emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory

Debian Bug report logs - #499568
emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sven Joachim <svenjoac@gmx.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory

Date: Fri, 19 Sep 2008 23:06:33 +0200

[Message part 1 (text/plain, inline)]

Package: emacs22-common
Version: 22.2+2-3
Severity: important
Tags: security patch fixed-upstream

The following mail was sent to the emacs-devel mailing list shortly
after the release of Emacs 22.3:

[Message part 2 (message/rfc822, inline)]

From: Chong Yidong <cyd@stupidchicken.com>

To: emacs-devel@gnu.org

Subject: Vulnerability in Emacs python integration

Date: Fri, 05 Sep 2008 13:16:38 -0400

Romain Francoise has found a security risk in a feature of GNU Emacs
related to how Emacs interacts with Python.  Emacs version 22.3, which
was just released, contains a fix.  A patch for earlier version of Emacs
is described below.

The vulnerability may allow an attacker to run malicious code if the
user runs the Emacs command `run-python' while the current directory is
world-writable, or if the user toggles `eldoc-mode' and visits a Python
source file in a world-writable directory.


Description of the vulnerability:

The Emacs command `run-python' launches an interactive Python
interpreter.  After the Python process starts up, Emacs automatically
sends it the line

import emacs

which normally imports a script named emacs.py which is distributed with
Emacs.  This script, which is typically located in a write-protected
installation directory with other Emacs program files, defines various
functions to help the Python process communicate with Emacs.

The vulnerability arises because Python, by default, prepends '' to the
module search path, so modules are looked for in the current directory.
If the current directory is world-writable, an attacker may insert
malicious code by adding a fake Python module named emacs.py into that
directory.

Furthermore, emacs.py imports other non-built-in Python modules, such as
`inspect'.  The same vulnerability exists for these import statements.

By default, merely visiting and editing a *.py source file does not
launch a Python subprocess; you either have to call `M-x run-python', or
enable Emacs code that calls `run-python' automatically, such as
`eldoc-mode'.

The Python developers, in a private communication, have stated that they
do not regard this module-importing behavior as a security problem for
Python per se, because running a python script in a world-writable
directory is itself a security hazard.  In the Emacs context, however,
it's much less obvious that it's unsafe to call `run-python' while the
current directory is world-writable; therefore, the problem discussed
here can be regarded as a security risk.

The following patch, against the Emacs 22.2 source tree, removes '' from
sys.path in the command-line arguments for invoking the Python process.
(Because `sys' is a "built-in module", an attacker cannot insert
malicious code by adding sys.py to the current directory.)

*** emacs/lisp/progmodes/python.el    8 May 2008 03:42:10 -0000      1.89
--- emacs/lisp/progmodes/python.el    24 Aug 2008 19:47:09 -0000     1.90
***************
*** 1547,1553 ****
    ;; invoked.  Would support multiple processes better.
    (when (or new (not (comint-check-proc python-buffer)))
      (with-current-buffer
!     (let* ((cmdlist (append (python-args-to-list cmd) '("-i")))
             (path (getenv "PYTHONPATH"))
                    (process-environment        ; to import emacs.py
                                                (cons (concat
                                                "PYTHONPATH="
--- 1547,1555 ----
    ;; invoked.  Would support multiple processes better.
    (when (or new (not (comint-check-proc python-buffer)))
      (with-current-buffer
!     (let* ((cmdlist
!           (append (python-args-to-list cmd)
!                                        '("-i" "-c" "import sys; sys.path.remove('')")))
               (path (getenv "PYTHONPATH"))
                      (process-environment      ; to import emacs.py
                                                (cons (concat
                                                "PYTHONPATH="

[Message part 3 (text/plain, inline)]

If you fix this vulnerability please also include the CVE id
in your changelog entry.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26.5-libata
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages emacs22-common depends on:
ii  dpkg                          1.14.22    Debian package management system
ii  emacsen-common                1.4.17     Common facilities for all emacsen

emacs22-common recommends no packages.

