Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 398227 (CVE-2012-0035) - <app-emacs/cedet-1.0.1 : security flaw in EDE, local execution of arbitrary code (CVE-2012-0035)
Summary: <app-emacs/cedet-1.0.1 : security flaw in EDE, local execution of arbitrary c...
Alias: CVE-2012-0035
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2012-01-09 09:35 UTC by Ulrich Müller
Modified: 2014-01-27 10:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2012-01-09 09:35:03 UTC
"Hiroshi Oota has found a security flaw in EDE (part of CEDET), a development tool included in Emacs. EDE can store various information about a project, such as how to build the project, in a file named Project.ede in the project directory tree. When the minor mode `global-ede-mode' is enabled, visiting a file causes Emacs to look for Project.ede in the file's directory or one of its parent directories. If Project.ede is present, Emacs automatically reads and evaluates the first Lisp expression in it.

This design exposes EDE users to the danger of loading malicious code from one file (Project.ede), simply by visiting another file in the same directory tree."

This affects app-editors/emacs-23.2* and -23.3* (CEDET was added in Emacs 23.2). Most probably the stand-alone app-emacs/cedet is also affected; I have to investigate though.

Adding xemacs team to CC for app-xemacs/cedet-common.
Comment 1 Ulrich Müller gentoo-dev 2012-01-09 09:50:11 UTC
An updated patchball for Emacs is on its way to Gentoo mirrors; I'll commit the ebuild later today.

(In reply to comment #0)
> Adding xemacs team to CC for app-xemacs/cedet-common.

Sorry, this was wrong. The package (potentially) affected is app-xemacs/ede.
Comment 2 Ulrich Müller gentoo-dev 2012-01-09 12:16:02 UTC
app-editors/emacs and app-xemacs/ede issues split off to bug 398239 and bug 398241 (after being told in #gentoo-security to do so).

Fixed in app-emacs/cedet-1.0-r1.
CCing arch teams, please stabilise.
Comment 3 Agostino Sarubbo gentoo-dev 2012-01-09 21:05:03 UTC
amd64 stable
Comment 4 Ulrich Müller gentoo-dev 2012-01-11 18:19:41 UTC
cedet-1.0.1 has been released upstream, with the security fix included.
Please stabilise this version instead.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-01-11 18:52:05 UTC
(In reply to comment #4)
> cedet-1.0.1 has been released upstream, with the security fix included.
> Please stabilise this version instead.

Ok, thanks. Readded amd64 (sorry, guys).

Arches, please test and mark stable:
Target keywords : "amd64 ppc sparc x86"
Comment 6 Michael Harrison 2012-01-11 22:40:34 UTC
amd64 ok
Comment 7 Agostino Sarubbo gentoo-dev 2012-01-11 22:43:38 UTC
amd64 stable, thanks Michael
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-12 17:30:37 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-01-14 18:33:53 UTC
sparc keywords dropped
Comment 10 Brent Baude (RETIRED) gentoo-dev 2012-02-01 17:17:54 UTC
ppc done; closing as last arch
Comment 11 Agostino Sarubbo gentoo-dev 2012-02-01 17:22:52 UTC
filed new glsa request.
Comment 12 Ulrich Müller gentoo-dev 2012-02-01 17:28:39 UTC
Vulnerable version cedet-1.0 removed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 15:35:55 UTC
CVE-2012-0035 (
  Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in
  GNU Emacs before 23.4 and other products, allows local users to gain
  privileges via a crafted Lisp expression in a Project.ede file in the
  directory, or a parent directory, of an opened file.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 10:40:47 UTC
This issue was resolved and addressed in
 GLSA 201401-31 at
by GLSA coordinator Mikle Kolyada (Zlogene).