[gentoo-announce] [ GLSA 200902-06 ] GNU Emacs, XEmacs: Multiple vulnerabilities - gentoo-announce

From:	Pierre-Yves Rofes <py@g.o>
To:	gentoo-announce@l.g.o
Cc:	full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200902-06 ] GNU Emacs, XEmacs: Multiple vulnerabilities
Date:	Mon, 23 Feb 2009 22:03:10
Message-Id:	`49A31CEF.4050708@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200902-06

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: GNU Emacs, XEmacs: Multiple vulnerabilities

9

      Date: February 23, 2009

10

      Bugs: #221197, #236498

11

        ID: 200902-06

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Two vulnerabilities were found in GNU Emacs, possibly leading to

19

user-assisted execution of arbitrary code. One also affects edit-utils

20

in XEmacs.

21

22

Background

23

==========

24

25

GNU Emacs and XEmacs are highly extensible and customizable text

26

editors. edit-utils are miscellaneous extensions to XEmacs.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package                /  Vulnerable  /                Unaffected

33

    -------------------------------------------------------------------

34

  1  app-editors/emacs          < 22.2-r3                   >= 22.2-r3

35

                                                          *>= 21.4-r17

36

                                                                  < 19

37

  2  app-xemacs/edit-utils       < 2.39                        >= 2.39

38

    -------------------------------------------------------------------

39

     2 affected packages on all of their supported architectures.

40

    -------------------------------------------------------------------

41

42

Description

43

===========

44

45

Morten Welinder reports about GNU Emacs and edit-utils in XEmacs: By

46

shipping a .flc accompanying a source file (.c for example) and setting

47

font-lock-support-mode to fast-lock-mode in the source file through

48

local variables, any Lisp code in the .flc file is executed without

49

warning (CVE-2008-2142).

50

51

Romain Francoise reported a security risk in a feature of GNU Emacs

52

related to interacting with Python. The vulnerability arises because

53

Python, by default, prepends the current directory to the module search

54

path, allowing for arbitrary code execution when launched from a

55

specially crafted directory (CVE-2008-3949).

56

57

Impact

58

======

59

60

Remote attackers could entice a user to open a specially crafted file

61

in GNU Emacs, possibly leading to the execution of arbitrary Emacs Lisp

62

code or arbitrary Python code with the privileges of the user running

63

GNU Emacs or XEmacs.

64

65

Workaround

66

==========

67

68

There is no known workaround at this time.

69

70

Resolution

71

==========

72

73

All GNU Emacs users should upgrade to the latest version:

74

75

    # emerge --sync

76

    # emerge --ask --oneshot --verbose ">=app-editors/emacs-22.2-r3"

77

78

All edit-utils users should upgrade to the latest version:

79

80

    # emerge --sync

81

    # emerge --ask --oneshot --verbose ">=app-xemacs/edit-utils-2.39"

82

83

References

84

==========

85

86

  [ 1 ] CVE-2008-2142

87

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2142

88

  [ 2 ] CVE-2008-3949

89

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3949

90

91

Availability

92

============

93

94

This GLSA and any updates to it are available for viewing at

95

the Gentoo Security Website:

96

97

  http://security.gentoo.org/glsa/glsa-200902-06.xml

98

99

Concerns?

100

=========

101

102

Security is a primary focus of Gentoo Linux and ensuring the

103

confidentiality and security of our users machines is of utmost

104

importance to us. Any security concerns should be addressed to

105

security@g.o or alternatively, you may file a bug at

106

http://bugs.gentoo.org.

107

108

License

109

=======

110

111

Copyright 2009 Gentoo Foundation, Inc; referenced text

112

belongs to its owner(s).

113

114

The contents of this document are licensed under the

115

Creative Commons - Attribution / Share Alike license.

116

117

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200902-06
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: GNU Emacs, XEmacs: Multiple vulnerabilities
9	Date: February 23, 2009
10	Bugs: #221197, #236498
11	ID: 200902-06
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Two vulnerabilities were found in GNU Emacs, possibly leading to
19	user-assisted execution of arbitrary code. One also affects edit-utils
20	in XEmacs.
21
22	Background
23	==========
24
25	GNU Emacs and XEmacs are highly extensible and customizable text
26	editors. edit-utils are miscellaneous extensions to XEmacs.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 app-editors/emacs < 22.2-r3 >= 22.2-r3
35	*>= 21.4-r17
36	< 19
37	2 app-xemacs/edit-utils < 2.39 >= 2.39
38	-------------------------------------------------------------------
39	2 affected packages on all of their supported architectures.
40	-------------------------------------------------------------------
41
42	Description
43	===========
44
45	Morten Welinder reports about GNU Emacs and edit-utils in XEmacs: By
46	shipping a .flc accompanying a source file (.c for example) and setting
47	font-lock-support-mode to fast-lock-mode in the source file through
48	local variables, any Lisp code in the .flc file is executed without
49	warning (CVE-2008-2142).
50
51	Romain Francoise reported a security risk in a feature of GNU Emacs
52	related to interacting with Python. The vulnerability arises because
53	Python, by default, prepends the current directory to the module search
54	path, allowing for arbitrary code execution when launched from a
55	specially crafted directory (CVE-2008-3949).
56
57	Impact
58	======
59
60	Remote attackers could entice a user to open a specially crafted file
61	in GNU Emacs, possibly leading to the execution of arbitrary Emacs Lisp
62	code or arbitrary Python code with the privileges of the user running
63	GNU Emacs or XEmacs.
64
65	Workaround
66	==========
67
68	There is no known workaround at this time.
69
70	Resolution
71	==========
72
73	All GNU Emacs users should upgrade to the latest version:
74
75	# emerge --sync
76	# emerge --ask --oneshot --verbose ">=app-editors/emacs-22.2-r3"
77
78	All edit-utils users should upgrade to the latest version:
79
80	# emerge --sync
81	# emerge --ask --oneshot --verbose ">=app-xemacs/edit-utils-2.39"
82
83	References
84	==========
85
86	[ 1 ] CVE-2008-2142
87	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2142
88	[ 2 ] CVE-2008-3949
89	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3949
90
91	Availability
92	============
93
94	This GLSA and any updates to it are available for viewing at
95	the Gentoo Security Website:
96
97	http://security.gentoo.org/glsa/glsa-200902-06.xml
98
99	Concerns?
100	=========
101
102	Security is a primary focus of Gentoo Linux and ensuring the
103	confidentiality and security of our users machines is of utmost
104	importance to us. Any security concerns should be addressed to
105	security@g.o or alternatively, you may file a bug at
106	http://bugs.gentoo.org.
107
108	License
109	=======
110
111	Copyright 2009 Gentoo Foundation, Inc; referenced text
112	belongs to its owner(s).
113
114	The contents of this document are licensed under the
115	Creative Commons - Attribution / Share Alike license.
116
117	http://creativecommons.org/licenses/by-sa/2.5