* Emacs 22.3 released
@ 2008-09-05 16:47 Chong Yidong
2008-09-05 17:16 ` Vulnerability in Emacs python integration Chong Yidong
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Chong Yidong @ 2008-09-05 16:47 UTC (permalink / raw)
To: emacs-devel
GNU Emacs 22.3 has been released, and is now available at
ftp.gnu.org/gnu/emacs/ and the GNU FTP mirrors (see
http://www.gnu.org/order/ftp.html).
The MD5 check-sum for the source tarball is:
aa8ba34f548cd78b35914ae5a7bb87eb emacs-22.3.tar.gz
Please send any bug reports to bug-gnu-emacs@gnu.org. Within Emacs, you
can do this using the command M-x report-emacs-bug.
Emacs 22.3 is a bugfix release.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Vulnerability in Emacs python integration
2008-09-05 16:47 Emacs 22.3 released Chong Yidong
@ 2008-09-05 17:16 ` Chong Yidong
2008-09-05 17:21 ` Emacs 22.3 released Christian Faulhammer
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Chong Yidong @ 2008-09-05 17:16 UTC (permalink / raw)
To: emacs-devel
Romain Francoise has found a security risk in a feature of GNU Emacs
related to how Emacs interacts with Python. Emacs version 22.3, which
was just released, contains a fix. A patch for earlier version of Emacs
is described below.
The vulnerability may allow an attacker to run malicious code if the
user runs the Emacs command `run-python' while the current directory is
world-writable, or if the user toggles `eldoc-mode' and visits a Python
source file in a world-writable directory.
Description of the vulnerability:
The Emacs command `run-python' launches an interactive Python
interpreter. After the Python process starts up, Emacs automatically
sends it the line
import emacs
which normally imports a script named emacs.py which is distributed with
Emacs. This script, which is typically located in a write-protected
installation directory with other Emacs program files, defines various
functions to help the Python process communicate with Emacs.
The vulnerability arises because Python, by default, prepends '' to the
module search path, so modules are looked for in the current directory.
If the current directory is world-writable, an attacker may insert
malicious code by adding a fake Python module named emacs.py into that
directory.
Furthermore, emacs.py imports other non-built-in Python modules, such as
`inspect'. The same vulnerability exists for these import statements.
By default, merely visiting and editing a *.py source file does not
launch a Python subprocess; you either have to call `M-x run-python', or
enable Emacs code that calls `run-python' automatically, such as
`eldoc-mode'.
The Python developers, in a private communication, have stated that they
do not regard this module-importing behavior as a security problem for
Python per se, because running a python script in a world-writable
directory is itself a security hazard. In the Emacs context, however,
it's much less obvious that it's unsafe to call `run-python' while the
current directory is world-writable; therefore, the problem discussed
here can be regarded as a security risk.
The following patch, against the Emacs 22.2 source tree, removes '' from
sys.path in the command-line arguments for invoking the Python process.
(Because `sys' is a "built-in module", an attacker cannot insert
malicious code by adding sys.py to the current directory.)
*** emacs/lisp/progmodes/python.el 8 May 2008 03:42:10 -0000 1.89
--- emacs/lisp/progmodes/python.el 24 Aug 2008 19:47:09 -0000 1.90
***************
*** 1547,1553 ****
;; invoked. Would support multiple processes better.
(when (or new (not (comint-check-proc python-buffer)))
(with-current-buffer
! (let* ((cmdlist (append (python-args-to-list cmd) '("-i")))
(path (getenv "PYTHONPATH"))
(process-environment ; to import emacs.py
(cons (concat
"PYTHONPATH="
--- 1547,1555 ----
;; invoked. Would support multiple processes better.
