From: Chong Yidong
Newsgroups: gmane.emacs.bugs
Subject: bug#12155: [Kurt Seifried] Re: [oss-security] Security flaw in GNU Emacs file-local variables
Date: Tue, 14 Aug 2012 11:16:50 +0800
Message-ID: <87r4rajh7h.fsf@gnu.org>
To: 12155@debbugs.gnu.org
Content-Type: message/rfc822

Message-ID: <502893CC.8090709@redhat.com>
Date: Sun, 12 Aug 2012 23:42:36 -0600
From: Kurt Seifried
To: oss-security@lists.openwall.com
CC: Chong Yidong
Subject: Re: [oss-security] Security flaw in GNU Emacs file-local variables
References: <87lihjscfo.fsf@gnu.org>
In-Reply-To: <87lihjscfo.fsf@gnu.org>

On 08/12/2012 09:22 PM, Chong Yidong wrote:
> Paul Ling has found a security flaw in the file-local variables
> code in GNU Emacs. We are preparing a new Emacs release to address
> this flaw, and would like to request a CVE.
>
> When the Emacs user option `enable-local-variables' is set to
> `:safe' (the default value is t), Emacs should automatically refuse
> to evaluate `eval' forms in file-local variable sections. Due to
> the bug, Emacs instead automatically evaluates such `eval' forms.
> Thus, if the user changes the value of `enable-local-variables' to
> `:safe', visiting a malicious file can cause automatic execution of
> arbitrary Emacs Lisp code with the permissions of the user.
>
> The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.
>
> Attached are patches to fix this bug for Emacs 23.4 and Emacs
> 24.1, written by Glenn Morris. (The 23.4 patch should apply to the
> rest of the Emacs 23.x series.)
>
> Bug tracker ref:
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155

Please use CVE-2012-3479 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
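
Added example, not part of the original messages or of the Emacs sources: a small Python scanner that reports `eval:` entries in a file's local-variable sections (the `-*- ... -*-` line and the `Local Variables:` list), so files from untrusted sources can be checked before they are visited in an affected Emacs version. The function name, the sample text and the lenient parsing are assumptions of this example; it approximates Emacs's parser rather than reproducing it.

```python
import re

TAIL_CHARS = 3000  # Emacs only looks for the list near the end of the file
PROP_LINE = re.compile(r"-\*-(.*?)-\*-")
LIST_START = re.compile(r"^(.*)Local Variables:[ \t]*(.*)$", re.IGNORECASE)

def find_eval_entries(text):
    """Return (location, form) for each `eval:` file-local entry in text."""
    hits, lines = [], text.splitlines()
    # 1. The "-*- ... -*-" line: first line, or second after a "#!" line.
    head = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in head:
        m = PROP_LINE.search(line)
        # Simplification: a form containing ";" is reported but cut short.
        for entry in (m.group(1).split(";") if m else []):
            name, sep, value = entry.partition(":")
            if sep and name.strip().lower() == "eval":
                hits.append(("first-line", value.strip()))
    # 2. The "Local Variables:" ... "End:" list on the last page of the file.
    tail = text[-TAIL_CHARS:].rpartition("\n\f")[2].splitlines()
    for i, line in enumerate(tail):
        m = LIST_START.match(line)
        if not m:
            continue
        prefix, suffix = m.group(1), m.group(2).rstrip()
        for body in tail[i + 1:]:
            if not body.startswith(prefix):
                break  # every entry must repeat the header line's prefix
            body = body[len(prefix):].rstrip()
            if suffix and body.endswith(suffix):
                body = body[:-len(suffix)]
            name, sep, value = body.partition(":")
            key = name.strip().lower()  # lenient on case: over-report, not under
            if sep and key == "end":
                break
            if sep and key == "eval":
                hits.append(("local-variables-list", value.strip()))
        break  # only the first list header counts
    return hits

# Constructed sample input (harmless forms), not taken from the bug report.
SAMPLE = (
    "#!/bin/sh\n"
    '# -*- mode: sh; eval: (message "from first line") -*-\n'
    "# Local Variables:\n"
    '# eval: (message "from list")\n'
    "# End:\n"
)
print(find_eval_entries(SAMPLE))
```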