
Bug 79686

Summary: app-editors/[x]emacs: movemail arbitrary code execution (CAN-2005-0100)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: emacs, ppc-macos, soulse, xemacs
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments (description, flags):
emacs21-movemail-popfmt.diff (flags: none)
xemacs21-movemail-popfmt.diff (flags: none)
emacs-21.3-r6.ebuild (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-27 02:10:56 UTC
Max Vozeler discovered several format string vulnerabilities in the
movemail utility of Emacs, the well-known editor.  Via connecting to a
malicious POP server an attacker can execute arbitrary code under the
privileges of group mail (or worse, depending on the permissions of
the movemail binary).
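
The bug class named in the description, as an added C example (not the Emacs source and not the attached patches): `report_error`, `unsafe_report`, `safe_report` and `count_conversions` are hypothetical names, and the server reply is constructed. The sample reply contains only `%%`, so the unsafe call stays well-defined while still showing that the server's text is interpreted as a format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_error[256];

/* Hypothetical printf-style reporter. Declaring it with GCC/Clang's
 * format(printf, 1, 2) attribute lets -Wformat-security flag unsafe_report. */
static void report_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the server's reply is used as the format string. */
const char *unsafe_report(const char *server_line)
{
    report_error(server_line);
    return last_error;
}

/* Fixed pattern: constant format, server reply passed as data only. */
const char *safe_report(const char *server_line)
{
    report_error("%s", server_line);
    return last_error;
}

/* Count conversion directives ("%%" excluded) in an untrusted line. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* literal percent sign */
        if (s[1] != '\0') n++;               /* would consume an argument */
    }
    return n;
}

int main(void)
{
    const char *line = "-ERR mailbox 100%% full"; /* constructed POP reply */
    printf("unsafe: %s\n", unsafe_report(line));  /* "%%" collapses to "%" */
    printf("safe:   %s\n", safe_report(line));    /* reply kept verbatim */
    return 0;
}
```
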
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-27 02:12:46 UTC
Created attachment 49636 [details, diff]
emacs21-movemail-popfmt.diff
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-27 02:13:17 UTC
Created attachment 49637 [details, diff]
xemacs21-movemail-popfmt.diff
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 06:26:19 UTC
What are the permissions of our movemail(s) ?

usata: this is confidential, please prepare patched emacs ebuilds that you can attach to this bug for arch testing. Nothing in CVS yet.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-01-31 01:35:41 UTC
usata: Coordinated release date set to February 6, please prepare patched ebuilds and attach them to the bug.
Comment 5 Mamoru KOMACHI (RETIRED) gentoo-dev 2005-01-31 23:40:04 UTC
Our movemails' permissions are
-rwxr-xr-x  1 root root 18824 Aug  2  2004 movemail (emacs)
-rwxr-xr-x  1 root root   60304 Sep  2 08:58 movemail (xemacs)

I'll prepare patched ebuilds.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 06:03:46 UTC
usata: if you have ebuilds, you can attach them to the bug so that we can call some arch people to test them.
Comment 7 Mamoru KOMACHI (RETIRED) gentoo-dev 2005-02-04 07:13:25 UTC
Created attachment 50337 [details]
emacs-21.3-r6.ebuild

Patched version of Emacs ebuild.
Comment 8 Mamoru KOMACHI (RETIRED) gentoo-dev 2005-02-04 07:15:14 UTC
rac: could you make a patched ebuild for XEmacs?
(I'm not a member of XEmacs herd)
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-02-07 05:01:24 UTC
Now public.
Emacs/xemacs teams, please commit ebuilds to CVS.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-02-07 05:03:01 UTC
*** Bug 81098 has been marked as a duplicate of this bug. ***
Comment 11 Mamoru KOMACHI (RETIRED) gentoo-dev 2005-02-08 02:53:18 UTC
I've just committed emacs-21.4.ebuild (upstream released 21.4) to CVS.
The only difference between 21.3 and 21.4 is the movemail patch.
Arch maintainers: please test and keyword it stable.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-02-08 04:26:13 UTC
ppc-macos: please test and keyword emacs-21.4 ~ppc-macos if you can.
Other arches, please test and mark emacs-21.4 stable.

xemacs herd, please commit an updated xemacs ebuild.
Comment 13 Mamoru KOMACHI (RETIRED) gentoo-dev 2005-02-08 05:24:57 UTC
Emacs 21.4 won't compile on ppc-macos (21.4 is only 21.3 + movemail patch).
I'll create another updated CVS snapshot ebuild for ppc-macos.
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-08 06:17:41 UTC
sparc stable.
Comment 15 Olivier Crete (RETIRED) gentoo-dev 2005-02-08 09:03:51 UTC
emacs stable on x86..
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2005-02-08 11:53:42 UTC
emacs is stable on ppc64.
Comment 17 Homer Parker (RETIRED) gentoo-dev 2005-02-08 17:48:47 UTC
Compiles and runs for me

emerge --info
Portage 2.0.51-r15 (default-linux/amd64/2005.0, gcc-3.4.3, glibc-2.3.4.20041102-r0, 2.6.10-gentoo-r6 x86_64)
=================================================================
System uname: 2.6.10-gentoo-r6 x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.6.9
Python:              dev-lang/python-2.3.4 [2.3.4 (#1, Jan 30 2005, 21:39:15)]
dev-lang/python:     2.3.4
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.4_p6, 1.9.4, 1.8.5-r3
sys-devel/binutils:  2.15.90.0.1.1-r3, 2.15.92.0.2-r2
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.6.8.1-r4
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CFLAGS="-march=k8 -fomit-frame-pointer -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=k8 -fomit-frame-pointer -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks fixpackages sandbox"
GENTOO_MIRRORS="ftp://gentoo.netnitco.net/pub/mirrors/gentoo/source/ ftp://mirrors.tds.net/gentoo ftp://gentoo.ccccom.com"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X acpi alsa bash-completion berkdb bitmap-fonts bonobo bzip2 bzlib cdr crypt css cups dga directfb divx4linux dvd dvdread encode esd ethereal exif f77 fam fbcon flac foomaticdb fortran gdbm geoip gif gimpprint gmp gnome gnomedb gphoto2 gps gstreamer gtk gtk2 gtkhtml howl icq ieee1394 imagemagick imap imlib jabber jp2 jpeg lzw lzw-tiff memlimit mozilla moznocompose moznoirc moznomail mpeg mpi msession msn ncurses nls no-old-linux nodrm nptl nptlonly offensive oggvorbis opengl oscar oss pam pcmcia pcntl pcre pdflib perl pic png pnp posix ppds pthreads python quicktime readline samba sasl sdl session slp speex spell ssl sysvipc szip tcltk tcpd tidy tiff truetype truetype-fonts type1-fonts usb userlocales vim-with-x wxwindows xml2 xmms xpm xrandr xv xvid xvmc yahoo zlib"
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS
Comment 18 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-02-09 03:03:47 UTC
emacs-21.4 stable on amd64.
Comment 19 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-09 03:31:23 UTC
Stable on ppc.
Comment 20 Bryan Østergaard (RETIRED) gentoo-dev 2005-02-09 15:47:17 UTC
emacs-21.4 stable on alpha.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 07:22:47 UTC
Sent an email to rac, would be a pity to mask xemacs because it's late :)
Comment 22 Matthew Kennedy (RETIRED) gentoo-dev 2005-02-15 06:44:22 UTC
I created xemacs-21.4.15-r3 which includes the fix and committed it to CVS.
Since it's stable on all archs I didn't apply it to all previous ebuilds.  Should
we package.mask as follows?

    <=app-editors/xemacs-21.4.15-r2


Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2005-02-15 07:51:53 UTC
No need to package.mask, but you can remove old versions if you want. 
Committed stable on all arches by maintainer, so ready for a GLSA.
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-02-15 13:48:40 UTC
GLSA 200502-20