Bug 630680 (CVE-2017-14482) - <app-editors/emacs-{23.4-r16,24.5-r4,25.2-r1}: possible to use this extension command to transparently execute arbitrary code
Status: RESOLVED FIXED
Alias: CVE-2017-14482
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Reported: 2017-09-11 14:13 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-01-07 23:48 UTC

Package list:
app-editors/emacs-23.4-r16 app-editors/emacs-24.5-r4 app-editors/emacs-25.3
Runtime testing required: Yes
stable-bot: sanity-check+


Description Aleksandr Wagner (Kivak) 2017-09-11 14:13:51 UTC
From $URL:

Enriched mode implements an extension command to the text/enriched format called "x-display", which stores "display" text properties. It's possible to use this extension command to transparently execute arbitrary code in an Emacs process that opens a text/enriched file.

Upstream issue:

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350

Upstream patch:

https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70

References:

http://seclists.org/oss-sec/2017/q3/422
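
A defensive triage helper for the behaviour described above, added here as an example and not taken from this bug report or from Emacs: it lists every `x-display` command in a file carrying the text/enriched header, so the stored display parameter can be reviewed before the file is opened in an unpatched Emacs. The header-based recognition, the name `find_x_display` and the sample strings are assumptions constructed for illustration.

```python
import re

# Assumption: the format is recognized by a Content-Type header at file start.
HEADER_RE = re.compile(r"\AContent-Type:[ \t]*text/enriched", re.IGNORECASE)
# A text/enriched command is <name> or </name>; "<<" is an escaped literal "<".
TOKEN_RE = re.compile(r"<<|<(/?)([A-Za-z0-9-]{1,60})>")
# The parameter that follows an opening command, kept raw for manual review.
PARAM_RE = re.compile(r"\s*<param>(.*?)</param>", re.IGNORECASE | re.DOTALL)


def find_x_display(text):
    """Return [(line_number, raw_param_or_None)] for each opening x-display
    command; return [] when the text/enriched header is absent."""
    if not HEADER_RE.match(text):
        return []
    hits = []
    for m in TOKEN_RE.finditer(text):
        if m.group(0) == "<<" or m.group(1) == "/":
            continue  # escaped "<" or a closing command
        if m.group(2).lower() != "x-display":
            continue
        line = text.count("\n", 0, m.start()) + 1
        param = PARAM_RE.match(text, m.end())
        hits.append((line, param.group(1) if param else None))
    return hits


# Constructed samples (not real files).
SAMPLE_FLAGGED = (
    "Content-Type: text/enriched\n"
    "Text-Width: 70\n"
    "\n"
    "<bold>Report</bold>\n"
    "<x-display><param>PLACEHOLDER-DISPLAY-SPEC</param>shown text</x-display>\n"
)
SAMPLE_ESCAPED = (
    "Content-Type: text/enriched\n\n"
    "The literal string <<x-display> is only escaped text here.\n"
)
SAMPLE_NO_HEADER = "<x-display><param>x</param>y</x-display>\n"

if __name__ == "__main__":
    for name, sample in [("flagged", SAMPLE_FLAGGED),
                         ("escaped", SAMPLE_ESCAPED),
                         ("no header", SAMPLE_NO_HEADER)]:
        print(name, find_x_display(sample))
```
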
Comment 1 Ulrich Müller gentoo-dev 2017-09-11 18:00:10 UTC
Fixed in slots 23, 24, and 25:

   emacs-23.4-r16
   emacs-24.5-r4
   emacs-25.2-r1

Slot 18 (emacs-18.59-r11) is _not_ affected, since the vulnerable code did not yet exist in version 18.
Comment 2 D'juan McDonald (domhnall) 2017-09-11 18:20:16 UTC
@arches, please proceed to stabilization, thank you!

Daj Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-11 22:10:13 UTC
sparc is no longer a stable profile.
Comment 4 Ulrich Müller gentoo-dev 2017-09-12 05:08:29 UTC
(In reply to Aaron Bauman from comment #3)
> sparc is no longer a stable profile.

But it has stable keywords. Readding to CC (as acked by its arch team).
Comment 5 Ulrich Müller gentoo-dev 2017-09-12 06:32:33 UTC
Upstream has released emacs-25.3 containing the fix.
Arch teams, note the updated package list:

   emacs-23.4-r16
   emacs-24.5-r4
   emacs-25.3
Comment 6 Sergei Trofimovich gentoo-dev 2017-09-12 07:20:40 UTC
ia64 stable
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-12 11:17:19 UTC
(In reply to Ulrich Müller from comment #4)
> (In reply to Aaron Bauman from comment #3)
> > sparc is no longer a stable profile.
> 
> But it has stable keywords. Readding to CC (as acked by its arch team).

No, it is no longer security supported and is not a stable arch. Don't abstain from a vote then come running around trying to enforce policies on things you apparently don't understand.
Comment 8 Sergei Trofimovich gentoo-dev 2017-09-13 07:35:19 UTC
(In reply to Aaron Bauman from comment #7)
> (In reply to Ulrich Müller from comment #4)
> > (In reply to Aaron Bauman from comment #3)
> > > sparc is no longer a stable profile.
> > 
> > But it has stable keywords. Readding to CC (as acked by its arch team).
> 
> No, it is no longer security supported and is not a stable arch.  Don't
> abstain from a vote then come running around trying to enforce policies on
> things you apparently don't understand.

FYI: your answer does not make sense to me.
We are clearly missing common ground.

Let's continue in https://archives.gentoo.org/gentoo-dev/message/d733c56155140b54646a4714303bfc1c
Comment 9 Tobias Klausmann gentoo-dev 2017-09-14 17:50:25 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2017-09-15 04:40:47 UTC
arm stable, tested by Yury German
Comment 11 Sergei Trofimovich gentoo-dev 2017-09-16 20:33:56 UTC
hppa stable
Comment 12 Sergei Trofimovich gentoo-dev 2017-09-23 13:56:01 UTC
ppc64 stable
Comment 13 Sergei Trofimovich gentoo-dev 2017-09-24 17:30:56 UTC
ppc stable
Comment 14 Thomas Deutschmann gentoo-dev Security 2017-10-03 00:43:38 UTC
x86 stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-12-01 11:20:54 UTC
amd64 stable
Comment 16 Larry the Git Cow gentoo-dev 2017-12-03 11:12:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b950741cd641bbb454b13b81c591ac26f53b1884

commit b950741cd641bbb454b13b81c591ac26f53b1884
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2017-12-03 11:11:47 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2017-12-03 11:11:47 +0000

    app-editors/emacs: Remove all vulnerable versions.
    
    Bug: https://bugs.gentoo.org/630680
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 app-editors/emacs/Manifest              |   2 -
 app-editors/emacs/emacs-23.4-r15.ebuild | 346 -------------------------------
 app-editors/emacs/emacs-24.5-r3.ebuild  | 344 ------------------------------
 app-editors/emacs/emacs-25.2.ebuild     | 356 --------------------------------
 4 files changed, 1048 deletions(-)
Comment 17 Ulrich Müller gentoo-dev 2017-12-03 11:20:24 UTC
Stable on all security supported arches.
@sparc: Removing you from CC here, please continue in bug 639598.

All vulnerable versions have been removed.
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-01-05 14:15:27 UTC
glsa request has been filed
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2018-01-07 23:48:35 UTC
This issue was resolved and addressed in
 GLSA 201801-07 at https://security.gentoo.org/glsa/201801-07
by GLSA coordinator Aaron Bauman (b-man).