+++ This bug was initially created as a clone of Bug #398227 +++

"Hiroshi Oota has found a security flaw in EDE (part of CEDET), a development tool included in Emacs. EDE can store various information about a project, such as how to build the project, in a file named Project.ede in the project directory tree. When the minor mode `global-ede-mode' is enabled, visiting a file causes Emacs to look for Project.ede in the file's directory or one of its parent directories. If Project.ede is present, Emacs automatically reads and evaluates the first Lisp expression in it. This design exposes EDE users to the danger of loading malicious code from one file (Project.ede), simply by visiting another file in the same directory tree."

This affects app-editors/emacs-23.2* and -23.3* (CEDET was added in Emacs 23.2).
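A defender-side check for the lookup described in the report above, as an added example that is not part of the original bug report or of Emacs: it walks from a file's directory up to the root and lists every Project.ede a vulnerable EDE could pick up, flagging risky ownership or permissions. The function name `audit_project_files` and the choice of trusted owners (root and the invoking user) are assumptions of this sketch.

```python
import os
import stat
import sys
from pathlib import Path

PROJECT_FILE = "Project.ede"  # file name taken from the advisory text


def audit_project_files(visited, trusted_uids=None):
    """List every Project.ede in the directory of `visited` or a parent.

    Returns [(path, [reasons])], nearest directory first. An empty reason
    list means the file exists but none of the checks below fired.
    """
    if trusted_uids is None:
        # Assumption: only root and the invoking user are trusted owners.
        trusted_uids = {0, os.getuid()}
    start = Path(visited).resolve().parent
    findings = []
    for directory in (start, *start.parents):
        candidate = directory / PROJECT_FILE
        try:
            st = candidate.lstat()  # lstat: do not follow a planted symlink
        except OSError:
            continue  # no Project.ede at this level (or not accessible)
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append("owned by uid %d" % st.st_uid)
        if stat.S_ISLNK(st.st_mode):
            reasons.append("is a symlink")
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world-writable")
        dir_mode = directory.stat().st_mode
        if dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
            reasons.append("directory is world-writable without sticky bit")
        findings.append((str(candidate), reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in audit_project_files(sys.argv[1]):
        print(path, "->", "; ".join(reasons) or "no ownership/permission flags")
```

Run it with the path of the file you are about to open; any hit on a system still carrying one of the vulnerable versions deserves a look before visiting the file with `global-ede-mode' enabled.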
Upstream commit is here: <http://bzr.savannah.gnu.org/lh/emacs/emacs-23/revision/100631>

CCing arch teams, please stabilise app-editors/emacs-23.3-r4.
According to Tim, is B
amd64 stable
Hm, the summary isn't quite accurate. Please note that versions <23.2 don't support CEDET and are therefore not affected by the bug. Here's a complete list of vulnerable versions:

app-editors/emacs:
                           PVR <= 23.1-r3    unaffected
    23.2                <= PVR <= 23.3-r3    vulnerable
    23.4-r4             <= PVR               unaffected

app-editors/emacs-vcs (live ebuilds omitted):
                           PVR <= 23.0.96    unaffected
    23.1.90             <= PVR <= 23.2.94    vulnerable
    23.3.90             <= PVR <  24         unaffected
    24.0.50_pre20110116 <= PVR <= 24.0.92    vulnerable
    24.0.92-r1          <= PVR               unaffected
(In reply to comment #4)
> 23.4-r4 <= PVR unaffected

That should be 23.3-r4, of course. Sorry for the bugspam.
ppc/ppc64 done
What a mess! So this is the target, right?: =app-editors/emacs-23.3-r4
(In reply to comment #7)
> What a mess! So this is the target, right?:
> =app-editors/emacs-23.3-r4

Right (see comment 1). emacs-vcs has no stable versions.
x86 done. Thanks
alpha/arm/ia64/s390/sh/sparc stable
Stable for HPPA.
Stable on all architectures. Vulnerable revision (emacs-23.2-r2) removed.
filed new request
CVE-2012-0035 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0035): Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, allows local users to gain privileges via a crafted Lisp expression in a Project.ede file in the directory, or a parent directory, of an opened file.
This issue was resolved and addressed in GLSA 201403-05 at http://security.gentoo.org/glsa/glsa-201403-05.xml by GLSA coordinator Sergey Popov (pinkbyte).