From: Chong Yidong
Newsgroups: gmane.emacs.devel
Subject: Vulnerability in Emacs python integration
Date: Fri, 05 Sep 2008 13:16:38 -0400
Message-ID: <874p4u5x8p.fsf@cyd.mit.edu>
References: <87iqta5yl5.fsf@cyd.mit.edu>
To: emacs-devel@gnu.org
In-Reply-To: <87iqta5yl5.fsf@cyd.mit.edu> (Chong Yidong's message of "Fri, 05 Sep 2008 12:47:34 -0400")
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.3 (gnu/linux)

Romain Francoise has found a security risk in a feature of GNU Emacs related to how Emacs interacts with Python. Emacs version 22.3, which was just released, contains a fix. A patch for earlier versions of Emacs is described below.

The vulnerability may allow an attacker to run malicious code if the user runs the Emacs command `run-python' while the current directory is world-writable, or if the user toggles `eldoc-mode' and visits a Python source file in a world-writable directory.

Description of the vulnerability:

The Emacs command `run-python' launches an interactive Python interpreter. After the Python process starts up, Emacs automatically sends it the line

    import emacs

which normally imports a script named emacs.py which is distributed with Emacs. This script, which is typically located in a write-protected installation directory with other Emacs program files, defines various functions to help the Python process communicate with Emacs.

The vulnerability arises because Python, by default, prepends '' to the module search path, so modules are looked for in the current directory. If the current directory is world-writable, an attacker may insert malicious code by adding a fake Python module named emacs.py into that directory.

Furthermore, emacs.py imports other non-built-in Python modules, such as `inspect'. The same vulnerability exists for these import statements.
By default, merely visiting and editing a *.py source file does not launch a Python subprocess; you either have to call `M-x run-python', or enable Emacs code that calls `run-python' automatically, such as `eldoc-mode'.

The Python developers, in a private communication, have stated that they do not regard this module-importing behavior as a security problem for Python per se, because running a python script in a world-writable directory is itself a security hazard. In the Emacs context, however, it's much less obvious that it's unsafe to call `run-python' while the current directory is world-writable; therefore, the problem discussed here can be regarded as a security risk.

The following patch, against the Emacs 22.2 source tree, removes '' from sys.path in the command-line arguments for invoking the Python process. (Because `sys' is a "built-in module", an attacker cannot insert malicious code by adding sys.py to the current directory.)

*** emacs/lisp/progmodes/python.el 8 May 2008 03:42:10 -0000 1.89 --- emacs/lisp/progmodes/python.el 24 Aug 2008 19:47:09 -0000 1.90 *************** *** 1547,1553 **** ;; invoked. Would support multiple processes better. (when (or new (not (comint-check-proc python-buffer))) (with-current-buffer ! (let* ((cmdlist (append (python-args-to-list cmd) '("-i"))) (path (getenv "PYTHONPATH")) (process-environment ; to import emacs.py (cons (concat "PYTHONPATH=" --- 1547,1555 ---- ;; invoked. Would support multiple processes better. (when (or new (not (comint-check-proc python-buffer))) (with-current-buffer ! (let* ((cmdlist ! (append (python-args-to-list cmd) ! '("-i" "-c" "import sys; sys.path.remove('')"))) (path (getenv "PYTHONPATH")) (process-environment ; to import emacs.py (cons (concat "PYTHONPATH="
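Review bot: `sys.path.remove('')` in the new `-c` argument (the `'("-i" "-c" "import sys; sys.path.remove('')")` line of the hunk) is fragile in two ways. `list.remove` raises ValueError when `''` is absent, which would abort the startup command before the interpreter reaches the interactive prompt, and it removes only the first occurrence when there are several (the PYTHONPATH assembled from `(getenv "PYTHONPATH")` a few lines below could contribute an empty component of its own). A filter such as `import sys; sys.path = [p for p in sys.path if p != '']` drops every empty entry and is a no-op when there is none. The `; to import emacs.py` comment on `process-environment` could also say that the environment is now expected to be the only route by which emacs.py is found, since the current directory is no longer searched.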
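A defender-side check for the search-path condition the message describes (the implicit '' entry that Python prepends, and world-writable directories in general), as an added example that is not code from the advisory, from Emacs or from python.el. The function names are illustrative, and the two sample directories are constructed with `tempfile` inside `demo()` rather than taken from any real installation.

```python
"""Audit a Python module search path for entries an attacker could use to
shadow a module such as emacs.py: the empty string (the current directory,
which Python prepends by default) and world-writable directories.  Added
illustration; not code from the Emacs advisory or from python.el."""
import os
import stat
import tempfile


def is_world_writable(path):
    """True if `path` is a directory that other users can write to.

    The sticky bit is deliberately ignored: in a directory like /tmp anyone
    can still create a new emacs.py, they just cannot delete other users'
    files.  Missing or unreadable paths are reported as not writable."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def risky_entries(search_path):
    """Return the entries of `search_path` (a list shaped like sys.path) that
    let an untrusted party plant a module.  '' always counts, because the
    current directory is whatever it happens to be when the interpreter starts."""
    return [e for e in search_path if e == '' or is_world_writable(e)]


def hardened_path(search_path):
    """Drop every risky entry.  Unlike list.remove(''), this removes all
    occurrences and does not raise when there is nothing to remove."""
    bad = set(risky_entries(search_path))
    return [e for e in search_path if e not in bad]


def demo():
    """Constructed scenario: one world-writable scratch directory (the kind
    of place `run-python' might be started from), one private directory, and
    the implicit '' entry.  Returns what the audit finds so callers can
    check it; the scratch directories are removed before returning."""
    unsafe_dir = tempfile.mkdtemp(prefix='emacs-py-unsafe-')
    safe_dir = tempfile.mkdtemp(prefix='emacs-py-safe-')
    os.chmod(unsafe_dir, 0o777)   # world-writable, as in the advisory
    os.chmod(safe_dir, 0o755)     # owner-writable only
    search_path = ['', unsafe_dir, safe_dir]
    result = {
        'unsafe_dir': unsafe_dir,
        'safe_dir': safe_dir,
        'risky': risky_entries(search_path),
        'hardened': hardened_path(search_path),
    }
    os.rmdir(unsafe_dir)
    os.rmdir(safe_dir)
    return result


if __name__ == '__main__':
    r = demo()
    print('risky entries: ', r['risky'])
    print('hardened path: ', r['hardened'])
```

Running the block prints the entries the audit flags and the list that remains; the latter is what a launcher would install in place of sys.path. Where the patch above removes a single '' with `sys.path.remove('')`, `hardened_path` drops every risky entry and stays silent when there is none, which is the behaviour you want in a startup command that must not fail.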