* Emacs 22.3 released
From: Chong Yidong @ 2008-09-05 16:47 UTC
To: emacs-devel

GNU Emacs 22.3 has been released, and is now available at
ftp.gnu.org/gnu/emacs/ and the GNU FTP mirrors (see
http://www.gnu.org/order/ftp.html).

The MD5 check-sum for the source tarball is:

aa8ba34f548cd78b35914ae5a7bb87eb  emacs-22.3.tar.gz

Please send any bug reports to bug-gnu-emacs@gnu.org. Within Emacs,
you can do this using the command M-x report-emacs-bug.

Emacs 22.3 is a bugfix release.
* Vulnerability in Emacs python integration
From: Chong Yidong @ 2008-09-05 17:16 UTC
To: emacs-devel

Romain Francoise has found a security risk in a feature of GNU Emacs
related to how Emacs interacts with Python. Emacs version 22.3, which
was just released, contains a fix. A patch for earlier versions of
Emacs is described below.

The vulnerability may allow an attacker to run malicious code if the
user runs the Emacs command `run-python' while the current directory
is world-writable, or if the user toggles `eldoc-mode' and visits a
Python source file in a world-writable directory.

Description of the vulnerability:

The Emacs command `run-python' launches an interactive Python
interpreter. After the Python process starts up, Emacs automatically
sends it the line

    import emacs

which normally imports a script named emacs.py which is distributed
with Emacs. This script, which is typically located in a
write-protected installation directory with other Emacs program files,
defines various functions to help the Python process communicate with
Emacs.

The vulnerability arises because Python, by default, prepends '' to
the module search path, so modules are looked for in the current
directory. If the current directory is world-writable, an attacker may
insert malicious code by adding a fake Python module named emacs.py
into that directory.

Furthermore, emacs.py imports other non-built-in Python modules, such
as `inspect'. The same vulnerability exists for these import
statements.

By default, merely visiting and editing a *.py source file does not
launch a Python subprocess; you either have to call `M-x run-python',
or enable Emacs code that calls `run-python' automatically, such as
`eldoc-mode'.
The Python developers, in a private communication, have stated that
they do not regard this module-importing behavior as a security
problem for Python per se, because running a python script in a
world-writable directory is itself a security hazard. In the Emacs
context, however, it's much less obvious that it's unsafe to call
`run-python' while the current directory is world-writable; therefore,
the problem discussed here can be regarded as a security risk.

The following patch, against the Emacs 22.2 source tree, removes ''
from sys.path in the command-line arguments for invoking the Python
process. (Because `sys' is a "built-in module", an attacker cannot
insert malicious code by adding sys.py to the current directory.)

*** emacs/lisp/progmodes/python.el 8 May 2008 03:42:10 -0000 1.89 --- emacs/lisp/progmodes/python.el 24 Aug 2008 19:47:09 -0000 1.90 *************** *** 1547,1553 **** ;; invoked. Would support multiple processes better. (when (or new (not (comint-check-proc python-buffer))) (with-current-buffer ! (let* ((cmdlist (append (python-args-to-list cmd) '("-i"))) (path (getenv "PYTHONPATH")) (process-environment ; to import emacs.py (cons (concat "PYTHONPATH=" --- 1547,1555 ---- ;; invoked. Would support multiple processes better. (when (or new (not (comint-check-proc python-buffer))) (with-current-buffer ! (let* ((cmdlist ! (append (python-args-to-list cmd) ! '("-i" "-c" "import sys; sys.path.remove('')"))) (path (getenv "PYTHONPATH")) (process-environment ; to import emacs.py (cons (concat "PYTHONPATH="
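Review bot: the new `-c` argument, `"import sys; sys.path.remove('')"`, raises ValueError whenever '' is not present in sys.path, and list.remove drops only the first occurrence; because the interpreter is started with `-i`, the ValueError does not stop it, but the traceback lands in the comint buffer on every such start. A form that tolerates absence and removes every empty entry, for example `import sys; sys.path[:] = [p for p in sys.path if p]`, avoids both problems. The hunk also rebuilds PYTHONPATH from `(getenv "PYTHONPATH")` on the following lines, and an empty component in that variable (a leading or doubled colon) is another way the working directory ends up on the search path, so that concatenation deserves the same scrutiny. Finally, there is no comment next to the new `-c` argument explaining why '' is being removed; a one-line reference to the current-directory shadowing risk would keep a future cleanup from reverting it.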
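The shadowing described in the message above (a same-named module in the working directory being imported in place of the intended emacs.py) can be audited and mitigated from the Python side as well. The following is an added example, not code from this thread or from Emacs's python.el; it targets Python 3 (the thread's patch predates that), builds a constructed scratch directory holding a decoy `emacs.py`, and reports which import names would resolve from that directory without executing anything, then shows a sys.path cleanup that removes every '' entry and any absolute spelling of the working directory without the ValueError that a bare `sys.path.remove('')` raises when '' is absent.

```python
"""Audit and harden a module search path against current-directory shadowing.

Added example (not from the Emacs thread or the Emacs project). Python 3 only:
it relies on importlib.machinery.PathFinder.find_spec, which locates a module
on a given path list without importing it.
"""
import importlib.machinery
import tempfile
from pathlib import Path


def shadowed_imports(names, directory):
    """Return the subset of `names` that would be satisfied from `directory`
    if that directory sat first on sys.path. find_spec only locates the
    module file, so a decoy is reported, never executed."""
    found = []
    for name in names:
        spec = importlib.machinery.PathFinder.find_spec(name, [str(directory)])
        if spec is not None:
            found.append(name)
    return found


def strip_cwd_entries(path_entries, cwd):
    """Return a copy of `path_entries` without '' and without any entry that
    resolves to `cwd`. Unlike sys.path.remove(''), this never raises when
    '' is absent and it removes every matching entry, not only the first."""
    cwd_resolved = Path(cwd).resolve()
    cleaned = []
    for entry in path_entries:
        if entry == "":
            continue
        try:
            if Path(entry).resolve() == cwd_resolved:
                continue
        except OSError:
            # Unresolvable entry: keep it, it cannot be the working directory.
            pass
        cleaned.append(entry)
    return cleaned


def demo():
    """Constructed scenario: a scratch directory holding a decoy emacs.py,
    standing in for a world-writable working directory."""
    with tempfile.TemporaryDirectory() as scratch:
        # Constructed decoy with the same name as the helper Emacs imports.
        Path(scratch, "emacs.py").write_text("# decoy module, never imported\n")
        wanted = ["emacs", "inspect", "sys"]   # names the real emacs.py pulls in
        shadowed = shadowed_imports(wanted, scratch)
        # Hypothetical search path: '' (the cwd), the scratch dir itself, and
        # a placeholder install directory; only the last one should survive.
        cleaned = strip_cwd_entries(["", scratch, "/usr/share/emacs/etc"], scratch)
        return shadowed, cleaned


if __name__ == "__main__":
    shadowed, cleaned = demo()
    print("would be shadowed from the working directory:", shadowed)
    print("sanitized search path:", cleaned)
```

`shadowed_imports` is the check worth running before any tool launches a helper interpreter from an untrusted directory: it flags `emacs` (the decoy is found) but not `inspect` (not present in the scratch directory) or `sys` (built in, never resolved from the file system, which is the reason the thread's patch can rely on it). `strip_cwd_entries` is the cleanup to apply to `sys.path` in a `-c` prologue or a site hook in place of `remove('')`.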
* Re: Emacs 22.3 released
From: Christian Faulhammer @ 2008-09-05 17:21 UTC
To: emacs-devel

Hi,

Chong Yidong <cyd@stupidchicken.com>:
> GNU Emacs 22.3 has been released, and is now available at
> ftp.gnu.org/gnu/emacs/ and the GNU FTP mirrors (see

And now we play the old game: First! Gentoo has it in its
repositories... thanks for the work and we will see Emacs 22.3 in
stable branch in about 30 days, I hope.

V-Li

--
Christian Faulhammer, Gentoo Lisp project
<URL:http://www.gentoo.org/proj/en/lisp/>, #gentoo-lisp on FreeNode

<URL:http://www.faulhammer.org/>
* NEWS.22.3 missing (was: Emacs 22.3 released)
From: Daniel Clemente @ 2008-09-06 7:38 UTC
To: emacs-devel

Chong Yidong <cyd@stupidchicken.com> writes:
> GNU Emacs 22.3 has been released, and is now available at
> ftp.gnu.org/gnu/emacs/ and the GNU FTP mirrors (see
> http://www.gnu.org/order/ftp.html).
>

The main page is linking the file NEWS.22.2 instead of NEWS.22.3
(which is still not there).
* Re: Emacs 22.3 released
From: Giorgos Keramidas @ 2008-09-07 3:10 UTC
To: Chong Yidong; +Cc: emacs-devel

On Fri, 05 Sep 2008 12:47:34 -0400, Chong Yidong <cyd@stupidchicken.com> wrote:
> GNU Emacs 22.3 has been released, and is now available at
> ftp.gnu.org/gnu/emacs/ and the GNU FTP mirrors (see
> http://www.gnu.org/order/ftp.html).
>
> The MD5 check-sum for the source tarball is:
>
> aa8ba34f548cd78b35914ae5a7bb87eb  emacs-22.3.tar.gz

Thank you! I've just submitted an update to the FreeBSD port
editors/emacs to bring it up to this version of GNU Emacs.

Congratulations to everyone who contributed to this release :-)