Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 197958 (CVE-2007-5795) - app-editors/emacs hack-local-variables Security bypass (CVE-2007-5795)
Summary: app-editors/emacs hack-local-variables Security bypass (CVE-2007-5795)
Status: RESOLVED FIXED
Alias: CVE-2007-5795
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-03 13:44 UTC by Robert Buchholz (RETIRED)
Modified: 2007-12-09 19:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 13:44:07 UTC
CVE-2007-5795 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5795):
  The hack-local-variables function in Emacs before 22.2, when
  enable-local-variables is set to :safe, does not properly search lists of
  unsafe or risky variables, which might allow user-assisted attackers to
  bypass intended restrictions and modify critical program variables via a file
  containing a Local variables declaration.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 13:46:47 UTC
Emacs, please advise.
Is any of our ebuilds affected, or maybe other packages than app-editors/emacs?
Comment 2 Ulrich Müller gentoo-dev 2007-11-03 15:05:46 UTC
Fixed in emacs-22.1-r2. Decreasing severity to B4 since the issue doesn't affect the default configuration.

Vulnerable versions: <22.1-r2
Unaffected versions: >=22.1-r2, <22

Arch teams: Please stabilise app-editors/emacs-22.1-r2.
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2007-11-03 17:33:18 UTC
alpha/ia64/stable
Comment 4 Dawid Węgliński (RETIRED) gentoo-dev 2007-11-03 19:12:32 UTC
Stable on x86
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2007-11-03 22:28:01 UTC
ppc64 stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-05 18:53:36 UTC
ppc stable
Comment 7 Mike Doty (RETIRED) gentoo-dev 2007-11-06 23:14:41 UTC
amd64 done(committed by wolf31o2 for me)
Comment 8 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-06 23:15:12 UTC
You'll probably want to back-port this to the latest SLOT=21 version, too.
Comment 9 Ulrich Müller gentoo-dev 2007-11-06 23:58:03 UTC
Vulnerable revision emacs-22.1-r1 removed.

(In reply to comment #8)
> You'll probably want to back-port this to the latest SLOT=21 version, too.

Emacs 21 is not affected; the relevant code is new in version 22.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-11-07 09:41:31 UTC
I tend to vote NO.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-11-12 21:59:33 UTC
Setting to B3 and voting
  YES

This vulnerability, if emacs is configured as described above, allows execution of arbitrary LISP (not shell) code, therefore can overwrite files writable by emacs. See last comment on the Debian report in URL.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-20 22:13:04 UTC
yes too, request filed.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-09 19:53:54 UTC
GLSA 200712-03