Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 398239 - <app-editors/emacs-23.3-r4 : security flaw in EDE, local execution of arbitrary code (CVE-2012-0035)
Summary: <app-editors/emacs-23.3-r4 : security flaw in EDE, local execution of arbitra...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://lists.gnu.org/archive/html/ema...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-09 11:54 UTC by Ulrich Müller
Modified: 2014-03-20 10:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2012-01-09 11:54:37 UTC
+++ This bug was initially created as a clone of Bug #398227 +++

"Hiroshi Oota has found a security flaw in EDE (part of CEDET), a development tool included in Emacs. EDE can store various information about a project, such as how to build the project, in a file named Project.ede in the project directory tree. When the minor mode `global-ede-mode' is enabled, visiting a file causes Emacs to look for Project.ede in the file's directory or one of its parent directories. If Project.ede is present, Emacs automatically reads and evaluates the first Lisp expression in it.

This design exposes EDE users to the danger of loading malicious code from one file (Project.ede), simply by visiting another file in the same directory tree."

This affects app-editors/emacs-23.2* and -23.3* (CEDET was added in Emacs 23.2).
Comment 1 Ulrich Müller gentoo-dev 2012-01-09 11:58:39 UTC
Upstream commit is here:
<http://bzr.savannah.gnu.org/lh/emacs/emacs-23/revision/100631>

CCing arch teams, please stabilise app-editors/emacs-23.3-r4.
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-09 20:51:11 UTC
According to Tim, is B
Comment 3 Agostino Sarubbo gentoo-dev 2012-01-09 20:57:27 UTC
amd64 stable
Comment 4 Ulrich Müller gentoo-dev 2012-01-09 22:21:30 UTC
Hm, the summary isn't quite accurate. Please note that versions <23.2 don't support CEDET and are therefore not affected by the bug. Here's a complete list of vulnerable versions:

app-editors/emacs:
              PVR <= 23.1-r3     unaffected
23.2       <= PVR <= 23.3-r3     vulnerable
23.4-r4    <= PVR                unaffected

app-editors/emacs-vcs (live ebuilds omitted):
              PVR <= 23.0.96     unaffected
23.1.90    <= PVR <= 23.2.94     vulnerable
23.3.90    <= PVR <  24          unaffected
24.0.50_pre20110116 <= PVR <= 24.0.92  vulnerable
24.0.92-r1 <= PVR                unaffected
Comment 5 Ulrich Müller gentoo-dev 2012-01-09 22:23:08 UTC
(In reply to comment #4)
> 23.4-r4    <= PVR                unaffected

That should be 23.3-r4, of course. Sorry for the bugspam.
Comment 6 Mark Loeser (RETIRED) gentoo-dev 2012-01-11 18:17:18 UTC
ppc/ppc64 done
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-11 18:37:07 UTC
What a mess! So this is the target, right?:
=app-editors/emacs-23.3-r4
Comment 8 Ulrich Müller gentoo-dev 2012-01-11 18:39:35 UTC
(In reply to comment #7)
> What a mess! So this is the target, right?:
> =app-editors/emacs-23.3-r4

Right (see comment 1).
emacs-vcs has no stable versions.
Comment 9 Thomas Kahle (RETIRED) gentoo-dev 2012-01-15 14:17:29 UTC
x86 done. Thanks
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-01-15 19:08:18 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-16 03:00:27 UTC
Stable for HPPA.
Comment 12 Ulrich Müller gentoo-dev 2012-01-16 06:44:54 UTC
Stable on all architectures. Vulnerable revision (emacs-23.2-r2) removed.
Comment 13 Agostino Sarubbo gentoo-dev 2012-01-16 09:38:23 UTC
filed new request
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-10-21 18:55:38 UTC
CVE-2012-0035 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0035):
  Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in
  GNU Emacs before 23.4 and other products, allows local users to gain
  privileges via a crafted Lisp expression in a Project.ede file in the
  directory, or a parent directory, of an opened file.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-03-20 10:43:36 UTC
This issue was resolved and addressed in
 GLSA 201403-05 at http://security.gentoo.org/glsa/glsa-201403-05.xml
by GLSA coordinator Sergey Popov (pinkbyte).