I've uploaded emacs22 22.2+2-4 unstable, which includes a CVE fix along with two other fixes that involved minor changes. Please consider this for lenny, and please let me know if I need to do anything further.
Below are the debian/ diffs followed by the new debian/patches files. The debian/patches files are separated from each other by pairs of lines of equal signs. I included the patch files directly, so that you wouldn't have to read a diff of a diff. The xmlstarlet patch fixes a Debian specific problem (different binary name), and the other two patches have already been incorporated upstream. Thanks for the help. --- a/changelog +++ b/changelog @@ -1,8 +1,26 @@ +emacs22 (22.2+2-4) unstable; urgency=medium + + * Fix a security problem related to the invocation of python + (CVE-2008-3949). Avoid including the current directory in the module + lookup path when invoking python from python.el. Thanks to Sven + Joachim <[EMAIL PROTECTED]> and Michael Berg <[EMAIL PROTECTED]>. + (closes: #499568) + + * Invoke xmlstarlet from flymake as xmlstarlet rather than xml. Thanks + to Jussi Judin <[EMAIL PROTECTED]>. (closes: #447378) + + * Fix vc-mode's handling of internal temporary buffers. This should + avoid failures when trying to open files under monotone version + control. Thanks to Sven Joachim <[EMAIL PROTECTED]> and Michael Berg + <[EMAIL PROTECTED]>. (closes: #476108) + + -- Rob Browning <[EMAIL PROTECTED]> Tue, 14 Oct 2008 21:28:47 -0700 + emacs22 (22.2+2-3) unstable; urgency=medium * Fix an insecurity related to fast-lock-cache-directories - (CVE-2008-2142). Thanks to Provided-by: Sven Joachim <[EMAIL PROTECTED]> - and Morten Welinder <[EMAIL PROTECTED]>. (closes: #480885) + (CVE-2008-2142). Thanks to Sven Joachim <[EMAIL PROTECTED]> and Morten + Welinder <[EMAIL PROTECTED]>. (closes: #480885) * Don't remove /usr/local/share/emacs/site-lisp in emacs22-common. Leave that up to emacsen-common. Thanks to Sven Joachim diff --git a/patches/series b/patches/series index 232839f..4f7d095 100644 --- a/patches/series +++ b/patches/series 
@@ -12,4 +12,7 @@ make-fast-lock-cache-directories-risky-cve-2008-2142.diff fix-mule-select-safe-coding.diff look-for-news-to-find-etc.diff fix-woman2-th.diff +fix-python-module-handling-cve-2008-3949.diff +fix-flymake-xmlstarlet-invocation.diff +do-not-show-vc-internal-tmp-buffers.diff autofiles.diff Here are the new debian/patches files separated by line pairs like this: =================================================================== =================================================================== * A problem with vc mode's handling of temporary buffers has been fixed. Patch: do-not-show-vc-internal-tmp-buffers.diff Provided-by: Sven Joachim <[EMAIL PROTECTED]> Originally-reported-by: Michael Berg <[EMAIL PROTECTED]> Date: Mon, 14 Apr 2008 14:36:05 UTC Added-by: Rob Browning <[EMAIL PROTECTED]> Status: incorporated upstream Bug: 476108 Emacs should no longer fail when trying to open files under monotone version control. From the upstream ChangeLog: 2008-03-29 Stefan Monnier <[EMAIL PROTECTED]> * vc.el (vc-do-command): Don't show internal temp buffers. Index: sid/lisp/vc.el =================================================================== --- sid.orig/lisp/vc.el +++ sid/lisp/vc.el 
@@ -1047,9 +1047,14 @@ (when (and (not (eq t okstatus)) (or (not (integerp status)) (and okstatus (< okstatus status)))) - (pop-to-buffer (current-buffer)) - (goto-char (point-min)) - (shrink-window-if-larger-than-buffer) + ;; Don't show internal temp buffers. Especially since, together + ;; with with-temp-buffer and pop-up-frames, this can result in + ;; bugs where with-temp-buffer ends up not preserving + ;; current-buffer (because kill-buffer doesn't preserve it). + (unless (eq ?\s (aref (buffer-name (current-buffer)) 0)) + (pop-to-buffer (current-buffer)) + (goto-char (point-min)) + (shrink-window-if-larger-than-buffer)) (error "Running %s...FAILED (%s)" command (if (integerp status) (format "status %d" status) status)))) (if vc-command-messages =================================================================== =================================================================== * Emacs now invokes the correct xmlstarlet executable on Debian systems. Patch: fix-flymake-xmlstarlet-invocation.diff Provided-by: Jussi Judin <[EMAIL PROTECTED]> Date: Sat, 20 Oct 2007 14:42:02 UTC Added-by: Rob Browning <[EMAIL PROTECTED]> Status: Debian specific Bug: 447378 Emacs invokes xmlstarlet rather than xml, which is the correct executable name on Debian systems. Index: sid/lisp/progmodes/flymake.el =================================================================== --- sid.orig/lisp/progmodes/flymake.el +++ sid/lisp/progmodes/flymake.el 
@@ -1756,7 +1756,7 @@ ;;;; xml-specific init-cleanup routines (defun flymake-xml-init () - (list "xml" (list "val" (flymake-init-create-temp-buffer-copy 'flymake-create-temp-inplace)))) + (list "xmlstarlet" (list "val" (flymake-init-create-temp-buffer-copy 'flymake-create-temp-inplace)))) (provide 'flymake) =================================================================== =================================================================== * Python mode will not inappropriately load modules in the current directory. Patch: fix-python-module-handling-cve-2008-3949.diff Provided-by: Chong Yidong <[EMAIL PROTECTED]> Originally-reported-by: Sven Joachim <[EMAIL PROTECTED]> Date: Fri, 19 Sep 2008 23:06:33 +0200 Added-by: Rob Browning <[EMAIL PROTECTED]> Status: incorporated upstream Chong Yidong <[EMAIL PROTECTED]> describes the problem as follows: The Emacs command `run-python' launches an interactive Python interpreter. After the Python process starts up, Emacs automatically sends it the line import emacs which normally imports a script named emacs.py which is distributed with Emacs. This script, which is typically located in a write-protected installation directory with other Emacs program files, defines various functions to help the Python process communicate with Emacs. The vulnerability arises because Python, by default, prepends '' to the module search path, so modules are looked for in the current directory. If the current directory is world-writable, an attacker may insert malicious code by adding a fake Python module named emacs.py into that directory. Furthermore, emacs.py imports other non-built-in Python modules, such as `inspect'. The same vulnerability exists for these import statements. By default, merely visiting and editing a *.py source file does not launch a Python subprocess; you either have to call `M-x run-python', or enable Emacs code that calls `run-python' automatically, such as `eldoc-mode'. 
The Python developers, in a private communication, have stated that they do not regard this module-importing behavior as a security problem for Python per se, because running a python script in a world-writable directory is itself a security hazard. In the Emacs context, however, it's much less obvious that it's unsafe to call `run-python' while the current directory is world-writable; therefore, the problem discussed here can be regarded as a security risk. The fix adds arguments to the invocation of Python which remove '' from sys.path. Since sys is a built-in module, it cannot be overridden via the current directory before this code executes. Index: sid/lisp/progmodes/python.el =================================================================== --- sid.orig/lisp/progmodes/python.el +++ sid/lisp/progmodes/python.el @@ -1355,7 +1355,9 @@ ;; invoked. Would support multiple processes better. (when (or new (not (comint-check-proc python-buffer))) (with-current-buffer - (let* ((cmdlist (append (python-args-to-list cmd) '("-i"))) + (let* ((cmdlist + (append (python-args-to-list cmd) + '("-i" "-c" "import sys; sys.path.remove('')"))) (path (getenv "PYTHONPATH")) (process-environment ; to import emacs.py (cons (concat "PYTHONPATH=" data-directory =================================================================== =================================================================== -- Rob Browning rlb @defaultvalue.org and @debian.org; previously @cs.utexas.edu GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
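Review bot: in the vc.el hunk (do-not-show-vc-internal-tmp-buffers.diff), the new `(unless (eq ?\s (aref (buffer-name (current-buffer)) 0)) ...)` correctly stops internal, space-prefixed temp buffers from being popped up, but the `(error "Running %s...FAILED (%s)" ...)` that follows still reports only the command name and exit status, so for those buffers the command's actual output is now never shown to the user. Consider appending a (truncated) copy of the buffer text to the error message, or writing it to *Messages*, so that the monotone failures this patch targets remain diagnosable.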
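Review bot: the flymake.el hunk (fix-flymake-xmlstarlet-invocation.diff) replaces one hard-coded executable name with another, so `flymake-xml-init` will now fail on any system where the binary is still installed as `xml`, and users cannot point it at a wrapper. Since the patch is marked "Status: Debian specific", a defcustom for the executable name, or a fallback such as `(or (executable-find "xmlstarlet") "xml")`, would keep the Debian behaviour without breaking other installations.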
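Review bot: in the python.el hunk (fix-python-module-handling-cve-2008-3949.diff), `sys.path.remove('')` raises ValueError if `''` is not present, which happens whenever the user's `python-command` or site configuration already alters the initial path; the traceback would then be printed into the *Python* buffer at every start-up. A tolerant form such as `"import sys; sys.path[:] = [p for p in sys.path if p != '']"` (or guarding with `if '' in sys.path:`) removes every empty entry and never fails. The hunk also only strips the interpreter-added `''`; an empty or `.` entry that arrives via the user's PYTHONPATH (which this `let*` re-exports with data-directory prepended) is still honoured, which may be worth a comment next to `; to import emacs.py`.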
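The following is an added illustration of the module-shadowing problem described in the python.el patch; it is not part of the original mail or of Emacs. It stands in for `run-python` by starting a fresh interpreter with a working directory an attacker can write to, plants a fake `emacs.py` there, and compares three invocations: the pre-fix one, the patch's `sys.path.remove('')`, and a tolerant filter that also survives an absent `''`. The directory names, the `ORIGIN` marker and the `run_import`/`demo` helpers are assumptions made for the demo; `PYTHONSAFEPATH` is removed from the environment only so that newer interpreters behave like the 2008 ones the patch targets.

```python
"""Demonstrate emacs.py shadowing via sys.path[0] == '' (constructed example)."""
import os
import subprocess
import sys
import tempfile

# Module body an attacker plants in the (world-writable) working directory.
PLANTED = 'ORIGIN = "planted"\n'
# Module body standing in for the real emacs.py shipped in Emacs's data-directory.
TRUSTED = 'ORIGIN = "trusted"\n'

# Prelude used by the Debian/upstream patch: fails with ValueError if '' is absent.
PATCH_PRELUDE = "import sys; sys.path.remove(''); "
# Tolerant alternative: drops every empty entry and never raises.
ROBUST_PRELUDE = "import sys; sys.path[:] = [p for p in sys.path if p != '']; "


def run_import(cwd, pythonpath, prelude=""):
    """Start a fresh interpreter in `cwd`, as run-python does, with PYTHONPATH
    pointing at the trusted copy, and report which `emacs` module was imported.
    `prelude` mirrors the `-c` argument the patch adds before `import emacs`."""
    env = dict(os.environ, PYTHONPATH=pythonpath)
    env.pop("PYTHONSAFEPATH", None)  # Python >= 3.11 could otherwise drop '' itself
    code = prelude + "import emacs; print(emacs.ORIGIN)"
    proc = subprocess.run([sys.executable, "-c", code], cwd=cwd, env=env,
                          capture_output=True, text=True)
    if proc.stdout.strip():
        return proc.stdout.strip()
    # On failure return the last traceback line so the caller sees the exception.
    return (proc.stderr.strip().splitlines() or ["<no output>"])[-1]


def demo():
    """Plant a fake emacs.py in the cwd and show which copy each invocation loads."""
    with tempfile.TemporaryDirectory() as root:
        data_dir = os.path.join(root, "data")     # stands in for data-directory
        cwd = os.path.join(root, "scratch")       # stands in for a world-writable cwd
        os.mkdir(data_dir)
        os.mkdir(cwd)
        with open(os.path.join(data_dir, "emacs.py"), "w") as f:
            f.write(TRUSTED)
        with open(os.path.join(cwd, "emacs.py"), "w") as f:
            f.write(PLANTED)
        return {
            # '' is sys.path[0], so the planted module wins over PYTHONPATH.
            "before_fix": run_import(cwd, data_dir),
            # The patch removes '' before `import emacs` runs.
            "after_fix": run_import(cwd, data_dir, PATCH_PRELUDE),
            # Same effect, but tolerant of an already-sanitised path.
            "robust": run_import(cwd, data_dir, ROBUST_PRELUDE),
        }


if __name__ == "__main__":
    for label, origin in demo().items():
        print(f"{label:>10}: {origin}")
```

Running it prints `planted` for the unpatched invocation and `trusted` for both patched ones, which is the whole point of the CVE fix: `sys` is a built-in module, so the prelude executes before anything in the working directory can be imported.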