Bug 236498 (CVE-2008-3949) - app-editors/emacs < 22.2-r3 Interactive Python Session loads module from PWD (CVE-2008-3949)
Status: RESOLVED FIXED
Alias: CVE-2008-3949
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Duplicates: 236508
Depends on: 220535
Blocks:
Reported: 2008-09-02 20:50 UTC by Robert Buchholz (RETIRED)
Modified: 2009-02-23 22:23 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments
emacs-python-nopwd.patch (emacs-python-nopwd.patch,1.16 KB, patch)
2008-09-02 20:52 UTC, Robert Buchholz (RETIRED)
Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-02 20:50:53 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Chong Yidong wrote:
Romain Francoise has found a security risk in a feature of GNU Emacs
related to interacting with Python.

Emacs allows the user to launch an interactive Python process.  When
this process is started, Emacs automatically sends it the line

import emacs

which imports a script named emacs.py which is distributed with Emacs.
This script is typically located in a write-protected installation
directory, together with other Emacs program files; it provides various
functions to help the Python process communicate with Emacs.  Upon
running, emacs.py imports other Python modules which are not built-in:

import os, sys, traceback, inspect, __main__

Merely visiting and editing a *.py source file does not launch a Python
subprocess; you have to enable certain Emacs modes, such as eldoc-mode,
to do so.

The vulnerability arises because Python, by default, prepends '' to the
module search path, so modules are looked for in the current directory.
If the user opens a Python file in a world-writable directory, an
attacker could insert malicious code by adding fake modules to that
directory, such as a fake emacs.py or inspect.py.

The Python developers have told us that they do not regard the importing
of modules from the current directory as a security problem for Python
itself.  The argument is that running a python script in a
world-writable directory is itself a security hazard.  However, when
running an Emacs command, it may be much less obvious to the user that a
security hazard is present.

The following patch, against the Emacs 22.2 source tree, fixes the
problem by removing '' from sys.path in the command-line arguments for
invoking the Python process.  (Because `sys' is a "built-in module", an
attacker cannot insert malicious code by adding sys.py to the current
directory.)

A forthcoming release of GNU Emacs, version 22.3, will contain this fix.

If any vendor would like further details, please send me an email.
Please let us know before disclosing this vulnerability by updating your
Emacs packages.
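The root cause described above is Python's default of placing '' (the current working directory) at the front of sys.path for interactive and -c invocations, and the fix class is to drop that entry before importing the helper module. The following is an added example to illustrate both sides of that; it is not the Emacs patch attached to this bug and not part of the Gentoo or Emacs code. The helper names (cwd_entries, sanitize_path, interpreter_command, startup_sys_path) are the example's own, and the module name 'emacs' is the one the advisory says Emacs imports.

```python
"""Added example (not from the Emacs patch or the Gentoo bug): demonstrates
why `import emacs` could resolve a stray ./emacs.py and how a launcher can
remove the current-directory entry from sys.path before importing anything.
"""
import json
import os
import subprocess
import sys


def cwd_entries(path_list, cwd=None):
    """Return the entries of path_list that point at the current directory:
    the empty string, '.', or an absolute path equal to cwd (defaults to
    os.getcwd()). These are the entries that make a module lookup consult
    whatever directory the editor happens to be in."""
    cwd = os.path.abspath(cwd or os.getcwd())
    hits = []
    for entry in path_list:
        if entry in ("", "."):
            hits.append(entry)
        elif os.path.isabs(entry) and os.path.abspath(entry) == cwd:
            hits.append(entry)
    return hits


def sanitize_path(path_list, cwd=None):
    """Return a copy of path_list with every current-directory entry removed,
    leaving the installed library locations untouched."""
    bad = set(cwd_entries(path_list, cwd))
    return [p for p in path_list if p not in bad]


def interpreter_command(python="python", module="emacs"):
    """Build the argv an editor could use to start its interactive Python.
    The bootstrap strips '' from sys.path before importing the helper module,
    which is the approach the advisory describes; `sys` itself is a built-in
    module, so it cannot be shadowed from the working directory. The flags
    used are the real CPython ones: -i keeps the interpreter interactive
    after running the -c code."""
    bootstrap = ("import sys; sys.path = [p for p in sys.path if p != '']; "
                 "import %s" % module)
    return [python, "-i", "-c", bootstrap]


def startup_sys_path(sanitized, python=None):
    """Start a fresh interpreter with -c (as an editor would) and return the
    sys.path it actually sees. With sanitized=False the default startup is
    observed; with sanitized=True the current-directory entry is dropped
    first. PYTHONSAFEPATH is cleared so the default behaviour is what is
    measured even on Python 3.11+."""
    python = python or sys.executable
    strip = "sys.path = [p for p in sys.path if p != '']; " if sanitized else ""
    code = "import sys, json; %sprint(json.dumps(sys.path))" % strip
    env = dict(os.environ)
    env.pop("PYTHONSAFEPATH", None)
    out = subprocess.run([python, "-c", code], capture_output=True, text=True,
                         check=True, env=env)
    return json.loads(out.stdout)


if __name__ == "__main__":
    # Constructed sample path, modelled on a typical installation layout.
    sample = ["", "/usr/lib/python3/site-packages", "/usr/lib/python3"]
    print("current-directory entries:", cwd_entries(sample))
    print("sanitized:", sanitize_path(sample))
    print("launch argv:", interpreter_command())
    print("'' in default startup path:", "" in startup_sys_path(False))
    print("'' in sanitized startup path:", "" in startup_sys_path(True))
```

Running the block shows that a default -c interpreter does report '' at the front of sys.path, while the sanitized bootstrap does not; the same check can be pointed at any editor's Python integration by inspecting the argv it passes to the interpreter.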
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-02 20:52:47 UTC
Created attachment 164408 [details, diff]
emacs-python-nopwd.patch
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2008-09-02 21:42:10 UTC
*** Bug 236508 has been marked as a duplicate of this bug. ***
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-09-02 22:17:32 UTC
Arch Security Liaisons, please test and mark stable:
=app-editors/emacs-22.2-r3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 4 Ulrich Müller gentoo-dev 2008-09-03 00:22:16 UTC
app-editors/emacs <22 and app-editors/emacs-cvs are not affected.
Comment 5 Olivier Crete (RETIRED) gentoo-dev 2008-09-03 03:09:51 UTC
amd64 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2008-09-03 06:08:41 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-03 07:04:05 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-09-03 09:51:26 UTC
alpha/ia64/sparc/x86 stable
Comment 9 Ulrich Müller gentoo-dev 2008-09-05 19:07:06 UTC
The vulnerability has been announced at <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can you please open this bug now?
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-05 20:31:54 UTC
(In reply to comment #9)
> The vulnerability has been announced at
> <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can
> you please open this bug now?
> 
done, removing sec liaison and CC'ing remaining arches.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2008-09-05 20:38:46 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > The vulnerability has been announced at
> > <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can
> > you please open this bug now?
> > 
> done, removing sec liaison and CC'ing remaining arches.

 This bug can be safely closed after a possible GLSA as we handle further stabilisations in bug 220535
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-05 20:40:42 UTC
(In reply to comment #11)
> (In reply to comment #10)
> > (In reply to comment #9)
> > > The vulnerability has been announced at
> > > <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can
> > > you please open this bug now?
> > > 
> > done, removing sec liaison and CC'ing remaining arches.
> 
>  This bug can be safely closed after a possible GLSA as we handle further
> stabilisations in bug 220535
> 

ok, thanks for the info.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-06 21:35:55 UTC
ppc stable
Comment 14 Ulrich Müller gentoo-dev 2008-09-06 22:07:48 UTC
All supported archs stable.

Vulnerable versions: <22.2-r3
Unaffected:          >=22.2-r3, <22
Comment 15 Ulrich Müller gentoo-dev 2008-09-26 09:28:29 UTC
arm/s390/sh stable, thanks vapier and armin76.
Comment 16 Christian Faulhammer (RETIRED) gentoo-dev 2009-01-29 07:54:48 UTC
Security, can we assist you in any way bringing out the GLSA?  Maybe by reviewing it.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-02-23 22:23:36 UTC
GLSA 200902-06, sorry for the delay.