Versions of packages emacs22-common suggests:
pn  emacs22-common-non-dfsg       <none>     (no description available)
ii  emacs22-el                    22.2+2-3   GNU Emacs LISP (.el) files

-- no debconf information

Message #10 received at 499568@bugs.debian.org (full text, mbox, reply):

From: Rob Browning <rlb@defaultvalue.org>

To: Sven Joachim <svenjoac@gmx.de>

Cc: 499568@bugs.debian.org

Subject: Re: Bug#499568: emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory

Date: Sat, 20 Sep 2008 18:35:37 -0700

Sven Joachim <svenjoac@gmx.de> writes:

> Package: emacs22-common
> Version: 22.2+2-3
> Severity: important
> Tags: security patch fixed-upstream
>
> The following mail was sent to the emacs-devel mailing list shortly
> after the release of Emacs 22.3:

Thanks for the report.  I'll look in to this in the next few days.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

Message #17 received at 499568@bugs.debian.org (full text, mbox, reply):

From: Steve Cotton <steve0001@s.cotton.clara.co.uk>

To: 499568@bugs.debian.org

Subject: Not just Emacs

Date: Thu, 2 Oct 2008 19:56:28 +0100

Bug #484305 reports the same problem in Vim, X-Chat,
Gnumeric, python-nautilus and gedit.

Message #22 received at 499568@bugs.debian.org (full text, mbox, reply):

From: Sven Joachim <svenjoac@gmx.de>

To: Steve Cotton <steve0001@s.cotton.clara.co.uk>

Cc: 499568@bugs.debian.org

Subject: Re: Bug#499568: Not just Emacs

Date: Thu, 02 Oct 2008 22:05:52 +0200

On 2008-10-02 20:56 +0200, Steve Cotton wrote:

> Bug #484305 reports the same problem in Vim, X-Chat,
> Gnumeric, python-nautilus and gedit.

And there are very likely dozens of other applications affected where
the problem just isn't known yet.  Unfortunately the Python guys don't
seem to be willing to fix their gross design flaw, if I interpret
http://bugs.python.org/issue946373 correctly.

So yeah, we're going to enjoy more CVEs and DSAs like this one. :-/

Sven

Message #27 received at 499568@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Rob Browning <rlb@defaultvalue.org>, 499568@bugs.debian.org

Subject: Re: Bug#499568: emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory

Date: Mon, 6 Oct 2008 17:33:49 +0200

[Message part 1 (text/plain, inline)]

Hi Rob,
* Rob Browning <rlb@defaultvalue.org> [2008-09-21 14:23]:
> Sven Joachim <svenjoac@gmx.de> writes:
> > Package: emacs22-common
> > Version: 22.2+2-3
> > Severity: important
> > Tags: security patch fixed-upstream
> >
> > The following mail was sent to the emacs-devel mailing list shortly
> > after the release of Emacs 22.3:
> 
> Thanks for the report.  I'll look in to this in the next few days.

Any news on that? Do you need an NMU in case you have no 
time to prepare an update yourself?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #32 received at 499568@bugs.debian.org (full text, mbox, reply):

From: Rob Browning <rlb@defaultvalue.org>

To: Nico Golde <nion@debian.org>

Cc: 499568@bugs.debian.org

Subject: Re: Bug#499568: emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory

Date: Tue, 07 Oct 2008 22:28:09 -0700

Nico Golde <nion@debian.org> writes:

> Hi Rob,
> * Rob Browning <rlb@defaultvalue.org> [2008-09-21 14:23]:
>> Sven Joachim <svenjoac@gmx.de> writes:
>> > Package: emacs22-common
>> > Version: 22.2+2-3
>> > Severity: important
>> > Tags: security patch fixed-upstream
>> >
>> > The following mail was sent to the emacs-devel mailing list shortly
>> > after the release of Emacs 22.3:
>> 
>> Thanks for the report.  I'll look in to this in the next few days.
>
> Any news on that? Do you need an NMU in case you have no 
> time to prepare an update yourself?

Thanks for the offer.  If we need this before this weekend, then yes,
please go ahead with an NMU.  Otherwise I should be able to work on it
then.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

Message #37 received at 499568@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Rob Browning <rlb@defaultvalue.org>, 499568@bugs.debian.org

Cc: Nico Golde <nion@debian.org>

Subject: Re: Bug#499568: emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory

Date: Wed, 15 Oct 2008 06:38:48 +0100

Hi,

On Tue, 2008-10-07 at 22:28 -0700, Rob Browning wrote: 
> Nico Golde <nion@debian.org> writes:
> 
> > Hi Rob,
> > * Rob Browning <rlb@defaultvalue.org> [2008-09-21 14:23]:
[...] 
> >> Thanks for the report.  I'll look in to this in the next few days.
> >
> > Any news on that? Do you need an NMU in case you have no 
> > time to prepare an update yourself?
> 
> Thanks for the offer.  If we need this before this weekend, then yes,
> please go ahead with an NMU.  Otherwise I should be able to work on it
> then.

Any news on that (either way)?

