** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **
Chong Yidong wrote:
Romain Francoise has found a security risk in a feature of GNU Emacs
related to interacting with Python.
Emacs allows the user to launch an interactive Python process. When
this process is started, Emacs automatically sends it the line
which imports a script named emacs.py which is distributed with Emacs.
This script is typically located in a write-protected installation
directory, together with other Emacs program files; it provides various
functions to help the Python process communicate with Emacs. Upon
running, emacs.py imports other Python modules which are not built-in:
import os, sys, traceback, inspect, __main__
Merely visiting and editing a *.py source file does not launch a Python
subprocess; you have to enable certain Emacs modes, such as eldoc-mode,
to do so.
The vulnerability arises because Python, by default, prepends '' to the
module search path, so modules are looked for in the current directory.
If the user opens a Python file in a world-writable directory, an
attacker could insert malicious code by adding fake modules to that
directory, such as a fake emacs.py or inspect.py.
The Python developers have told us that they do not regard the importing
of modules from the current directory as a security problem for Python
itself. The argument is that running a python script in a
world-writable directory is itself a security hazard. However, when
running an Emacs command, it may be much less obvious to the user that a
security hazard is present.
The following patch, against the Emacs 22.2 source tree, fixes the
problem by removing '' from sys.path in the command-line arguments for
invoking the Python process. (Because `sys' is a "built-in module", an
attacker cannot insert malicious code by adding sys.py to the current
A forthcoming release of GNU Emacs, version 22.3, will contain this fix.
If any vendor would like further details, please send me an email.
Please let us know before disclosing this vulnerability by updating your
Created attachment 164408 [details, diff]
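The advisory above describes the hazard in prose: with '' at the front of sys.path, a same-named file in the current directory wins over the standard library, and the fix is to drop '' before anything is imported. The following added example (not Emacs code, not the attached patch) makes that concrete: it plants harmless stand-in files named emacs.py, inspect.py and sys.py in a scratch directory, then asks the import machinery where each name would resolve with '' first and again after '' is removed. The lookup goes through importlib's PathFinder directly so it ignores modules already cached in sys.modules; the file contents and the function names are hypothetical.

```python
"""Added example: module shadowing through '' in sys.path, and the fix.

Not part of Emacs or of the patch discussed above.  The fake modules
written here are inert markers, not a payload.
"""
import os
import sys
import tempfile
from importlib.machinery import PathFinder

# Names the advisory says emacs.py pulls in (plus emacs itself).  'os'
# is left out because recent CPython ships it frozen, which is a third
# resolution path this example does not model.
TARGETS = ("emacs", "inspect", "sys")


def resolve(name, path):
    """Where would `import name` come from, given this search path?

    Returns 'built-in', a file path, or None.  Built-in modules are found
    by BuiltinImporter before any path entry is consulted, so a sys.py in
    the working directory can never shadow sys (the point the advisory
    makes).  For everything else PathFinder is asked with an explicit
    path list; it treats '' as "the current directory at lookup time",
    exactly as the real import system does.
    """
    if name in sys.builtin_module_names:
        return "built-in"
    spec = PathFinder.find_spec(name, path)
    return None if spec is None else spec.origin


def hardened_path(path):
    """The mitigation described in the advisory: strip every '' entry.

    A comprehension is used instead of path.remove('') because remove()
    raises ValueError when '' is absent (for example under `python -I`).
    """
    return [p for p in path if p != ""]


def demo(workdir):
    """Plant fake modules in workdir and compare resolution before/after.

    Returns {name: (origin with '' first, origin after hardening)}.
    """
    workdir = os.path.realpath(workdir)
    for name in TARGETS:
        # Constructed marker file standing in for attacker-planted code.
        with open(os.path.join(workdir, name + ".py"), "w") as f:
            f.write("MARKER = 'planted %s'\n" % name)
    old_cwd = os.getcwd()
    os.chdir(workdir)  # '' now means the attacker-controlled directory
    try:
        unsafe = [""] + hardened_path(sys.path)   # Python's default shape
        safe = hardened_path(unsafe)              # after the fix
        return {name: (resolve(name, unsafe), resolve(name, safe))
                for name in TARGETS}
    finally:
        os.chdir(old_cwd)


def run_demo():
    """Run demo() in a throwaway directory; returns (realdir, report)."""
    with tempfile.TemporaryDirectory() as d:
        return os.path.realpath(d), demo(d)


if __name__ == "__main__":
    workdir, report = run_demo()
    print("scratch directory:", workdir)
    for name, (before, after) in report.items():
        print("%-8s with '' first -> %s" % (name, before))
        print("%-8s hardened      -> %s" % ("", after))
```

Run it and the output shows emacs and inspect resolving to the planted files while '' is present, inspect falling back to the real standard-library copy and emacs to nothing at all once '' is gone, and sys reporting 'built-in' in both cases. The same removal can be done on the interpreter command line before any import runs, for instance `python -i -c "import sys; sys.path.remove('')"`, which is the shape of the fix the advisory describes (the exact arguments Emacs 22.3 uses are in the attached patch, not asserted here). On Python 3.11 and later the `-P` switch or `PYTHONSAFEPATH=1` stops '' being prepended in the first place, and `-I` (3.4 and later) does so as part of isolated mode; when one of those is in effect `sys.path.remove('')` raises ValueError, which is why the helper above filters instead.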
*** Bug 236508 has been marked as a duplicate of this bug. ***
Arch Security Liaisons, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : maekke, armin76
app-editors/emacs <22 and app-editors/emacs-cvs are not affected.
Stable for HPPA.
The vulnerability has been announced at <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can you please open this bug now?
(In reply to comment #9)
> The vulnerability has been announced at
> <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can
> you please open this bug now?
done, removing sec liaison and CC'ing remaining arches.
(In reply to comment #10)
> (In reply to comment #9)
> > The vulnerability has been announced at
> > <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can
> > you please open this bug now?
> done, removing sec liaison and CC'ing remaining arches.
This bug can be safely closed after a possible GLSA as we handle further stabilisations in bug 220535
(In reply to comment #11)
> (In reply to comment #10)
> > (In reply to comment #9)
> > > The vulnerability has been announced at
> > > <http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html>, so can
> > > you please open this bug now?
> > >
> > done, removing sec liaison and CC'ing remaining arches.
> This bug can be safely closed after a possible GLSA as we handle further
> stabilisations in bug 220535
ok, thanks for the info.
All supported archs stable.
Vulnerable versions: <22.2-r3
Unaffected: >=22.2-r3, <22
arm/s390/sh stable, thanks vapier and armin76.
Security, can we assist you in any way bringing out the GLSA? Maybe by reviewing it.
GLSA 200902-06, sorry for the delay.