197958 – (CVE-2007-5795) app-editors/emacs hack-local-variables Security bypass (CVE-2007-5795)

Bug 197958 (CVE-2007-5795) - app-editors/emacs hack-local-variables Security bypass (CVE-2007-5795)

Summary: app-editors/emacs hack-local-variables Security bypass (CVE-2007-5795)

Status:	RESOLVED FIXED

Alias:	CVE-2007-5795

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor
Assignee:	Gentoo Security

URL:	http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2007-11-03 13:44 UTC by Robert Buchholz (RETIRED)
Modified:	2007-12-09 19:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2007-11-03 13:44:07 UTC

CVE-2007-5795 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5795):
  The hack-local-variables function in Emacs before 22.2, when
  enable-local-variables is set to :safe, does not properly search lists of
  unsafe or risky variables, which might allow user-assisted attackers to
  bypass intended restrictions and modify critical program variables via a file
  containing a Local variables declaration.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2007-11-03 13:46:47 UTC

Emacs, please advise.
Is any of our ebuilds affected, or maybe other packages than app-editors/emacs?

Comment 2 Ulrich Müller gentoo-dev

2007-11-03 15:05:46 UTC

Fixed in emacs-22.1-r2. Decreasing severity to B4 since the issue doesn't affect the default configuration.

Vulnerable versions: <22.1-r2
Unaffected versions: >=22.1-r2, <22

Arch teams: Please stabilise app-editors/emacs-22.1-r2.

Comment 3 Raúl Porcel (RETIRED) gentoo-dev

2007-11-03 17:33:18 UTC

alpha/ia64/stable

Comment 4 Dawid Węgliński (RETIRED) gentoo-dev

2007-11-03 19:12:32 UTC

Stable on x86

Comment 5 Markus Rothe (RETIRED) gentoo-dev

2007-11-03 22:28:01 UTC

ppc64 stable

Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev

2007-11-05 18:53:36 UTC

ppc stable

Comment 7 Mike Doty (RETIRED) gentoo-dev

2007-11-06 23:14:41 UTC

amd64 done(committed by wolf31o2 for me)

Comment 8 Chris Gianelloni (RETIRED) gentoo-dev

2007-11-06 23:15:12 UTC

You'll probably want to back-port this to the latest SLOT=21 version, too.

Comment 9 Ulrich Müller gentoo-dev

2007-11-06 23:58:03 UTC

Vulnerable revision emacs-22.1-r1 removed.

(In reply to comment #8)
> You'll probably want to back-port this to the latest SLOT=21 version, too.

Emacs 21 is not affected; the relevant code is new in version 22.

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-11-07 09:41:31 UTC

I tend to vote NO.

Comment 11 Robert Buchholz (RETIRED) gentoo-dev

2007-11-12 21:59:33 UTC

Setting to B3 and voting
  YES

This vulnerability, if emacs is configured as described above, allows execution of arbitrary LISP (not shell) code, therefore can overwrite files writable by emacs. See last comment on the Debian report in URL.

Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-11-20 22:13:04 UTC

yes too, request filed.

Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-12-09 19:53:54 UTC

GLSA 200712-03