GNU Emacs hack-local-variables function security bypass

emacs-hacklocalvariables-security-bypass (38263)

Medium Risk

Description:

GNU Emacs could allow a remote attacker to bypass security restrictions, caused by an error in the hack-local-variables function. By persuading a victim to open a file with the "enable-local-variables" set to ":safe", a remote attacker could exploit this vulnerability to bypass security restrictions and execute arbitrary Emacs Lisp code on the vulnerable system.

Platforms Affected:

• Apple, Mac OS X 10.5.2
• Apple, Mac OS X Server 10.5.2
• Application Security, AppDetective
• Canonical, Ubuntu 7.10
• Gentoo, Linux
• GNU, emacs 22.1
• Mandriva, Corporate Server 3.0
• Mandriva, Corporate Server 3.0 X86_64
• Mandriva, Corporate Server 4.0
• Mandriva, Corporate Server 4.0 X86_64
• Mandriva, Linux 2007 X86_64
• Mandriva, Linux 2007
• Mandriva, Linux 2007.1
• Mandriva, Linux 2007.1 X86_64
• Mandriva, Linux 2008.0 X86_64
• Mandriva, Linux 2008.0

Remedy:

Apply patch available from the GNU Emacs CVS Repository. See References.

For Mac OS X:
Apply Security Update 2008-002, available from the Apple Web site. See References.

For other distributions:
Apply the appropriate upgrade for your system. See References.

Consequences:

Bypass Security

References:

• Apple Web site, About Security Update 2008-002 at http://docs.info.apple.com/article.html?artnum=307562.
• Debian Bug report logs - #449008, emacs22-common: enable-local-variables :safe mode acts like :all at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449008.
• GNU Emacs CVS Repository, GNU Emacs at http://cvs.savannah.gnu.org/viewvc/emacs/emacs/lisp/files.el?r1=1.896.2.28&r2=1.896.2.29.
• GNU Project Web site, GNU Emacs at http://www.gnu.org/software/emacs/emacs.html.
• BID-26327: GNU Emacs Local Variable Handling Code Execution Vulnerability
• CVE-2007-5795: The hack-local-variables function in Emacs before 22.2, when enable-local-variables is set to :safe, does not properly search lists of unsafe or risky variables, which might allow user-assisted attackers to bypass intended restrictions and modify critical program variables via a file containing a Local variables declaration.
• FrSIRT/ADV-2007-3715: GNU Emacs Local Variable Processing Security Bypass Vulnerability
• FrSIRT/ADV-2008-0924: Apple Mac OS X Command Execution and Security Bypass Issues
• GLSA-200712-03: GNU Emacs: Multiple vulnerabilities
• MDVSA-2008:034: Updated emacs packages fix vulnerabilities
• SA27508: GNU Emacs Local Variable Processing Vulnerability
• SA29420: Mac OS X Security Update Fixes Multiple Vulnerabilities
• USN-541-1: Emacs vulnerability

Reported:

Nov 02, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page