[Bug 159525] Re: Security hole in handling of local variables
Uploaded packaging fix to Hardy.
** Changed in: emacs22 (Ubuntu)
Status: Fix Committed => Fix Released
--
Security hole in handling of local variables
https://bugs.launchpad.net/bugs/159525
You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 159525] Re: Security hole in handling of local variables
Thanks for the reproduction steps. The :safe setting is what I needed. I have uploaded this for gutsy. Thanks!
[Bug 159525] Re: Security hole in handling of local variables
Gutsy fix published as USN-541-1. Thanks again!
** Changed in: emacs22 (Ubuntu Gutsy)
Status: Fix Committed => Fix Released
[Bug 159525] Re: Security hole in handling of local variables
Using the Debian bug's PoC, I was not able to reproduce this problem in Gutsy. Is this actually vulnerable? Is there some local configuration I need to have set first?
[Bug 159525] Re: Security hole in handling of local variables
I tested it just now with -0ubuntu5 from gutsy. The exploit worked, so it is definitely vulnerable. I'll go into more exact details to replicate the exploit.
- Download the file. Save it to ~/hack.txt.
- Copy your ~/.emacs file, if you have one, to ~/testme. If you don't have one, just touch ~/testme.
- Do M-: (setq user-init-file "~/testme") RET. This way, changes that the exploit makes will go to ~/testme rather than your init file.
- Do M-: (setq enable-local-variables t). This is the default value. The exploit does not work with it, but adding this step will allow me to make a point later on.
- Open ~/hack.txt with Emacs. Change Local variaboles to Local variables. Save.
- Now from the hack.txt buffer, do M-x revert-buffer RET yes RET. Emacs will warn you that risky local variables exist. This is the correct behavior, which we will contrast to the incorrect behavior, later on. Choose n.
- Do M-: (setq enable-local-variables :safe) RET. This disables the prompt, and causes safe variables to be set automatically and unsafe variables to be ignored automatically. But it doesn't ignore unsafe variables!
- From the hack.txt buffer, do M-x revert-buffer RET yes RET. This time, it will not prompt you, and the exploit will run. Since the hack-local-variables-hook variable is not marked as safe, this ought to have ignored the variable instead, and *not* set it, which would have made the exploit ineffective.
- The exploit removes the mention of itself from hack.txt (a very cute choice -- it causes the screen to flash quickly enough that the user might not notice the existence of something sinister in that buffer), and adds a line to the end of ~/testme.
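Added example, not part of the original message or of the Emacs sources: a Python model of the policy the steps above expect from `:safe`, useful for triaging files before opening them. It parses a trailing Local Variables list and keeps only allowlisted entries; `SAFE_ALLOWLIST`, the risky-suffix pattern and the sample file are assumptions constructed for illustration.

```python
import re

TAIL_CHARS = 3000  # Emacs only looks for the list near the end of the file
# Assumed heuristic: suffixes typical of variables that hold code to run.
RISKY_SUFFIX = re.compile(r"-(hooks?|functions?|forms?|commands?|predicates?|program)$")
# Assumed allowlist for illustration; Emacs keeps its own per-variable safety data.
SAFE_ALLOWLIST = {"fill-column", "tab-width", "indent-tabs-mode"}

# Constructed sample file; the values are inert placeholders.
SAMPLE = """Some notes.

Local Variables:
fill-column: 72
hack-local-variables-hook: (placeholder-form)
eval: (placeholder-form)
End:
"""

def parse_local_variables(text):
    """Return (name, value) pairs from the trailing Local Variables list."""
    lines = text[-TAIL_CHARS:].splitlines()
    for i, line in enumerate(lines):
        m = re.search(r"Local Variables:", line, re.IGNORECASE)
        if m:
            prefix = line[:m.start()]  # e.g. a comment leader such as "# "
            break
    else:
        return []  # no list header, so nothing is processed
    entries = []
    for line in lines[i + 1:]:
        if not line.startswith(prefix):
            break
        body = line[len(prefix):].strip()
        name, sep, value = body.partition(":")
        if body.lower() == "end:" or not sep:
            break
        entries.append((name.strip(), value.strip()))
    return entries

def classify(name):
    if name == "eval" or RISKY_SUFFIX.search(name):
        return "risky"
    return "safe" if name in SAFE_ALLOWLIST else "unknown"

def apply_safe_only(entries):
    """Model of the intended :safe policy: set safe entries, ignore the rest."""
    applied = [(n, v) for n, v in entries if classify(n) == "safe"]
    ignored = [(n, classify(n)) for n, _ in entries if classify(n) != "safe"]
    return applied, ignored

if __name__ == "__main__":
    print(apply_safe_only(parse_local_variables(SAMPLE)))
```

A file whose header is misspelled, like the "Local variaboles" line mentioned in the steps, yields no entries at all, which is why the downloaded file stays inert until the header is corrected.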
[Bug 159525] Re: Security hole in handling of local variables
** Changed in: emacs22 (Debian)
Status: Confirmed => Fix Released
[Bug 159525] Re: Security hole in handling of local variables
** Visibility changed to: Public
[Bug 159525] Re: Security hole in handling of local variables
And here's one for hardy.
** Attachment added: security-6.debdiff
http://launchpadlibrarian.net/10262241/security-6.debdiff
[Bug 159525] Re: Security hole in handling of local variables
Here's a debdiff for gutsy-security.
** Attachment added: security-5.1.debdiff
http://launchpadlibrarian.net/10262225/security-5.1.debdiff
[Bug 159525] Re: Security hole in handling of local variables
Here's the debdiff for feisty-backports.
** Attachment added: security-42.debdiff
http://launchpadlibrarian.net/10262291/security-42.debdiff
[Bug 159525] Re: Security hole in handling of local variables
** Changed in: emacs22 (Ubuntu Gutsy)
Status: New => In Progress
** Changed in: emacs22 (Ubuntu)
Status: Confirmed => In Progress
** Changed in: emacs22 (Ubuntu)
Status: In Progress => Fix Committed
[Bug 159525] Re: Security hole in handling of local variables
Improved gutsy-security debdiff that includes CVE #.
** Attachment removed: security-5.1.debdiff
http://launchpadlibrarian.net/10262225/security-5.1.debdiff
** Attachment added: security-5.1.debdiff
http://launchpadlibrarian.net/10262441/security-5.1.debdiff
[Bug 159525] Re: Security hole in handling of local variables
Thanks for getting this ready! I'm getting it uploaded to the security queue now.
** Changed in: emacs22 (Ubuntu Gutsy)
Assignee: (unassigned) => Kees Cook (keescook)
Status: In Progress => Fix Committed
[Bug 159525] Re: Security hole in handling of local variables
I'm sorry; I completely loused up the debian/rules file after all -- it isn't applying the patches (and hence, the fix isn't being applied either). I will be supplying new debdiffs shortly.
[Bug 159525] Re: Security hole in handling of local variables
** Changed in: emacs22 (Ubuntu Gutsy)
Status: Fix Committed => In Progress
** Changed in: emacs22 (Ubuntu)
Status: Fix Committed => In Progress
Re: [Bug 159525] Re: Security hole in handling of local variables
No worries; I had to extract your patch -- I can't publish the kinds of major packaging changes you have in your debdiff. :) We need to follow the Security Update Process[1] for these kinds of things.
[1] https://wiki.ubuntu.com/SecurityUpdateProcedures
[Bug 159525] Re: Security hole in handling of local variables
I've bookmarked that page in case another security issue comes up in the future. Good to know that the erroneous package didn't hit gutsy-security. Here's the corrected debdiff for hardy, based on -0ubuntu6.
** Attachment added: hardy
http://launchpadlibrarian.net/10264692/security-7.debdiff
[Bug 159525] Re: Security hole in handling of local variables
Resetting the gutsy part back to Fix Committed.
** Changed in: emacs22 (Ubuntu Gutsy)
Status: In Progress => Fix Committed
[Bug 159525] Re: Security hole in handling of local variables
** Attachment removed: security-6.debdiff
http://launchpadlibrarian.net/10262241/security-6.debdiff
** Attachment removed: security-5.1.debdiff
http://launchpadlibrarian.net/10262441/security-5.1.debdiff
[Bug 159525] Re: Security hole in handling of local variables
Here's the updated feisty-backports debdiff.
** Attachment removed: security-42.debdiff
http://launchpadlibrarian.net/10262291/security-42.debdiff
** Attachment added: feisty-backports
http://launchpadlibrarian.net/10264940/security-42.debdiff
[Bug 159525] Re: Security hole in handling of local variables
The updated fix is now available for both hardy and feisty-backports, so setting the generic part of this bug back to Fix Committed.
** Changed in: emacs22 (Ubuntu)
Status: In Progress => Fix Committed