197958 CVE-2007-5795 2007-11-03 13:44 0000 app-editors/emacs hack-local-variables Security bypass (CVE-2007-5795) 2007-12-09 19:53:54 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449008 B3 [glsa] P2 minor --- 1 rbu@gentoo.org security@gentoo.org emacs@gentoo.org rbu@gentoo.org 2007-11-03 13:44:07 0000 CVE-2007-5795 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5795): The hack-local-variables function in Emacs before 22.2, when enable-local-variables is set to :safe, does not properly search lists of unsafe or risky variables, which might allow user-assisted attackers to bypass intended restrictions and modify critical program variables via a file containing a Local variables declaration. rbu@gentoo.org 2007-11-03 13:46:47 0000 Emacs, please advise. Is any of our ebuilds affected, or maybe other packages than app-editors/emacs? ulm@gentoo.org 2007-11-03 15:05:46 0000 Fixed in emacs-22.1-r2. Decreasing severity to B4 since the issue doesn't affect the default configuration. Vulnerable versions: <22.1-r2 Unaffected versions: >=22.1-r2, <22 Arch teams: Please stabilise app-editors/emacs-22.1-r2. armin76@gentoo.org 2007-11-03 17:33:18 0000 alpha/ia64/stable cla@gentoo.org 2007-11-03 19:12:32 0000 Stable on x86 corsair@gentoo.org 2007-11-03 22:28:01 0000 ppc64 stable dertobi123@gentoo.org 2007-11-05 18:53:36 0000 ppc stable kingtaco@gentoo.org 2007-11-06 23:14:41 0000 amd64 done(committed by wolf31o2 for me) wolf31o2@gentoo.org 2007-11-06 23:15:12 0000 You'll probably want to back-port this to the latest SLOT=21 version, too. ulm@gentoo.org 2007-11-06 23:58:03 0000 Vulnerable revision emacs-22.1-r1 removed. (In reply to comment #8) > You'll probably want to back-port this to the latest SLOT=21 version, too. Emacs 21 is not affected; the relevant code is new in version 22. jaervosz@gentoo.org 2007-11-07 09:41:31 0000 I tend to vote NO. rbu@gentoo.org 2007-11-12 21:59:33 0000 Setting to B3 and voting YES This vulnerability, if emacs is configured as described above, allows execution of arbitrary LISP (not shell) code, therefore can overwrite files writable by emacs. See last comment on the Debian report in URL. py@gentoo.org 2007-11-20 22:13:04 0000 yes too, request filed. py@gentoo.org 2007-12-09 19:53:54 0000 GLSA 200712-03