Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 398241 - <app-xemacs/ede-1.07: Security flaw in EDE, local execution of arbitrary code (CVE-2012-0035)
Summary: <app-xemacs/ede-1.07: Security flaw in EDE, local execution of arbitrary code...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://lists.gnu.org/archive/html/ema...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: 666312
Blocks:
  Show dependency tree
 
Reported: 2012-01-09 12:09 UTC by Ulrich Müller
Modified: 2018-12-06 22:03 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2012-01-09 12:09:35 UTC
+++ This bug was initially created as a clone of Bug #398227 +++

From the emacs-devel mailing list:
"Hiroshi Oota has found a security flaw in EDE (part of CEDET), a development tool included in Emacs. EDE can store various information about a project, such as how to build the project, in a file named Project.ede in the project directory tree. When the minor mode `global-ede-mode' is enabled, visiting a file causes Emacs to look for Project.ede in the file's directory or one of its parent directories. If Project.ede is present, Emacs automatically reads and evaluates the first Lisp expression in it.

This design exposes EDE users to the danger of loading malicious code from one file (Project.ede), simply by visiting another file in the same directory tree."

Most likely this affects app-xemacs/ede too.
Comment 1 Hans de Graaff gentoo-dev 2012-01-09 18:11:43 UTC
Filed upstream: http://tracker.xemacs.org/XEmacs/its/issue825
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-01 01:55:26 UTC
@ Maintainer(s): Looks like app-xemacs/ede was forgotten while bug 398227 was fixed. =app-xemacs/ede-1.03-r1, the latest version in repository, is still vulnerable:

# grep 'ede-version' /var/tmp/portage/app-xemacs/ede-1.03-r1/image/usr/lib/xemacs/xemacs-packages/lisp/ede/ede.el
(defconst ede-version "1.0pre4"

So please apply commit 2a5135c50e212ae4ddade40c9704e396e01559ca from cedet repository, use https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-emacs/cedet/files/cedet-1.0-ede_security_fix.patch or copy files from cedet.

Or is it time to call tree cleaners? Please tell us how you want to proceed!
Comment 3 Ulrich Müller gentoo-dev 2016-12-01 07:32:15 UTC
There is app-xemacs/ede-1.06 in the emacs overlay. Not sure if the bug is fixed in that version (I cannot download it because ftp.xemacs.org is currently down).
Comment 4 Mats Lidell gentoo-dev 2016-12-01 23:33:03 UTC
No the bug is not fixed in that version. XEmacs package maintenance can fool you by having its own version numbers that tracks the releases as part of the xemacs package tree. Version 1.06 is actually upstream version 1.0pre4. 

It could still have been patched but from looking at the bitbucket repo it does not look that way. https://bitbucket.org/xemacs/ede

So I will look into applying the patch.

About xemacs.org. That is a sad story. It has been down since around August 2016 and it is unclear when it will be brought back online again. I have heard of initiatives to bring it up again but who knows when if ever. This means that the ebuild for xemacs now relies on that the packages are fetched from the mirrors. I don't know what impact that has on xemacs as a Gentoo package. I realize that it of course not is good that the upstream archive is dead but as long as the gentoo mirrors keeps the same archives we could still live with that, or do I need to take action on that as well?
Comment 5 Mats Lidell gentoo-dev 2016-12-26 16:16:07 UTC
Unfortunately applying the patch is easier said than done since the XEmacs packages essentially are binary packages that are just unpacked by the ebuild. The proper solution keeping that framework would be to get the patch into the upstream archive. This is unfortunately not possible at the moment since upstream infrastructure is down. 

