Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs, the well-known editor. Via connecting to a malicious POP server an attacker can execute arbitrary code under the privileges of group mail (or worse, depending on the permissions of the movemail binary).
Created attachment 49636: emacs21-movemail-popfmt.diff
Created attachment 49637: xemacs21-movemail-popfmt.diff
What are the permissions of our movemail(s)? usata: this is confidential, please prepare patched emacs ebuilds that you can attach to this bug for arch testing. Nothing in CVS yet.
usata: Coordinated release date set to February 6, please prepare patched ebuilds and attach them to the bug.
Our movemails permissions are
-rwxr-xr-x 1 root root 18824 Aug 2 2004 movemail (emacs)
-rwxr-xr-x 1 root root 60304 Sep 2 08:58 movemail (xemacs)
I'll prepare patched ebuilds.
usata: if you have ebuilds, you can attach them to the bug so that we can call some arch people to test them.
Created attachment 50337: emacs-21.3-r6.ebuild. Patched version of Emacs ebuild.
rac: could you make a patched ebuild for XEmacs? (I'm not a member of XEmacs herd)
Now public. Emacs/xemacs teams, please commit ebuilds to CVS.
*** Bug 81098 has been marked as a duplicate of this bug. ***
I've just committed emacs-21.4.ebuild (upstream released 21.4) to CVS. The only difference between 21.3 and 21.4 is the movemail patch. Arch maintainers: please test and keyword it stable.
ppc-macos: please test and keyword emacs-21.4 ~ppc-macos if you can. Other arches, please test and mark emacs-21.4 stable. xemacs herd, please commit an updated xemacs ebuild.
Emacs 21.4 won't compile on ppc-macos (21.4 is only 21.3 + movemail patch). I'll create another updated cvs snapshot ebuild for ppc-macos.
sparc stable.
emacs stable on x86..
emacs is stable on ppc64.
Compiles and runs for me.
emacs-21.4 stable on amd64.
Stable on ppc.
emacs-21.4 stable on alpha.
Sent an email to rac, would be a pity to mask xemacs because it's late :)
I created xemacs-21.4.15-r3 which includes the fix and committed it to CVS. Since it's stable on all archs I didn't apply it to all previous ebuilds. Should we package.mask as follows? <=app-editors/xemacs-21.4.15-r2
No need to package.mask, but you can remove old versions if you want. Committed stable on all arches by maintainer, so ready for a GLSA.
GLSA 200502-20