** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Chong Yidong wrote:

Romain Francoise has found a security risk in a feature of GNU Emacs related to interacting with Python.

Emacs allows the user to launch an interactive Python process. When this process is started, Emacs automatically sends it the line

    import emacs

which imports a script named emacs.py which is distributed with Emacs. This script is typically located in a write-protected installation directory, together with other Emacs program files; it provides various functions to help the Python process communicate with Emacs. Upon running, emacs.py imports other Python modules which are not built-in:

    import os, sys, traceback, inspect, __main__

Merely visiting and editing a *.py source file does not launch a Python subprocess; you have to enable certain Emacs modes, such as eldoc-mode, to do so.

The vulnerability arises because Python, by default, prepends '' to the module search path, so modules are looked for in the current directory. If the user opens a Python file in a world-writable directory, an attacker could insert malicious code by adding fake modules to that directory, such as a fake emacs.py or inspect.py.

The Python developers have told us that they do not regard the importing of modules from the current directory as a security problem for Python itself. The argument is that running a python script in a world-writable directory is itself a security hazard. However, when running an Emacs command, it may be much less obvious to the user that a security hazard is present.

The following patch, against the Emacs 22.2 source tree, fixes the problem by removing '' from sys.path in the command-line arguments for invoking the Python process. (Because `sys' is a "built-in module", an attacker cannot insert malicious code by adding sys.py to the current directory.)
A forthcoming release of GNU Emacs, version 22.3, will contain this fix. If any vendor would like further details, please send me an email. Please let us know before disclosing this vulnerability by updating your Emacs packages.
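The mechanism described in the report above, shown as an added example that is not part of the bug thread or of the Emacs patch: the '' entry Python puts on sys.path makes the import system search the current working directory, and the defence is to drop that entry before any import runs. The helpers, the argv layout and the FIX_PRELUDE string are assumptions modelled on the fix the report describes, not the code from emacs-python-nopwd.patch. The child-interpreter probe uses sys.executable so it runs offline.

```python
"""Added example: model the sys.path current-directory hazard and the fix
of stripping '' from sys.path before any module is imported.
(Hypothetical helpers; not the Emacs project's code.)"""
import os
import stat
import subprocess
import sys

# Entries that make the import system search the current working directory.
CWD_ENTRIES = ("", ".")

# Code run in the child before anything else; equivalent in effect to the
# "remove '' from sys.path" step the report describes. The loop (rather than a
# single remove) avoids ValueError when '' is already absent.
FIX_PRELUDE = "import sys\nwhile '' in sys.path: sys.path.remove('')"


def cwd_import_entries(path_list):
    """Return the sys.path entries that resolve to the current directory."""
    return [p for p in path_list if p in CWD_ENTRIES]


def harden_path(path_list):
    """Return path_list with every current-directory entry removed."""
    return [p for p in path_list if p not in CWD_ENTRIES]


def interpreter_argv(interpreter="python"):
    """argv for an interactive interpreter that strips '' from sys.path
    before the user's first import. (Hypothetical layout.)"""
    return [interpreter, "-i", "-c", FIX_PRELUDE]


def world_writable_without_sticky(directory):
    """True if others may create files in `directory` and the sticky bit is
    not set: the precondition for dropping a fake emacs.py or inspect.py
    that the report warns about."""
    mode = os.stat(directory).st_mode
    return bool(mode & stat.S_IWOTH) and not bool(mode & stat.S_ISVTX)


def child_has_cwd_on_path(prelude=""):
    """Start a real child interpreter via -c and report whether '' is on its
    sys.path after `prelude` has run."""
    code = prelude + "\nimport sys\nprint(int('' in sys.path))"
    out = subprocess.run([sys.executable, "-c", code],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip() == "1"


if __name__ == "__main__":
    # Constructed sample search path, as a default interpreter would have it.
    sample = ["", "/usr/lib/python3", "/usr/lib/python3/site-packages"]
    print("cwd entries:", cwd_import_entries(sample))
    print("hardened   :", harden_path(sample))
    print("argv       :", interpreter_argv())
    print("child w/o fix has '' on path:", child_has_cwd_on_path())
    print("child with fix has '' on path:", child_has_cwd_on_path(FIX_PRELUDE))
```

The interesting line is the one that starts the child with `-c FIX_PRELUDE`: because the removal runs inside the interpreter before the editor sends `import emacs`, a fake emacs.py or inspect.py sitting in the working directory is never on the search path, while the write-protected installation directory entries are left intact.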
Created attachment 164408 [details, diff] emacs-python-nopwd.patch
*** Bug 236508 has been marked as a duplicate of this bug. ***
Arch Security Liaisons, please test and mark stable:
=app-editors/emacs-22.2-r3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : maekke, armin76
app-editors/emacs <22 and app-editors/emacs-cvs are not affected.
amd64 stable
ppc64 stable
Stable for HPPA.
alpha/ia64/sparc/x86 stable
The vulnerability has been announced at <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can you please open this bug now?
(In reply to comment #9)
> The vulnerability has been announced at
> <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can
> you please open this bug now?

done, removing sec liaison and CC'ing remaining arches.
(In reply to comment #10)
> (In reply to comment #9)
> > The vulnerability has been announced at
> > <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can
> > you please open this bug now?
>
> done, removing sec liaison and CC'ing remaining arches.

This bug can be safely closed after a possible GLSA as we handle further stabilisations in bug 220535
(In reply to comment #11)
> (In reply to comment #10)
> > (In reply to comment #9)
> > > The vulnerability has been announced at
> > > <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can
> > > you please open this bug now?
> >
> > done, removing sec liaison and CC'ing remaining arches.
>
> This bug can be safely closed after a possible GLSA as we handle further
> stabilisations in bug 220535

ok, thanks for the info.
ppc stable
All supported archs stable.

Vulnerable versions: <22.2-r3
Unaffected: >=22.2-r3, <22
arm/s390/sh stable, thanks vapier and armin76.
Security, can we assist you in any way bringing out the GLSA? Maybe by reviewing it.
GLSA 200902-06, sorry for the delay.