Regards,

Adam

Message #42 received at 499568@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Cc: Rob Browning <rlb@defaultvalue.org>, 499568@bugs.debian.org

Subject: Re: Bug#499568: emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory

Date: Wed, 15 Oct 2008 16:03:56 +0200

[Message part 1 (text/plain, inline)]

Hi Adam,
* Adam D. Barratt <adam@adam-barratt.org.uk> [2008-10-15 09:43]:
> On Tue, 2008-10-07 at 22:28 -0700, Rob Browning wrote: 
> > Nico Golde <nion@debian.org> writes:
> > 
> > > Hi Rob,
> > > * Rob Browning <rlb@defaultvalue.org> [2008-09-21 14:23]:
> [...] 
> > >> Thanks for the report.  I'll look in to this in the next few days.
> > >
> > > Any news on that? Do you need an NMU in case you have no 
> > > time to prepare an update yourself?
> > 
> > Thanks for the offer.  If we need this before this weekend, then yes,
> > please go ahead with an NMU.  Otherwise I should be able to work on it
> > then.
> 
> Any news on that (either way)?

I got a mail by Robert stating that he needs a few more days 
but is working on an upload.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #47 received at 499568@bugs.debian.org (full text, mbox, reply):

From: Rob Browning <rlb@defaultvalue.org>

To: Nico Golde <nion@debian.org>

Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 499568@bugs.debian.org

Subject: Re: Bug#499568: emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory

Date: Wed, 15 Oct 2008 20:55:51 -0700

Nico Golde <nion@debian.org> writes:

> I got a mail by Robert stating that he needs a few more days but is
> working on an upload.

I went ahead and fixed a couple of other bugs while I was at it.  I
should be uploading either tonight or tomorrow night.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

Message #52 received at 499568-close@bugs.debian.org (full text, mbox, reply):

From: Rob Browning <rlb@defaultvalue.org>

To: 499568-close@bugs.debian.org

Subject: Bug#499568: fixed in emacs22 22.2+2-4

Date: Fri, 17 Oct 2008 02:02:07 +0000

Source: emacs22
Source-Version: 22.2+2-4

We believe that the bug you reported is fixed in the latest version of
emacs22, which is due to be installed in the Debian FTP archive:

