such `eval' forms.
> > Thus, if the user changes the value of `enable-local-variables' to
> > `:safe', visiting a malicious file can cause automatic execution of
> > arbitrary Emacs Lisp code with the permissions of the user. The bug is
> > present in Emacs 23.2, 23.3, 23.4, and 24.1.
> >
> > More details:
> > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
> > http://www.openwall.com/lists/oss-security/2012/08/13/1
> > http://www.openwall.com/lists/oss-security/2012/08/13/2
> >
> > I haven't manually verified this in Debian packages. Please ask in
> > case you want me to do it.
> 
> I'll be happy to work on this, but I may not have much time until
> Thu/Fri.

What's the status?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684694; Package emacs24. (Thu, 06 Sep 2012 00:45:09 GMT).


Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list. (Thu, 06 Sep 2012 00:45:10 GMT).


Message #20 received at 684694@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org, 684695@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Wed, 05 Sep 2012 19:42:47 -0500

Moritz Muehlenhoff <jmm@inutil.org> writes:

> On Mon, Aug 13, 2012 at 09:03:34PM -0500, Rob Browning wrote:

>> I'll be happy to work on this, but I may not have much time until
>> Thu/Fri.
>
> What's the status?

For CVE-2012-3479 (#684695), I prepared the release and sent the debdiff
to rt.debian.org (#4005) on Aug 24th, asking if it was acceptable.
Since I haven't heard back, I haven't uploaded yet.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#684694; Package emacs24. (Thu, 06 Sep 2012 07:21:03 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Thu, 06 Sep 2012 07:21:03 GMT).


Message #25 received at 684694@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Rob Browning <rlb@defaultvalue.org>
Cc: Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org, 684695@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Thu, 6 Sep 2012 09:16:49 +0200

On Wed, Sep 05, 2012 at 07:42:47PM -0500, Rob Browning wrote:
> Moritz Muehlenhoff <jmm@inutil.org> writes:
> 
> > On Mon, Aug 13, 2012 at 09:03:34PM -0500, Rob Browning wrote:
> 
> >> I'll be happy to work on this, but I may not have much time until
> >> Thu/Fri.
> >
> > What's the status?
> 
> For CVE-2012-3479 (#684695), I prepared the release and sent the debdiff
> to rt.debian.org (#4005) on Aug 24th, asking if it was acceptable.
> Since I haven't heard back, I haven't uploaded yet.

I was more thinking about unstable, where this is still unfixed for emacs23.

Hopefully someone will have time to release the stable-security update
soon.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684694; Package emacs24. (Thu, 06 Sep 2012 15:54:03 GMT).


Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list. (Thu, 06 Sep 2012 15:54:03 GMT).


Message #30 received at 684694@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 684695@bugs.debian.org, Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Thu, 06 Sep 2012 10:52:30 -0500

Moritz Muehlenhoff <jmm@inutil.org> writes:

> I was more thinking about unstable, where this is still unfixed for emacs23.

In that case I've had to take some time to finish working out another
problem (that requires simultaneous changes to emacs23/24 in both wheezy
and sid) -- it's an issue with the emacs metapackage binary that
involves the creation of a new gcc-defaults-style source package.

At this point, I think I've finished discussing that with the release
team, but haven't had time since then (until today) to finish the work.
I expect to have uploads for both before Monday.

> Hopefully someone will have time to release the stable-security update
> soon.

How does that work?  I have the packages ready to go, but was just
waiting for approval to upload -- or does the security team handle
building stable packages?

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Reply sent to Rob Browning <rlb@defaultvalue.org>:
You have taken responsibility. (Sun, 09 Sep 2012 19:30:06 GMT).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 09 Sep 2012 19:30:06 GMT).


Message #35 received at 684694-done@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Henri Salo <henri@nerv.fi>
Cc: 684694-done@bugs.debian.org
Subject: Re: Bug#684694: emacs24: CVE-2012-3479: GNU Emacs file-local variables
Date: Sun, 09 Sep 2012 14:26:15 -0500
Version: 24.2+1-1

Henri Salo <henri@nerv.fi> writes:

> Package: emacs24
> Severity: important
> Tags: security, fixed-upstream
>
> Paul Ling has found a security flaw in the file-local variables code
> in GNU Emacs. When the Emacs user option `enable-local-variables' is
> set to `:safe' (the default value is t), Emacs should automatically
> refuse to evaluate `eval' forms in file-local variable sections.  Due
> to the bug, Emacs instead automatically evaluates such `eval' forms.
> Thus, if the user changes the value of `enable-local-variables' to
> `:safe', visiting a malicious file can cause automatic execution of
> arbitrary Emacs Lisp code with the permissions of the user. The bug is
> present in Emacs 23.2, 23.3, 23.4, and 24.1.

This should be fixed by 24.2+1-1, but I put the wrong bug number in the
changelog (Closes: ...).  Closing now.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#684694; Package emacs24. (Wed, 03 Oct 2012 09:48:06 GMT).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Wed, 03 Oct 2012 09:48:06 GMT).


Message #40 received at 684694@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Rob Browning <rlb@defaultvalue.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 684695@bugs.debian.org, Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Wed, 3 Oct 2012 11:44:29 +0200

On Thu, Sep 06, 2012 at 10:52:30AM -0500, Rob Browning wrote:
> Moritz Muehlenhoff <jmm@inutil.org> writes:
> 
> > I was more thinking about unstable, where this is still unfixed for emacs23.
> 
> In that case I've had to take some time to finish working out another
> problem (that requires simultaneous changes to emacs23/24 in both wheezy
> and sid) -- it's an issue with the emacs metapackage binary that
> involves the creation of a new gcc-defaults-style source package.
> 
> At this point, I think I've finished discussing that with the release
> team, but haven't had time since then (until today) to finish the work.
> I expect to have uploads for both before Monday.
> 
> > Hopefully someone will have time to release the stable-security update
> > soon.
> 
> How does that work?  I have the packages ready to go, but was just
> waiting for approval to upload -- or does the security team handle
> building stable packages?

Hi Rob,

Sorry for the late response. I've been very short of time the last months and
apparently no one else chimed in on this thread.

Please upload your build to security-master (it needs to be built with
-sa, since emacs23 is new in the stable-security suite (otherwise
the security buildd network will trigger strange errors)).

As for the other security issues (untrusted search path in CEDET):
I had a look at the Ubuntu security update for Emacs, which the released
they released a few days ago; they also ignored the CEDET issue since they couldn't
create a backport for the releases based on releases older than 23.3.

Also, since the vulnerability is rather far-fetched we can ignore it 
for Squeeze IMHO.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Nov 2012 07:30:31 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:42:25 2019; Machine Name: beach
