Debian Bug report logs - #499568
emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory
Reported by: Sven Joachim <svenjoac@gmx.de>
Date: Fri, 19 Sep 2008 22:36:01 UTC
Severity: grave
Tags: fixed-upstream, patch, security
Found in version emacs22/22.2+2-3
Fixed in version emacs22/22.2+2-4
Done: Rob Browning <rlb@defaultvalue.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Sven Joachim <svenjoac@gmx.de>, secure-testing-team@lists.alioth.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#499568; Package emacs22-common. (Fri, 19 Sep 2008 22:36:06 GMT)
Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>: New Bug report received and forwarded. Copy sent to Sven Joachim <svenjoac@gmx.de>, secure-testing-team@lists.alioth.debian.org, Rob Browning <rlb@defaultvalue.org>. (Fri, 19 Sep 2008 22:36:06 GMT)
Message #5 received at submit@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Package: emacs22-common
Version: 22.2+2-3
Severity: important
Tags: security patch fixed-upstream
The following mail was sent to the emacs-devel mailing list shortly
after the release of Emacs 22.3:
[Message part 2 (message/rfc822, inline)]
Romain Francoise has found a security risk in a feature of GNU Emacs
related to how Emacs interacts with Python. Emacs version 22.3, which
was just released, contains a fix. A patch for earlier versions of Emacs
is described below.
The vulnerability may allow an attacker to run malicious code if the
user runs the Emacs command `run-python' while the current directory is
world-writable, or if the user toggles `eldoc-mode' and visits a Python
source file in a world-writable directory.
Description of the vulnerability:
The Emacs command `run-python' launches an interactive Python
interpreter. After the Python process starts up, Emacs automatically
sends it the line
import emacs
which normally imports a script named emacs.py which is distributed with
Emacs. This script, which is typically located in a write-protected
installation directory with other Emacs program files, defines various
functions to help the Python process communicate with Emacs.
The vulnerability arises because Python, by default, prepends '' to the
module search path, so modules are looked for in the current directory.
If the current directory is world-writable, an attacker may insert
malicious code by adding a fake Python module named emacs.py into that
directory.
Furthermore, emacs.py imports other non-built-in Python modules, such as
`inspect'. The same vulnerability exists for these import statements.
By default, merely visiting and editing a *.py source file does not
launch a Python subprocess; you either have to call `M-x run-python', or
enable Emacs code that calls `run-python' automatically, such as
`eldoc-mode'.
The Python developers, in a private communication, have stated that they
do not regard this module-importing behavior as a security problem for
Python per se, because running a python script in a world-writable
directory is itself a security hazard. In the Emacs context, however,
it's much less obvious that it's unsafe to call `run-python' while the
current directory is world-writable; therefore, the problem discussed
here can be regarded as a security risk.
The following patch, against the Emacs 22.2 source tree, removes '' from
sys.path in the command-line arguments for invoking the Python process.
(Because `sys' is a "built-in module", an attacker cannot insert
malicious code by adding sys.py to the current directory.)
*** emacs/lisp/progmodes/python.el 8 May 2008 03:42:10 -0000 1.89
--- emacs/lisp/progmodes/python.el 24 Aug 2008 19:47:09 -0000 1.90
***************
*** 1547,1553 ****
;; invoked. Would support multiple processes better.
(when (or new (not (comint-check-proc python-buffer)))
(with-current-buffer
! (let* ((cmdlist (append (python-args-to-list cmd) '("-i")))
(path (getenv "PYTHONPATH"))
(process-environment ; to import emacs.py
(cons (concat
"PYTHONPATH="
--- 1547,1555 ----
;; invoked. Would support multiple processes better.
(when (or new (not (comint-check-proc python-buffer)))
(with-current-buffer
! (let* ((cmdlist
! (append (python-args-to-list cmd)
! '("-i" "-c" "import sys; sys.path.remove('')")))
(path (getenv "PYTHONPATH"))
(process-environment ; to import emacs.py
(cons (concat
"PYTHONPATH="
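Review bot: the new `-c` argument calls `sys.path.remove('')`, which raises ValueError whenever '' is not present on the path, and because `-i` still drops into the prompt after the exception, the user would see a traceback in the *Python* buffer at every startup instead of a failed import. A tolerant form such as `import sys; sys.path[:] = [p for p in sys.path if p != '']` gives the same protection with no failure mode. Note also that the PYTHONPATH handling in the unchanged context lines is left as-is, so a relative entry supplied by the user's own PYTHONPATH is not filtered by this change; that limitation is worth a sentence in the changelog.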
[Message part 3 (text/plain, inline)]
If you fix this vulnerability please also include the CVE id
in your changelog entry.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26.5-libata
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages emacs22-common depends on:
ii dpkg 1.14.22 Debian package management system
ii emacsen-common 1.4.17 Common facilities for all emacsen
emacs22-common recommends no packages.
Versions of packages emacs22-common suggests:
pn emacs22-common-non-dfsg <none> (no description available)
ii emacs22-el 22.2+2-3 GNU Emacs LISP (.el) files
-- no debconf information
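The forwarded description above explains the two ingredients of CVE-2008-3949: Python puts '' (the current directory) at the front of sys.path for an interactive or `-c` session, and run-python then issues `import emacs` from whatever directory Emacs happens to be in. The script below is an added example, not code from the bug report, from python.el or from the Emacs project. It probes a child interpreter to show the entry in place, builds a command line in the spirit of the patch, and adds the world-writable-directory check that the advisory describes as the real precondition. All helper names (`strip_cwd_entries`, `hardened_argv`, `probe_sys_path`, `mode_is_world_writable`, `is_world_writable`, `cwd_import_risk`) and the `SAFE_PATH_PRELUDE` string are this example's own. It generalises the patch slightly: the prelude filters both '' and '.' and does not raise when neither is present, which matters on Python 3.11 and later, where `-P` or `PYTHONSAFEPATH=1` already omit the entry.

```python
"""Added example (not from the bug report, python.el or Emacs): probe and
harden the module search path of a child Python interpreter, and check the
directory precondition the advisory describes. Helper names are this
example's own."""
import json
import os
import stat
import subprocess
import sys

# Prelude the hardened command line runs before any non-built-in import.
# Unlike the bare "sys.path.remove('')" in the upstream patch, the filter
# does not raise ValueError when the entry is already absent (for instance
# under Python 3.11+ started with -P or PYTHONSAFEPATH=1).
SAFE_PATH_PRELUDE = (
    "import sys; sys.path[:] = [p for p in sys.path if p not in ('', '.')]"
)


def strip_cwd_entries(path):
    """Return a copy of a module search path without the two spellings of
    'the current working directory' that the import system accepts."""
    return [p for p in path if p not in ("", ".")]


def hardened_argv(interpreter, extra_args=()):
    """Command line analogous to what the patched python.el builds: the user's
    own interpreter options first, then -i for the interactive session and a
    -c prelude that drops the current directory from sys.path."""
    return [interpreter, *extra_args, "-i", "-c", SAFE_PATH_PRELUDE]


def probe_sys_path(prelude=""):
    """Start a non-interactive child interpreter (no -i, so it exits on its
    own), optionally run PRELUDE first, and return its sys.path as a list."""
    stmts = ["import json, sys"]
    if prelude:
        stmts.append(prelude)
    stmts.append("print(json.dumps(sys.path))")
    completed = subprocess.run(
        [sys.executable, "-c", "; ".join(stmts)],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, check=True,
    )
    return json.loads(completed.stdout)


def mode_is_world_writable(mode):
    """True if the 'other' write bit is set in a st_mode value. The sticky
    bit is deliberately ignored: it stops deletion of foreign files, not the
    creation of a new emacs.py or inspect.py in that directory."""
    return bool(mode & stat.S_IWOTH)


def is_world_writable(directory):
    """Apply mode_is_world_writable to a directory on disk."""
    return mode_is_world_writable(os.stat(directory).st_mode)


def cwd_import_risk(directory, path):
    """The advisory's precondition in one predicate: importing with PATH while
    DIRECTORY is the current directory is exposed only if PATH still carries a
    cwd entry AND other users may write to the directory."""
    return is_world_writable(directory) and any(p in ("", ".") for p in path)


if __name__ == "__main__":
    default_path = probe_sys_path()
    hardened_path = probe_sys_path(SAFE_PATH_PRELUDE)
    print("default  sys.path[0]:", repr(default_path[0]))
    print("hardened path has cwd entry:", any(p in ("", ".") for p in hardened_path))
    print("hardened run-python argv:", hardened_argv("python", ["-B"]))
    print("cwd", os.getcwd(), "world-writable:", is_world_writable(os.getcwd()))
    print("import risk here (default path):", cwd_import_risk(os.getcwd(), default_path))
```

Run it from an ordinary directory and then from a world-writable one (such as a scratch directory you have chmod'ed 0777) to see `cwd_import_risk` flip from False to True on the default path while staying False on the hardened one; the probe uses the same interpreter that runs the script, so what it reports is the path a child `python` started by an editor would also see.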
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#499568; Package emacs22-common. (Sun, 21 Sep 2008 01:39:02 GMT)
Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>: Extra info received and forwarded to list. (Sun, 21 Sep 2008 01:39:02 GMT)
Message #10 received at 499568@bugs.debian.org:
Sven Joachim <svenjoac@gmx.de> writes:
> Package: emacs22-common
> Version: 22.2+2-3
> Severity: important
> Tags: security patch fixed-upstream
>
> The following mail was sent to the emacs-devel mailing list shortly
> after the release of Emacs 22.3:
Thanks for the report. I'll look in to this in the next few days.
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Severity set to `grave' from `important'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 02 Oct 2008 14:33:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#499568; Package emacs22-common. (Thu, 02 Oct 2008 18:57:02 GMT)
Acknowledgement sent to Steve Cotton <steve0001@s.cotton.clara.co.uk>: Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Thu, 02 Oct 2008 18:57:02 GMT)
Message #17 received at 499568@bugs.debian.org:
Bug #484305 reports the same problem in Vim, X-Chat,
Gnumeric, python-nautilus and gedit.
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#499568; Package emacs22-common. (Thu, 02 Oct 2008 20:09:02 GMT)
Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>: Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Thu, 02 Oct 2008 20:09:02 GMT)
Message #22 received at 499568@bugs.debian.org:
On 2008-10-02 20:56 +0200, Steve Cotton wrote:
> Bug #484305 reports the same problem in Vim, X-Chat,
> Gnumeric, python-nautilus and gedit.
And there are very likely dozens of other applications affected where
the problem just isn't known yet. Unfortunately the Python guys don't
seem to be willing to fix their gross design flaw, if I interpret
http://bugs.python.org/issue946373 correctly.
So yeah, we're going to enjoy more CVEs and DSAs like this one. :-/
Sven
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#499568; Package emacs22-common. (Mon, 06 Oct 2008 15:36:02 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Mon, 06 Oct 2008 15:36:02 GMT)
Message #27 received at 499568@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Hi Rob,
* Rob Browning <rlb@defaultvalue.org> [2008-09-21 14:23]:
> Sven Joachim <svenjoac@gmx.de> writes:
> > Package: emacs22-common
> > Version: 22.2+2-3
> > Severity: important
> > Tags: security patch fixed-upstream
> >
> > The following mail was sent to the emacs-devel mailing list shortly
> > after the release of Emacs 22.3:
>
> Thanks for the report. I'll look in to this in the next few days.
Any news on that? Do you need an NMU in case you have no
time to prepare an update yourself?
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#499568; Package emacs22-common. (Wed, 08 Oct 2008 05:33:03 GMT)
Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>: Extra info received and forwarded to list. (Wed, 08 Oct 2008 05:33:03 GMT)
Message #32 received at 499568@bugs.debian.org:
Nico Golde <nion@debian.org> writes:
> Hi Rob,
> * Rob Browning <rlb@defaultvalue.org> [2008-09-21 14:23]:
>> Sven Joachim <svenjoac@gmx.de> writes:
>> > Package: emacs22-common
>> > Version: 22.2+2-3
>> > Severity: important
>> > Tags: security patch fixed-upstream
>> >
>> > The following mail was sent to the emacs-devel mailing list shortly
>> > after the release of Emacs 22.3:
>>
>> Thanks for the report. I'll look in to this in the next few days.
>
> Any news on that? Do you need an NMU in case you have no
> time to prepare an update yourself?
Thanks for the offer. If we need this before this weekend, then yes,
please go ahead with an NMU. Otherwise I should be able to work on it
then.
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#499568; Package emacs22-common. (Wed, 15 Oct 2008 05:42:02 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Wed, 15 Oct 2008 05:42:03 GMT)
Message #37 received at 499568@bugs.debian.org:
Hi,
On Tue, 2008-10-07 at 22:28 -0700, Rob Browning wrote:
> Nico Golde <nion@debian.org> writes:
>
> > Hi Rob,
> > * Rob Browning <rlb@defaultvalue.org> [2008-09-21 14:23]:
[...]
> >> Thanks for the report. I'll look in to this in the next few days.
> >
> > Any news on that? Do you need an NMU in case you have no
> > time to prepare an update yourself?
>
> Thanks for the offer. If we need this before this weekend, then yes,
> please go ahead with an NMU. Otherwise I should be able to work on it
> then.
Any news on that (either way)?
Regards,
Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#499568; Package emacs22-common. (Wed, 15 Oct 2008 14:06:03 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Wed, 15 Oct 2008 14:06:03 GMT)
Message #42 received at 499568@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Hi Adam,
* Adam D. Barratt <adam@adam-barratt.org.uk> [2008-10-15 09:43]:
> On Tue, 2008-10-07 at 22:28 -0700, Rob Browning wrote:
> > Nico Golde <nion@debian.org> writes:
> >
> > > Hi Rob,
> > > * Rob Browning <rlb@defaultvalue.org> [2008-09-21 14:23]:
> [...]
> > >> Thanks for the report. I'll look in to this in the next few days.
> > >
> > > Any news on that? Do you need an NMU in case you have no
> > > time to prepare an update yourself?
> >
> > Thanks for the offer. If we need this before this weekend, then yes,
> > please go ahead with an NMU. Otherwise I should be able to work on it
> > then.
>
> Any news on that (either way)?
I got a mail by Robert stating that he needs a few more days
but is working on an upload.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#499568; Package emacs22-common. (Thu, 16 Oct 2008 03:57:05 GMT)
Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>: Extra info received and forwarded to list. (Thu, 16 Oct 2008 03:57:05 GMT)
Message #47 received at 499568@bugs.debian.org:
Nico Golde <nion@debian.org> writes:
> I got a mail by Robert stating that he needs a few more days but is
> working on an upload.
I went ahead and fixed a couple of other bugs while I was at it. I
should be uploading either tonight or tomorrow night.
Thanks
--
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
Reply sent to Rob Browning <rlb@defaultvalue.org>: You have taken responsibility. (Fri, 17 Oct 2008 02:30:07 GMT)
Notification sent to Sven Joachim <svenjoac@gmx.de>: Bug acknowledged by developer. (Fri, 17 Oct 2008 02:30:07 GMT)
Message #52 received at 499568-close@bugs.debian.org:
Source: emacs22
Source-Version: 22.2+2-4
We believe that the bug you reported is fixed in the latest version of
emacs22, which is due to be installed in the Debian FTP archive:
emacs22-bin-common_22.2+2-4_i386.deb
to pool/main/e/emacs22/emacs22-bin-common_22.2+2-4_i386.deb
emacs22-common_22.2+2-4_all.deb
to pool/main/e/emacs22/emacs22-common_22.2+2-4_all.deb
emacs22-el_22.2+2-4_all.deb
to pool/main/e/emacs22/emacs22-el_22.2+2-4_all.deb
emacs22-gtk_22.2+2-4_i386.deb
to pool/main/e/emacs22/emacs22-gtk_22.2+2-4_i386.deb
emacs22-nox_22.2+2-4_i386.deb
to pool/main/e/emacs22/emacs22-nox_22.2+2-4_i386.deb
emacs22_22.2+2-4.diff.gz
to pool/main/e/emacs22/emacs22_22.2+2-4.diff.gz
emacs22_22.2+2-4.dsc
to pool/main/e/emacs22/emacs22_22.2+2-4.dsc
emacs22_22.2+2-4_i386.deb
to pool/main/e/emacs22/emacs22_22.2+2-4_i386.deb
emacs_22.2+2-4_all.deb
to pool/main/e/emacs22/emacs_22.2+2-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 499568@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rob Browning <rlb@defaultvalue.org> (supplier of updated emacs22 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 14 Oct 2008 21:28:47 -0700
Source: emacs22
Binary: emacs emacs22 emacs22-nox emacs22-gtk emacs22-bin-common emacs22-common emacs22-el
Architecture: source all i386
Version: 22.2+2-4
Distribution: unstable
Urgency: medium
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Rob Browning <rlb@defaultvalue.org>
Description:
emacs - The GNU Emacs editor (metapackage)
emacs22 - The GNU Emacs editor
emacs22-bin-common - The GNU Emacs editor's shared, architecture dependent files
emacs22-common - The GNU Emacs editor's shared, architecture independent infrastru
emacs22-el - GNU Emacs LISP (.el) files
emacs22-gtk - The GNU Emacs editor (with GTK user interface)
emacs22-nox - The GNU Emacs editor (without X support)
Closes: 447378 476108 499568
Changes:
emacs22 (22.2+2-4) unstable; urgency=medium
.
* Fix a security problem related to the invocation of python
(CVE-2008-3949). Avoid including the current directory in the module
lookup path when invoking python from python.el. Thanks to Sven
Joachim <svenjoac@gmx.de> and Michael Berg <michaeljberg@gmail.com>.
(closes: #499568)
.
* Invoke xmlstarlet from flymake as xmlstarlet rather than xml. Thanks
to Jussi Judin <jjudin+debian@iki.fi>. (closes: #447378)
.
* Fix vc-mode's handling of internal temporary buffers. This should
avoid failures when trying to open files under monotone version
control. Thanks to Sven Joachim <svenjoac@gmx.de> and Michael Berg
<michaeljberg@gmail.com>. (closes: #476108)
Checksums-Sha1:
69718012718c33b073142c79f7fe054ed846c202 1340 emacs22_22.2+2-4.dsc
c87ec6f1735aff3f21a393cd1de367c465c2b38b 45460 emacs22_22.2+2-4.diff.gz
19cbb5ea528f335bb167f11105948b28662f81d6 19778 emacs_22.2+2-4_all.deb
9184cfc7436fb7164cc3c90685979a56b9ae2591 14628030 emacs22-common_22.2+2-4_all.deb
a232ad7c72c7db2fd8d43683063366ce1ebf4e6a 11357252 emacs22-el_22.2+2-4_all.deb
fa9fb9a9b1cfe63d7f4df66e5f4d30df6968d13f 2606864 emacs22_22.2+2-4_i386.deb
60a8d575cd43bdf6d70f8d77bcf641d1c51bae12 2339278 emacs22-nox_22.2+2-4_i386.deb
7ad563330e1e2a2d595baa74dfb197410f61bd03 2596376 emacs22-gtk_22.2+2-4_i386.deb
ce5d0f5fc57164a05009d3fad0a2c911a323d72d 165122 emacs22-bin-common_22.2+2-4_i386.deb
Checksums-Sha256:
5c46f7e73d53edf286317380b79183023533cc29d1db0fca6ee02a386a984357 1340 emacs22_22.2+2-4.dsc
85f4293d1f9a47b169873bcaf5461ed751f391be3b76bfc8e4565274b24ea1c9 45460 emacs22_22.2+2-4.diff.gz
525c7db3703a49b4fe8976d837e484bd9e9f0f53de7afc6a258858b12f5a62bc 19778 emacs_22.2+2-4_all.deb
36fad4ba39cc319f2be34185bb8ce264c96f251c3ce04be0a977b459f876cc6b 14628030 emacs22-common_22.2+2-4_all.deb
26cfe3f2c66fdbbd5741554563ad34c9ce4757371bee7222d3a29fc0731507e6 11357252 emacs22-el_22.2+2-4_all.deb
00af5e124348c0f38327616201013b32c028e709b980cfdcc99dbe5c66ed80f4 2606864 emacs22_22.2+2-4_i386.deb
600995816fbd7d3c947b5990e39bb5ceee9de59cba496753ba0f2417ae87851a 2339278 emacs22-nox_22.2+2-4_i386.deb
50aa87ee8a185043e7b30a4c72190836bfbe078a05f1042b8a895b1ab736b0d2 2596376 emacs22-gtk_22.2+2-4_i386.deb
17b7fa8ae0ccd3f7caa6b6eec7fe6998b14c7ac74544a32d1d6513f4cc498f38 165122 emacs22-bin-common_22.2+2-4_i386.deb
Files:
c1f78bfc9a2dbfdb9ed3d99abc25a6b2 1340 editors optional emacs22_22.2+2-4.dsc
aaf04d992f617f1848d628cccc0ac25f 45460 editors optional emacs22_22.2+2-4.diff.gz
f91f0e83a2b8fbcc610c024486bf28c5 19778 editors optional emacs_22.2+2-4_all.deb
f16d905a5c083104ce3a86d730610a01 14628030 editors optional emacs22-common_22.2+2-4_all.deb
886c564698c6d0bb5ae1ca1c3996e34d 11357252 editors optional emacs22-el_22.2+2-4_all.deb
099862d5c04036fae01310fd2976bc69 2606864 editors optional emacs22_22.2+2-4_i386.deb
b0bb50be3c80eb631d7b4740aa4b4b7f 2339278 editors optional emacs22-nox_22.2+2-4_i386.deb
147952f1dcbf1a997253677d4bfd692a 2596376 editors optional emacs22-gtk_22.2+2-4_i386.deb
84c4cd358a10c49d952d450927631580 165122 editors optional emacs22-bin-common_22.2+2-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkj37vgACgkQJcjTd4x+c6QGagCgqvTWqrn4mThlWurlNvROAuEi
3D8An2qKrY7ZvCl/L/Pd3gV9yaMkBaBN
=uOl+
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 Nov 2008 07:29:07 GMT)
Last modified: Wed Jun 19 15:39:08 2019