emacs22-bin-common_22.2+2-4_i386.deb
  to pool/main/e/emacs22/emacs22-bin-common_22.2+2-4_i386.deb
emacs22-common_22.2+2-4_all.deb
  to pool/main/e/emacs22/emacs22-common_22.2+2-4_all.deb
emacs22-el_22.2+2-4_all.deb
  to pool/main/e/emacs22/emacs22-el_22.2+2-4_all.deb
emacs22-gtk_22.2+2-4_i386.deb
  to pool/main/e/emacs22/emacs22-gtk_22.2+2-4_i386.deb
emacs22-nox_22.2+2-4_i386.deb
  to pool/main/e/emacs22/emacs22-nox_22.2+2-4_i386.deb
emacs22_22.2+2-4.diff.gz
  to pool/main/e/emacs22/emacs22_22.2+2-4.diff.gz
emacs22_22.2+2-4.dsc
  to pool/main/e/emacs22/emacs22_22.2+2-4.dsc
emacs22_22.2+2-4_i386.deb
  to pool/main/e/emacs22/emacs22_22.2+2-4_i386.deb
emacs_22.2+2-4_all.deb
  to pool/main/e/emacs22/emacs_22.2+2-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 499568@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <rlb@defaultvalue.org> (supplier of updated emacs22 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Oct 2008 21:28:47 -0700
Source: emacs22
Binary: emacs emacs22 emacs22-nox emacs22-gtk emacs22-bin-common emacs22-common emacs22-el
Architecture: source all i386
Version: 22.2+2-4
Distribution: unstable
Urgency: medium
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Rob Browning <rlb@defaultvalue.org>
Description: 
 emacs      - The GNU Emacs editor (metapackage)
 emacs22    - The GNU Emacs editor
 emacs22-bin-common - The GNU Emacs editor's shared, architecture dependent files
 emacs22-common - The GNU Emacs editor's shared, architecture independent infrastru
 emacs22-el - GNU Emacs LISP (.el) files
 emacs22-gtk - The GNU Emacs editor (with GTK user interface)
 emacs22-nox - The GNU Emacs editor (without X support)
Closes: 447378 476108 499568
Changes: 
 emacs22 (22.2+2-4) unstable; urgency=medium
 .
   * Fix a security problem related to the invocation of python
     (CVE-2008-3949).  Avoid including the current directory in the module
     lookup path when invoking python from python.el.  Thanks to Sven
     Joachim <svenjoac@gmx.de> and Michael Berg <michaeljberg@gmail.com>.
     (closes: #499568)
 .
   * Invoke xmlstarlet from flymake as xmlstarlet rather than xml.  Thanks
     to Jussi Judin <jjudin+debian@iki.fi>. (closes: #447378)
 .
   * Fix vc-mode's handling of internal temporary buffers.  This should
     avoid failures when trying to open files under monotone version
     control.  Thanks to Sven Joachim <svenjoac@gmx.de> and Michael Berg
     <michaeljberg@gmail.com>. (closes: #476108)
Checksums-Sha1: 
 69718012718c33b073142c79f7fe054ed846c202 1340 emacs22_22.2+2-4.dsc
 c87ec6f1735aff3f21a393cd1de367c465c2b38b 45460 emacs22_22.2+2-4.diff.gz
 19cbb5ea528f335bb167f11105948b28662f81d6 19778 emacs_22.2+2-4_all.deb
 9184cfc7436fb7164cc3c90685979a56b9ae2591 14628030 emacs22-common_22.2+2-4_all.deb
 a232ad7c72c7db2fd8d43683063366ce1ebf4e6a 11357252 emacs22-el_22.2+2-4_all.deb
 fa9fb9a9b1cfe63d7f4df66e5f4d30df6968d13f 2606864 emacs22_22.2+2-4_i386.deb
 60a8d575cd43bdf6d70f8d77bcf641d1c51bae12 2339278 emacs22-nox_22.2+2-4_i386.deb
 7ad563330e1e2a2d595baa74dfb197410f61bd03 2596376 emacs22-gtk_22.2+2-4_i386.deb
 ce5d0f5fc57164a05009d3fad0a2c911a323d72d 165122 emacs22-bin-common_22.2+2-4_i386.deb
Checksums-Sha256: 
 5c46f7e73d53edf286317380b79183023533cc29d1db0fca6ee02a386a984357 1340 emacs22_22.2+2-4.dsc
 85f4293d1f9a47b169873bcaf5461ed751f391be3b76bfc8e4565274b24ea1c9 45460 emacs22_22.2+2-4.diff.gz
 525c7db3703a49b4fe8976d837e484bd9e9f0f53de7afc6a258858b12f5a62bc 19778 emacs_22.2+2-4_all.deb
 36fad4ba39cc319f2be34185bb8ce264c96f251c3ce04be0a977b459f876cc6b 14628030 emacs22-common_22.2+2-4_all.deb
 26cfe3f2c66fdbbd5741554563ad34c9ce4757371bee7222d3a29fc0731507e6 11357252 emacs22-el_22.2+2-4_all.deb
 00af5e124348c0f38327616201013b32c028e709b980cfdcc99dbe5c66ed80f4 2606864 emacs22_22.2+2-4_i386.deb
 600995816fbd7d3c947b5990e39bb5ceee9de59cba496753ba0f2417ae87851a 2339278 emacs22-nox_22.2+2-4_i386.deb
 50aa87ee8a185043e7b30a4c72190836bfbe078a05f1042b8a895b1ab736b0d2 2596376 emacs22-gtk_22.2+2-4_i386.deb
 17b7fa8ae0ccd3f7caa6b6eec7fe6998b14c7ac74544a32d1d6513f4cc498f38 165122 emacs22-bin-common_22.2+2-4_i386.deb
Files: 
 c1f78bfc9a2dbfdb9ed3d99abc25a6b2 1340 editors optional emacs22_22.2+2-4.dsc
 aaf04d992f617f1848d628cccc0ac25f 45460 editors optional emacs22_22.2+2-4.diff.gz
 f91f0e83a2b8fbcc610c024486bf28c5 19778 editors optional emacs_22.2+2-4_all.deb
 f16d905a5c083104ce3a86d730610a01 14628030 editors optional emacs22-common_22.2+2-4_all.deb
 886c564698c6d0bb5ae1ca1c3996e34d 11357252 editors optional emacs22-el_22.2+2-4_all.deb
 099862d5c04036fae01310fd2976bc69 2606864 editors optional emacs22_22.2+2-4_i386.deb
 b0bb50be3c80eb631d7b4740aa4b4b7f 2339278 editors optional emacs22-nox_22.2+2-4_i386.deb
 147952f1dcbf1a997253677d4bfd692a 2596376 editors optional emacs22-gtk_22.2+2-4_i386.deb
 84c4cd358a10c49d952d450927631580 165122 editors optional emacs22-bin-common_22.2+2-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj37vgACgkQJcjTd4x+c6QGagCgqvTWqrn4mThlWurlNvROAuEi
3D8An2qKrY7ZvCl/L/Pd3gV9yaMkBaBN
=uOl+
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.