Bug 197958 - app-editors/emacs hack-local-variables Security bypass (CVE-2007-5795)
Bug#: 197958 (CVE-2007-5795) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449008
Summary: app-editors/emacs hack-local-variables Security bypass (CVE-2007-5795)
Keywords:  
Status Whiteboard: B3 [glsa]
Opened: 2007-11-03 13:44 0000
Description:   Opened: 2007-11-03 13:44 0000 
CVE-2007-5795 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5795):
  The hack-local-variables function in Emacs before 22.2, when
  enable-local-variables is set to :safe, does not properly search lists of
  unsafe or risky variables, which might allow user-assisted attackers to
  bypass intended restrictions and modify critical program variables via a file
  containing a Local variables declaration.

------- Comment #1 From Robert Buchholz 2007-11-03 13:46:47 0000 ------- 
Emacs, please advise.
Is any of our ebuilds affected, or maybe other packages than app-editors/emacs?

------- Comment #2 From Ulrich Müller 2007-11-03 15:05:46 0000 ------- 
Fixed in emacs-22.1-r2. Decreasing severity to B4 since the issue doesn't
affect the default configuration.

Vulnerable versions: <22.1-r2
Unaffected versions: >=22.1-r2, <22

Arch teams: Please stabilise app-editors/emacs-22.1-r2.

------- Comment #3 From Raúl Porcel 2007-11-03 17:33:18 0000 ------- 
alpha/ia64/stable

------- Comment #4 From Dawid Węgliński 2007-11-03 19:12:32 0000 ------- 
Stable on x86

------- Comment #5 From Markus Rothe 2007-11-03 22:28:01 0000 ------- 
ppc64 stable

------- Comment #6 From Tobias Scherbaum 2007-11-05 18:53:36 0000 ------- 
ppc stable

------- Comment #7 From Mike Doty 2007-11-06 23:14:41 0000 ------- 
amd64 done(committed by wolf31o2 for me)

------- Comment #8 From Chris Gianelloni (RETIRED) 2007-11-06 23:15:12 0000 ------- 
You'll probably want to back-port this to the latest SLOT=21 version, too.

------- Comment #9 From Ulrich Müller 2007-11-06 23:58:03 0000 ------- 
Vulnerable revision emacs-22.1-r1 removed.

(In reply to comment #8)
> You'll probably want to back-port this to the latest SLOT=21 version, too.

Emacs 21 is not affected; the relevant code is new in version 22.

------- Comment #10 From Sune Kloppenborg Jeppesen 2007-11-07 09:41:31 0000 ------- 
I tend to vote NO.

------- Comment #11 From Robert Buchholz 2007-11-12 21:59:33 0000 ------- 
Setting to B3 and voting
  YES

This vulnerability, if emacs is configured as described above, allows execution
of arbitrary LISP (not shell) code, therefore can overwrite files writable by
emacs. See last comment on the Debian report in URL.

------- Comment #12 From Pierre-Yves Rofes 2007-11-20 22:13:04 0000 ------- 
yes too, request filed.

------- Comment #13 From Pierre-Yves Rofes 2007-12-09 19:53:54 0000 ------- 
GLSA 200712-03