There is however hope that this will be fixed soon since the xemacs homepage recently been brought to life. I'm having a dialog with upstream on this issue.
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-11 01:39:33 UTC
Ping,

Is there any news about the patch? The upstream is online
Comment 7 Mats Lidell gentoo-dev 2017-07-11 09:53:11 UTC
I have had no luck so far I'm afraid: https://list-archive.xemacs.org/archive/list/xemacs-beta@xemacs.org/message/T736WWQCTQS5OIS2MHAFLVMGSOIPNZBG/

I will escalate further and try to speed it up.
Comment 8 Mats Lidell gentoo-dev 2017-08-17 21:29:21 UTC
I have had no luck in getting in contact with upstream although I have tried multiple times and in different forums. I have thus masked the package and its dependencies in profiles/package.mask.

I'm still having some hope for getting in contact with upstream so I'm not going to announce these packages for removal, yet.
Comment 9 Michael Boyle 2018-05-13 02:22:42 UTC
Ping,
Has upstream gotten back to us on this. I believe we could perform a final rites on this package. 

Michael Boyle
Gentoo Security Padawan
Comment 10 Mats Lidell gentoo-dev 2018-05-23 21:14:00 UTC
I have talked to the upstream developer who plans to update the package in the beginning of June (This year!). If that happens we should be able to unmask the packages. If that does not happen I'll be happy to perform a last rites on this and the dependent packages.
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-12-02 07:46:29 UTC
Ping.
Comment 12 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-12-02 07:47:01 UTC
Also, I completely fail to understand why old versions of the packages are masked and kept when new versions are unmasked.
Comment 13 Mats Lidell gentoo-dev 2018-12-02 13:27:37 UTC
If you are referring to the masked packages:

<=app-xemacs/ede-1.03-r1
<=app-xemacs/semantic-1.21
<=app-xemacs/jde-1.52
<=app-xemacs/xslt-process-1.12
<=app-xemacs/xetla-1.02
<=app-xemacs/cogre-1.02
<=app-xemacs/ecb-1.22

Their updated versions were stabilized as of yesterday so I have not had the opportunity to clean up jet. My plan is to remove those and then remove the mask.

Please advice if I could have handled that differently and better.
Comment 14 Larry the Git Cow gentoo-dev 2018-12-03 21:13:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98637c4c3839d525d3cffb7cfd2f294f1128f0a9

commit 98637c4c3839d525d3cffb7cfd2f294f1128f0a9
Author:     Mats Lidell <matsl@gentoo.org>
AuthorDate: 2018-12-03 21:01:01 +0000
Commit:     Mats Lidell <matsl@gentoo.org>
CommitDate: 2018-12-03 21:01:01 +0000

    package.mask: unmask app-xemacs/ede with dependencies
    
    Security issue is fixed
    
    Bug: https://bugs.gentoo.org/398241
    Signed-off-by: Mats Lidell <matsl@gentoo.org>

 profiles/package.mask | 12 ------------
 1 file changed, 12 deletions(-)
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-03 21:20:33 UTC
(In reply to Larry the Git Cow from comment #14)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=98637c4c3839d525d3cffb7cfd2f294f1128f0a9
> 
> commit 98637c4c3839d525d3cffb7cfd2f294f1128f0a9
> Author:     Mats Lidell <matsl@gentoo.org>
> AuthorDate: 2018-12-03 21:01:01 +0000
> Commit:     Mats Lidell <matsl@gentoo.org>
> CommitDate: 2018-12-03 21:01:01 +0000
> 
>     package.mask: unmask app-xemacs/ede with dependencies
>     
>     Security issue is fixed
>     
>     Bug: https://bugs.gentoo.org/398241
>     Signed-off-by: Mats Lidell <matsl@gentoo.org>
> 
>  profiles/package.mask | 12 ------------
>  1 file changed, 12 deletions(-)

Mats, so which version actually contains the fix?
Comment 16 Mats Lidell gentoo-dev 2018-12-03 22:27:18 UTC
The fix is provided by upstream in app-xemacs/ede-1.07.
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-03 22:44:43 UTC
GLSA opened.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2018-12-06 22:03:10 UTC
This issue was resolved and addressed in
 GLSA 201812-05 at https://security.gentoo.org/glsa/201812-05
by GLSA coordinator Aaron Bauman (b-man).