ISS X-Force Database: emacs-hacklocalvariables-security-bypass(38263): GNU Emacs hack-local-variables function security bypass

GNU Emacs hack-local-variables function security bypass

emacs-hacklocalvariables-security-bypass (38263)

Medium Risk

Description:

GNU Emacs could allow a remote attacker to bypass security restrictions, caused by an error in the hack-local-variables function. By persuading a victim to open a file with the "enable-local-variables" set to ":safe", a remote attacker could exploit this vulnerability to bypass security restrictions and execute arbitrary Emacs Lisp code on the vulnerable system.

Platforms Affected:

Apple, Mac OS X 10.5.2
Apple, Mac OS X Server 10.5.2
Application Security, AppDetective
Canonical, Ubuntu 7.10
Gentoo, Linux
GNU, emacs 20.0
GNU, emacs 20.1
GNU, emacs 20.2
GNU, emacs 20.3
GNU, emacs 20.4
GNU, emacs 20.5
GNU, emacs 20.6
GNU, emacs 21
GNU, emacs 21.2.1
GNU, emacs 21.3
GNU, emacs 21.3.1
GNU, emacs 21.4a
GNU, emacs 22.1
MandrakeSoft, Mandrake Linux 2007
MandrakeSoft, Mandrake Linux 2007 X86_64
MandrakeSoft, Mandrake Linux 2007.1
MandrakeSoft, Mandrake Linux 2007.1 X86_64
MandrakeSoft, Mandrake Linux 2008.0 X86_64
MandrakeSoft, Mandrake Linux 2008.0
MandrakeSoft, Mandrake Linux Corporate Server 3.0
MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 4.0
MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64

Remedy:

Apply patch available from the GNU Emacs CVS Repository. See References.

For Mac OS X:
Apply Security Update 2008-002, available from the Apple Web site. See References.

For other distributions:
Apply the appropriate upgrade for your system. See References.

Consequences:

Bypass Security

References:

Apple Web site, About Security Update 2008-002 at http://docs.info.apple.com/article.html?artnum=307562.
Debian Bug report logs - #449008, emacs22-common: enable-local-variables :safe mode acts like :all at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449008.
GNU Emacs CVS Repository, GNU Emacs at http://cvs.savannah.gnu.org/viewvc/emacs/emacs/lisp/files.el?r1=1.896.2.28&r2=1.896.2.29.
GNU Project Web site, GNU Emacs at http://www.gnu.org/software/emacs/emacs.html.
BID-26327: GNU Emacs Local Variable Handling Code Execution Vulnerability
CVE-2007-5795: The hack-local-variables function in Emacs before 22.2, when enable-local-variables is set to :safe, does not properly search lists of unsafe or risky variables, which might allow user-assisted attackers to bypass intended restrictions and modify critical program variables via a file containing a Local variables declaration.
GLSA-200712-03: GNU Emacs: Multiple vulnerabilities
MDVSA-2008:034: Updated emacs packages fix vulnerabilities
SA27508: GNU Emacs Local Variable Processing Vulnerability
SA29420: Mac OS X Security Update Fixes Multiple Vulnerabilities
USN-541-1: Emacs vulnerability
VUPEN/ADV-2007-3715: GNU Emacs Local Variable Processing Security Bypass Vulnerability
VUPEN/ADV-2008-0924: Apple Mac OS X Command Execution and Security Bypass Issues

Reported:

Nov 02, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page