(when (or new (not (comint-check-proc python-buffer)))
(with-current-buffer
! (let* ((cmdlist
! (append (python-args-to-list cmd)
! '("-i" "-c" "import sys; sys.path.remove('')")))
(path (getenv "PYTHONPATH"))
(process-environment ; to import emacs.py
(cons (concat
"PYTHONPATH="
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Emacs 22.3 released
2008-09-05 16:47 Emacs 22.3 released Chong Yidong
2008-09-05 17:16 ` Vulnerability in Emacs python integration Chong Yidong
@ 2008-09-05 17:21 ` Christian Faulhammer
2008-09-06 7:38 ` NEWS.22.3 missing (was: Emacs 22.3 released) Daniel Clemente
2008-09-07 3:10 ` Emacs 22.3 released Giorgos Keramidas
3 siblings, 0 replies; 5+ messages in thread
From: Christian Faulhammer @ 2008-09-05 17:21 UTC (permalink / raw)
To: emacs-devel
[-- Attachment #1: Type: text/plain, Size: 496 bytes --]
Hi,
Chong Yidong <cyd@stupidchicken.com>:
> GNU Emacs 22.3 has been released, and is now available at
> ftp.gnu.org/gnu/emacs/ and the GNU FTP mirrors (see
And now we play the old game: First! Gentoo has it in its
repositories..thanks for the work and we will see Emacs 22.3 in stable
branch in about 30 days, I hope.
V-Li
--
Christian Faulhammer, Gentoo Lisp project
<URL:http://www.gentoo.org/proj/en/lisp/>, #gentoo-lisp on FreeNode
<URL:http://www.faulhammer.org/>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 197 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* NEWS.22.3 missing (was: Emacs 22.3 released)
2008-09-05 16:47 Emacs 22.3 released Chong Yidong
2008-09-05 17:16 ` Vulnerability in Emacs python integration Chong Yidong
2008-09-05 17:21 ` Emacs 22.3 released Christian Faulhammer
@ 2008-09-06 7:38 ` Daniel Clemente
2008-09-07 3:10 ` Emacs 22.3 released Giorgos Keramidas
3 siblings, 0 replies; 5+ messages in thread
From: Daniel Clemente @ 2008-09-06 7:38 UTC (permalink / raw)
To: emacs-devel
Chong Yidong <cyd@stupidchicken.com> writes:
> GNU Emacs 22.3 has been released, and is now available at
> ftp.gnu.org/gnu/emacs/ and the GNU FTP mirrors (see
> http://www.gnu.org/order/ftp.html).
>
The main page is linking the file NEWS.22.2 instead of NEWS.22.3 (which is still not there).
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Emacs 22.3 released
2008-09-05 16:47 Emacs 22.3 released Chong Yidong
` (2 preceding siblings ...)
2008-09-06 7:38 ` NEWS.22.3 missing (was: Emacs 22.3 released) Daniel Clemente
@ 2008-09-07 3:10 ` Giorgos Keramidas
3 siblings, 0 replies; 5+ messages in thread
From: Giorgos Keramidas @ 2008-09-07 3:10 UTC (permalink / raw)
To: Chong Yidong; +Cc: emacs-devel
On Fri, 05 Sep 2008 12:47:34 -0400, Chong Yidong <cyd@stupidchicken.com> wrote:
> GNU Emacs 22.3 has been released, and is now available at
> ftp.gnu.org/gnu/emacs/ and the GNU FTP mirrors (see
> http://www.gnu.org/order/ftp.html).
>
> The MD5 check-sum for the source tarball is:
>
> aa8ba34f548cd78b35914ae5a7bb87eb emacs-22.3.tar.gz
Thank you!
I've just submitted an update to the FreeBSD port editors/emacs to bring
it up to this version of GNU Emacs.
Congratulations to everyone who contributed to this release :-)
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2008-09-07 3:10 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-09-05 16:47 Emacs 22.3 released Chong Yidong
2008-09-05 17:16 ` Vulnerability in Emacs python integration Chong Yidong
2008-09-05 17:21 ` Emacs 22.3 released Christian Faulhammer
2008-09-06 7:38 ` NEWS.22.3 missing (was: Emacs 22.3 released) Daniel Clemente
2008-09-07 3:10 ` Emacs 22.3 released Giorgos Keramidas
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).