Your message dated Fri, 17 Oct 2008 02:02:07 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#499568: fixed in emacs22 22.2+2-4
has caused the Debian Bug report #499568,
regarding emacs22-common: CVE-2008-3949: Interactive Python Session loads module from current directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
499568: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499568
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: emacs22-common
Version: 22.2+2-3
Severity: important
Tags: security patch fixed-upstream

The following mail was sent to the emacs-devel mailing list shortly
after the release of Emacs 22.3:

--- Begin Message ---
Romain Francoise has found a security risk in a feature of GNU Emacs
related to how Emacs interacts with Python.  Emacs version 22.3, which
was just released, contains a fix.  A patch for earlier versions of Emacs
is described below.

The vulnerability may allow an attacker to run malicious code if the
user runs the Emacs command `run-python' while the current directory is
world-writable, or if the user toggles `eldoc-mode' and visits a Python
source file in a world-writable directory.


Description of the vulnerability:

The Emacs command `run-python' launches an interactive Python
interpreter.  After the Python process starts up, Emacs automatically
sends it the line

import emacs

which normally imports a script named emacs.py which is distributed with
Emacs.  This script, which is typically located in a write-protected
installation directory with other Emacs program files, defines various
functions to help the Python process communicate with Emacs.

The vulnerability arises because Python, by default, prepends '' to the
module search path, so modules are looked for in the current directory.
If the current directory is world-writable, an attacker may insert
malicious code by adding a fake Python module named emacs.py into that
directory.

Furthermore, emacs.py imports other non-built-in Python modules, such as
`inspect'.  The same vulnerability exists for these import statements.

By default, merely visiting and editing a *.py source file does not
launch a Python subprocess; you either have to call `M-x run-python', or
enable Emacs code that calls `run-python' automatically, such as
`eldoc-mode'.

The Python developers, in a private communication, have stated that they
do not regard this module-importing behavior as a security problem for
Python per se, because running a python script in a world-writable
directory is itself a security hazard.  In the Emacs context, however,
it's much less obvious that it's unsafe to call `run-python' while the
current directory is world-writable; therefore, the problem discussed
here can be regarded as a security risk.

The following patch, against the Emacs 22.2 source tree, removes '' from
sys.path in the command-line arguments for invoking the Python process.
(Because `sys' is a "built-in module", an attacker cannot insert
malicious code by adding sys.py to the current directory.)

*** emacs/lisp/progmodes/python.el    8 May 2008 03:42:10 -0000      1.89
--- emacs/lisp/progmodes/python.el    24 Aug 2008 19:47:09 -0000     1.90
***************
*** 1547,1553 ****
    ;; invoked.  Would support multiple processes better.
    (when (or new (not (comint-check-proc python-buffer)))
      (with-current-buffer
!     (let* ((cmdlist (append (python-args-to-list cmd) '("-i")))
             (path (getenv "PYTHONPATH"))
                    (process-environment        ; to import emacs.py
                                                (cons (concat
                                                "PYTHONPATH="
--- 1547,1555 ----
    ;; invoked.  Would support multiple processes better.
    (when (or new (not (comint-check-proc python-buffer)))
      (with-current-buffer
!     (let* ((cmdlist
!           (append (python-args-to-list cmd)
!                                        '("-i" "-c" "import sys; 
sys.path.remove('')")))
               (path (getenv "PYTHONPATH"))
                      (process-environment      ; to import emacs.py
                                                (cons (concat
                                                "PYTHONPATH="
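Review bot: sys.path.remove('') in the new "-c" argument removes only the first '' entry, so the hunk leaves the current directory searchable whenever a second empty entry exists; in Python 2 an empty component in PYTHONPATH (in the user's own value, or in the value the following (concat "PYTHONPATH=" ...) builds from it) also appears in sys.path as '' and would still be consulted for `import emacs'. A filter such as import sys; sys.path[:] = [p for p in sys.path if p != ''] drops every occurrence and, unlike remove, does not raise ValueError if no '' is present. Separately, because "-i" "-c" ... is appended after (python-args-to-list cmd), a python-command that already names a script turns both options into arguments of that script and the prelude never runs; placing the options before any script argument, and adding a comment above the let* saying why "-c" is passed, would make the fix robust and self-explaining.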




--- End Message ---

If you fix this vulnerability please also include the CVE id
in your changelog entry.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26.5-libata
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages emacs22-common depends on:
ii  dpkg                          1.14.22    Debian package management system
ii  emacsen-common                1.4.17     Common facilities for all emacsen

emacs22-common recommends no packages.

Versions of packages emacs22-common suggests:
pn  emacs22-common-non-dfsg       <none>     (no description available)
ii  emacs22-el                    22.2+2-3   GNU Emacs LISP (.el) files

-- no debconf information

--- End Message ---
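The search-path hijack described in the report, reproduced end to end. This is an added example and not code from the bug report, from Emacs or from the Debian package: it starts a child interpreter the way `run-python' does (python -c ...), plants a fake emacs.py in the child's current directory, and then runs the same `import emacs' with and without the patch's prelude. The module name emacs is the real one from the report; the HIJACKED marker, the temporary directory and the environment scrubbing are constructed for the demonstration.

```python
"""Reproduce the CVE-2008-3949 import hijack and check the sys.path fix.

Added example, not code from the bug report or from Emacs.  A child
interpreter is started in a directory that an attacker could write to,
and `import emacs' is issued exactly as Emacs issues it.  While '' is on
sys.path the planted file wins; after the patched prelude it is ignored.
"""
import os
import subprocess
import sys
import tempfile

# Constructed attacker payload standing in for the emacs.py that Emacs
# expects to import.  HIJACKED is only a marker for the check below.
TARGET_MODULE = "emacs"
PAYLOAD = "# planted by the attacker in a world-writable directory\nHIJACKED = True\n"

# The prelude the Emacs patch passes via -c before `import emacs'.
FIX_PRELUDE = "import sys; sys.path.remove('')"


def run_python(cwd, apply_fix):
    """Run `import emacs' in a child interpreter whose cwd is `cwd'.

    Returns 'HIJACKED <realpath>' when the planted module was imported,
    'OTHER <realpath>' when some other emacs module was found, or
    'IMPORT_FAILED' when the import raised ImportError.
    """
    probe = "\n".join([
        FIX_PRELUDE if apply_fix else "pass",
        "import os",
        "try:",
        "    import %s as m" % TARGET_MODULE,
        "except ImportError:",
        "    print('IMPORT_FAILED')",
        "else:",
        "    tag = 'HIJACKED' if getattr(m, 'HIJACKED', False) else 'OTHER'",
        "    print(tag, os.path.realpath(m.__file__))",
    ])
    env = dict(os.environ)
    # Isolate the child: no inherited PYTHONPATH, and do not let Python
    # 3.11+'s PYTHONSAFEPATH suppress the '' entry that -c normally adds.
    env.pop("PYTHONPATH", None)
    env.pop("PYTHONSAFEPATH", None)
    res = subprocess.run([sys.executable, "-c", probe], cwd=cwd, env=env,
                         capture_output=True, text=True, check=True)
    return res.stdout.strip()


def demo():
    """Plant emacs.py in a fresh directory; import it with and without the fix.

    Returns (unpatched_result, patched_result, planted_path).
    """
    with tempfile.TemporaryDirectory() as cwd:
        planted = os.path.realpath(os.path.join(cwd, TARGET_MODULE + ".py"))
        with open(planted, "w") as fh:
            fh.write(PAYLOAD)
        unpatched = run_python(cwd, apply_fix=False)
        patched = run_python(cwd, apply_fix=True)
    return unpatched, patched, planted


if __name__ == "__main__":
    before, after, path = demo()
    print("planted:     ", path)
    print("without fix: ", before)   # the attacker's emacs.py is imported
    print("with fix:    ", after)    # the current directory is no longer searched
```

The child scrubs PYTHONPATH so that the only path entries are '' and the standard library; in a real session the PYTHONPATH that Emacs prepends for its own emacs.py would be present as well, which is why the report's fix has to remove '' rather than rely on that prefix.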
--- Begin Message ---
Source: emacs22
Source-Version: 22.2+2-4

We believe that the bug you reported is fixed in the latest version of
emacs22, which is due to be installed in the Debian FTP archive:

emacs22-bin-common_22.2+2-4_i386.deb
  to pool/main/e/emacs22/emacs22-bin-common_22.2+2-4_i386.deb
emacs22-common_22.2+2-4_all.deb
  to pool/main/e/emacs22/emacs22-common_22.2+2-4_all.deb
emacs22-el_22.2+2-4_all.deb
  to pool/main/e/emacs22/emacs22-el_22.2+2-4_all.deb
emacs22-gtk_22.2+2-4_i386.deb
  to pool/main/e/emacs22/emacs22-gtk_22.2+2-4_i386.deb
emacs22-nox_22.2+2-4_i386.deb
  to pool/main/e/emacs22/emacs22-nox_22.2+2-4_i386.deb
emacs22_22.2+2-4.diff.gz
  to pool/main/e/emacs22/emacs22_22.2+2-4.diff.gz
emacs22_22.2+2-4.dsc
  to pool/main/e/emacs22/emacs22_22.2+2-4.dsc
emacs22_22.2+2-4_i386.deb
  to pool/main/e/emacs22/emacs22_22.2+2-4_i386.deb
emacs_22.2+2-4_all.deb
  to pool/main/e/emacs22/emacs_22.2+2-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <[EMAIL PROTECTED]> (supplier of updated emacs22 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Oct 2008 21:28:47 -0700
Source: emacs22
Binary: emacs emacs22 emacs22-nox emacs22-gtk emacs22-bin-common emacs22-common emacs22-el
Architecture: source all i386
Version: 22.2+2-4
Distribution: unstable
Urgency: medium
Maintainer: Rob Browning <[EMAIL PROTECTED]>
Changed-By: Rob Browning <[EMAIL PROTECTED]>
Description: 
 emacs      - The GNU Emacs editor (metapackage)
 emacs22    - The GNU Emacs editor
 emacs22-bin-common - The GNU Emacs editor's shared, architecture dependent files
 emacs22-common - The GNU Emacs editor's shared, architecture independent infrastru
 emacs22-el - GNU Emacs LISP (.el) files
 emacs22-gtk - The GNU Emacs editor (with GTK user interface)
 emacs22-nox - The GNU Emacs editor (without X support)
Closes: 447378 476108 499568
Changes: 
 emacs22 (22.2+2-4) unstable; urgency=medium
 .
   * Fix a security problem related to the invocation of python
     (CVE-2008-3949).  Avoid including the current directory in the module
     lookup path when invoking python from python.el.  Thanks to Sven
     Joachim <[EMAIL PROTECTED]> and Michael Berg <[EMAIL PROTECTED]>.
     (closes: #499568)
 .
   * Invoke xmlstarlet from flymake as xmlstarlet rather than xml.  Thanks
     to Jussi Judin <[EMAIL PROTECTED]>. (closes: #447378)
 .
   * Fix vc-mode's handling of internal temporary buffers.  This should
     avoid failures when trying to open files under monotone version
     control.  Thanks to Sven Joachim <[EMAIL PROTECTED]> and Michael Berg
     <[EMAIL PROTECTED]>. (closes: #476108)
Checksums-Sha1: 
 69718012718c33b073142c79f7fe054ed846c202 1340 emacs22_22.2+2-4.dsc
 c87ec6f1735aff3f21a393cd1de367c465c2b38b 45460 emacs22_22.2+2-4.diff.gz
 19cbb5ea528f335bb167f11105948b28662f81d6 19778 emacs_22.2+2-4_all.deb
 9184cfc7436fb7164cc3c90685979a56b9ae2591 14628030 emacs22-common_22.2+2-4_all.deb
 a232ad7c72c7db2fd8d43683063366ce1ebf4e6a 11357252 emacs22-el_22.2+2-4_all.deb
 fa9fb9a9b1cfe63d7f4df66e5f4d30df6968d13f 2606864 emacs22_22.2+2-4_i386.deb
 60a8d575cd43bdf6d70f8d77bcf641d1c51bae12 2339278 emacs22-nox_22.2+2-4_i386.deb
 7ad563330e1e2a2d595baa74dfb197410f61bd03 2596376 emacs22-gtk_22.2+2-4_i386.deb
 ce5d0f5fc57164a05009d3fad0a2c911a323d72d 165122 emacs22-bin-common_22.2+2-4_i386.deb
Checksums-Sha256: 
 5c46f7e73d53edf286317380b79183023533cc29d1db0fca6ee02a386a984357 1340 emacs22_22.2+2-4.dsc
 85f4293d1f9a47b169873bcaf5461ed751f391be3b76bfc8e4565274b24ea1c9 45460 emacs22_22.2+2-4.diff.gz
 525c7db3703a49b4fe8976d837e484bd9e9f0f53de7afc6a258858b12f5a62bc 19778 emacs_22.2+2-4_all.deb
 36fad4ba39cc319f2be34185bb8ce264c96f251c3ce04be0a977b459f876cc6b 14628030 emacs22-common_22.2+2-4_all.deb
 26cfe3f2c66fdbbd5741554563ad34c9ce4757371bee7222d3a29fc0731507e6 11357252 emacs22-el_22.2+2-4_all.deb
 00af5e124348c0f38327616201013b32c028e709b980cfdcc99dbe5c66ed80f4 2606864 emacs22_22.2+2-4_i386.deb
 600995816fbd7d3c947b5990e39bb5ceee9de59cba496753ba0f2417ae87851a 2339278 emacs22-nox_22.2+2-4_i386.deb
 50aa87ee8a185043e7b30a4c72190836bfbe078a05f1042b8a895b1ab736b0d2 2596376 emacs22-gtk_22.2+2-4_i386.deb
 17b7fa8ae0ccd3f7caa6b6eec7fe6998b14c7ac74544a32d1d6513f4cc498f38 165122 emacs22-bin-common_22.2+2-4_i386.deb
Files: 
 c1f78bfc9a2dbfdb9ed3d99abc25a6b2 1340 editors optional emacs22_22.2+2-4.dsc
 aaf04d992f617f1848d628cccc0ac25f 45460 editors optional emacs22_22.2+2-4.diff.gz
 f91f0e83a2b8fbcc610c024486bf28c5 19778 editors optional emacs_22.2+2-4_all.deb
 f16d905a5c083104ce3a86d730610a01 14628030 editors optional emacs22-common_22.2+2-4_all.deb
 886c564698c6d0bb5ae1ca1c3996e34d 11357252 editors optional emacs22-el_22.2+2-4_all.deb
 099862d5c04036fae01310fd2976bc69 2606864 editors optional emacs22_22.2+2-4_i386.deb
 b0bb50be3c80eb631d7b4740aa4b4b7f 2339278 editors optional emacs22-nox_22.2+2-4_i386.deb
 147952f1dcbf1a997253677d4bfd692a 2596376 editors optional emacs22-gtk_22.2+2-4_i386.deb
 84c4cd358a10c49d952d450927631580 165122 editors optional emacs22-bin-common_22.2+2-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj37vgACgkQJcjTd4x+c6QGagCgqvTWqrn4mThlWurlNvROAuEi
3D8An2qKrY7ZvCl/L/Pd3gV9yaMkBaBN
=uOl+
-----END PGP SIGNATURE-----



--- End Message ---