"Hiroshi Oota has found a security flaw in EDE (part of CEDET), a development tool included in Emacs. EDE can store various information about a project, such as how to build the project, in a file named Project.ede in the project directory tree. When the minor mode `global-ede-mode' is enabled, visiting a file causes Emacs to look for Project.ede in the file's directory or one of its parent directories. If Project.ede is present, Emacs automatically reads and evaluates the first Lisp expression in it.
This design exposes EDE users to the danger of loading malicious code from one file (Project.ede), simply by visiting another file in the same directory tree."
This affects app-editors/emacs-23.2* and -23.3* (CEDET was added in Emacs 23.2). Most probably the stand-alone app-emacs/cedet is also affected; I have to investigate though.
Adding xemacs team to CC for app-xemacs/cedet-common.
An updated patchball for Emacs is on its way to Gentoo mirrors; I'll commit the ebuild later today.
(In reply to comment #0)
> Adding xemacs team to CC for app-xemacs/cedet-common.
Sorry, this was wrong. The package (potentially) affected is app-xemacs/ede.
app-editors/emacs and app-xemacs/ede issues split off to bug 398239 and bug 398241 (after being told in #gentoo-security to do so).
Fixed in app-emacs/cedet-1.0-r1.
CCing arch teams, please stabilise.
cedet-1.0.1 has been released upstream, with the security fix included.
Please stabilise this version instead.
(In reply to comment #4)
> cedet-1.0.1 has been released upstream, with the security fix included.
> Please stabilise this version instead.
Ok, thanks. Readded amd64 (sorry, guys).
Arches, please test and mark stable:
Target keywords : "amd64 ppc sparc x86"
amd64 stable, thanks Michael
sparc keywords dropped
ppc done; closing as last arch
filed new glsa request.
Vulnerable version cedet-1.0 removed.
Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in
GNU Emacs before 23.4 and other products, allows local users to gain
privileges via a crafted Lisp expression in a Project.ede file in the
directory, or a parent directory, of an opened file.
This issue was resolved and addressed in
GLSA 201401-31 at http://security.gentoo.org/glsa/glsa-201401-31.xml
by GLSA coordinator Mikle Kolyada (Zlogene).