|Summary:||<app-editors/emacs-23.3-r4 : security flaw in EDE, local execution of arbitrary code (CVE-2012-0035)|
|Product:||Gentoo Security||Reporter:||Ulrich Müller <ulm>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Ulrich Müller 2012-01-09 11:54:37 UTC
+++ This bug was initially created as a clone of Bug #398227 +++
"Hiroshi Oota has found a security flaw in EDE (part of CEDET), a development tool included in Emacs. EDE can store various information about a project, such as how to build the project, in a file named Project.ede in the project directory tree. When the minor mode `global-ede-mode' is enabled, visiting a file causes Emacs to look for Project.ede in the file's directory or one of its parent directories. If Project.ede is present, Emacs automatically reads and evaluates the first Lisp expression in it. This design exposes EDE users to the danger of loading malicious code from one file (Project.ede), simply by visiting another file in the same directory tree."
This affects app-editors/emacs-23.2* and -23.3* (CEDET was added in Emacs 23.2).
Comment 1 Ulrich Müller 2012-01-09 11:58:39 UTC
Upstream commit is here: <http://bzr.savannah.gnu.org/lh/emacs/emacs-23/revision/100631>
CCing arch teams, please stabilise app-editors/emacs-23.3-r4.
Comment 2 Agostino Sarubbo 2012-01-09 20:51:11 UTC
According to Tim, is B
Comment 3 Agostino Sarubbo 2012-01-09 20:57:27 UTC
Comment 4 Ulrich Müller 2012-01-09 22:21:30 UTC
Hm, the summary isn't quite accurate. Please note that versions <23.2 don't support CEDET and are therefore not affected by the bug. Here's a complete list of vulnerable versions:
app-editors/emacs:
    PVR <= 23.1-r3                               unaffected
    23.2 <= PVR <= 23.3-r3                       vulnerable
    23.4-r4 <= PVR                               unaffected
app-editors/emacs-vcs (live ebuilds omitted):
    PVR <= 23.0.96                               unaffected
    23.1.90 <= PVR <= 23.2.94                    vulnerable
    23.3.90 <= PVR < 24                          unaffected
    24.0.50_pre20110116 <= PVR <= 24.0.92        vulnerable
    24.0.92-r1 <= PVR                            unaffected
Comment 5 Ulrich Müller 2012-01-09 22:23:08 UTC
(In reply to comment #4)
> 23.4-r4 <= PVR unaffected
That should be 23.3-r4, of course. Sorry for the bugspam.
Comment 6 Mark Loeser (RETIRED) 2012-01-11 18:17:18 UTC
Comment 7 Jeroen Roovers (RETIRED) 2012-01-11 18:37:07 UTC
What a mess! So this is the target, right?:
=app-editors/emacs-23.3-r4
Comment 8 Ulrich Müller 2012-01-11 18:39:35 UTC
(In reply to comment #7)
> What a mess! So this is the target, right?:
> =app-editors/emacs-23.3-r4
Right (see comment 1). emacs-vcs has no stable versions.
Comment 9 Thomas Kahle (RETIRED) 2012-01-15 14:17:29 UTC
x86 done. Thanks
Comment 10 Raúl Porcel (RETIRED) 2012-01-15 19:08:18 UTC
Comment 11 Jeroen Roovers (RETIRED) 2012-01-16 03:00:27 UTC
Stable for HPPA.
Comment 12 Ulrich Müller 2012-01-16 06:44:54 UTC
Stable on all architectures. Vulnerable revision (emacs-23.2-r2) removed.
Comment 13 Agostino Sarubbo 2012-01-16 09:38:23 UTC
filed new request
Comment 14 GLSAMaker/CVETool Bot 2012-10-21 18:55:38 UTC
CVE-2012-0035 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0035): Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, allows local users to gain privileges via a crafted Lisp expression in a Project.ede file in the directory, or a parent directory, of an opened file.
Comment 15 GLSAMaker/CVETool Bot 2014-03-20 10:43:36 UTC
This issue was resolved and addressed in GLSA 201403-05 at http://security.gentoo.org/glsa/glsa-201403-05.xml by GLSA coordinator Sergey Popov (pinkbyte).
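A defensive check for the lookup described in the bug description, as an added example that is not part of this bug report or of Emacs: it lists every Project.ede on the path from a file's directory up to the root and flags ones that are symlinks, not owned by a trusted uid, or group/world-writable. The function names, the trusted-uid default (root and the current user) and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

PROJECT_FILE = "Project.ede"  # file name taken from the bug description


def audit_project_ede(visited, trusted_uids=None):
    """Return [(path, [reasons])] for every Project.ede that an affected EDE
    would consider when `visited` is opened: the file's own directory and
    each parent directory up to the root. An empty reason list means the
    file exists but passed the ownership and permission checks."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}  # assumption: root and self are trusted
    start = Path(visited).resolve().parent
    findings = []
    for directory in (start, *start.parents):
        candidate = directory / PROJECT_FILE
        try:
            st = candidate.lstat()  # lstat: do not follow a planted symlink
        except OSError:
            continue  # no Project.ede at this level
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append(f"owner uid {st.st_uid} not trusted")
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink")
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group- or world-writable")
        findings.append((str(candidate), reasons))
    return findings


def demo():
    """Constructed tree: <tmp>/Project.ede (mode 0666) above <tmp>/src/lib/main.c."""
    root = Path(tempfile.mkdtemp()).resolve()
    (root / "src" / "lib").mkdir(parents=True)
    visited = root / "src" / "lib" / "main.c"
    visited.write_text("int main(void) { return 0; }\n")
    planted = root / PROJECT_FILE
    planted.write_text(";; constructed placeholder, not a real EDE project\n")
    planted.chmod(0o666)
    return str(planted), audit_project_ede(visited)


if __name__ == "__main__":
    for path, reasons in demo()[1]:
        print(path, "->", ", ".join(reasons) or "no ownership/permission issue")
```
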