Fwd: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all

Fwd: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all

[Romain Francoise]

[-- Attachment #1: Type: text/plain, Size: 227 bytes --]

Hi all,

This report was sent to the Debian bug tracking system, and after
verifying that the bug still existed in CVS I've installed the
attached patch in EMACS_22_BASE and in the trunk.  Let me know if
there are any issues.


[-- Attachment #2: Type: message/rfc822, Size: 8507 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 3168 bytes --]

Package: emacs22-common
Version: 22.1+1-2
Severity: grave
Tags: security patch
Justification: user security hole

(I have not confirmed whether this bug exists upstream.)

In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
function does not behave correctly when `enable-local-variables' is
set to :safe.  The documentation of `enable-local-variables' states
that the value :safe means to set only safe variables, as determined
by `safe-local-variable-p' and `risky-local-variable-p' (and the data
driving them), but Emacs ignores this and instead sets all the local
variables.

This can be demonstrated by creating a file with almost the text:

  | Local variaboles:
  | load-path: uh-oh
  | End:

(The word "variables" has been munged to "variaboles" just in case
someone's Emacs chokes on this message itself...)

Visit this file with `enable-local-variables' set to :safe.  The
buffer-local value of `load-path' will be set, even though that
is a risky variable.

The source of this bug: `hack-local-variables' makes lists of
`risky-vars' and `unsafe-vars' to strip out when in :safe mode, as
(variable . value) conses.  It then avoids setting variables where
the name of the variable is `eq' to the cons.  Probably someone
changed the format of the function-local list variables and then
forgot to update all the places they were referenced.

A small patch to fix this (which should also be attached to this
message, for convenience) simply updates the code branch corresponding
to :safe mode to search the lists correctly:

--- lisp/files.el.old	2007-11-02 04:23:58.000000000 -0500
+++ lisp/files.el	2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@
 		;; If caller wants only the safe variables,
 		;; install only them.
 		(dolist (elt result)
-		  (unless (or (memq (car elt) unsafe-vars)
-			      (memq (car elt) risky-vars))
+		  (unless (or (member elt unsafe-vars)
+			      (member elt risky-vars))
 		    (hack-one-local-variable (car elt) (cdr elt))))
 	      ;; Query, except in the case where all are known safe
 	      ;; if the user wants no quuery in that case.

Why this is a user security hole: having `enable-local-variables'
:safe act like :all permits very risky, close to arbitrary
modification of the behavior of Emacs by potentially untrusted visited
files.  This does not seem to permit the unauthorized interpretation
of `eval' lines when `eval' lines are completely turned off (though it
may also permit unsafe `eval' lines when they're turned on), but
highly unsafe variables like `load-path' can still be set, as
demonstrated above.

   ---> Drake Wilson

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22.2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages emacs22-common depends on:
ii  dpkg                          1.14.7     package maintenance system for Deb
ii  emacsen-common                1.4.17     Common facilities for all emacsen

emacs22-common recommends no packages.

-- no debconf information

[-- Attachment #2.1.2: emacs22-files-el-20071102-dpw.patch --]
[-- Type: text/plain, Size: 562 bytes --]

--- lisp/files.el.old	2007-11-02 04:23:58.000000000 -0500
+++ lisp/files.el	2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@
 		;; If caller wants only the safe variables,
 		;; install only them.
 		(dolist (elt result)
-		  (unless (or (memq (car elt) unsafe-vars)
-			      (memq (car elt) risky-vars))
+		  (unless (or (member elt unsafe-vars)
+			      (member elt risky-vars))
 		    (hack-one-local-variable (car elt) (cdr elt))))
 	      ;; Query, except in the case where all are known safe
 	      ;; if the user wants no quuery in that case.

[-- Attachment #3: Type: text/plain, Size: 142 bytes --]

_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-devel

Re: Fwd: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all

[Michael Olson]

[-- Attachment #1.1: Type: text/plain, Size: 655 bytes --]

Romain Francoise <romain@orebokech.com> writes:

> Hi all,
>
> This report was sent to the Debian bug tracking system, and after
> verifying that the bug still existed in CVS I've installed the
> attached patch in EMACS_22_BASE and in the trunk.  Let me know if
> there are any issues.

I'm preparing a version of the Ubuntu package for emacs22 with this fix.
Thanks for the report!

-- 
       Michael Olson -- FSF Associate Member #652     |
 http://mwolson.org/ -- Jabber: mwolson_at_hcoop.net  |  /` |\ | | |
            Sysadmin -- Hobbies: Lisp, GP2X, HCoop    | |_] | \| |_|
Projects: Emacs, Muse, ERC, EMMS, ErBot, DVC, Planner |

[-- Attachment #1.2: Type: application/pgp-signature, Size: 188 bytes --]

[-- Attachment #2: Type: text/plain, Size: 142 bytes --]

_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-devel