SecurityTracker.com
Category:   Application (Generic)  >   Emacs
Vendors:   GNU [multiple authors]
GNU Emacs Automatically Executes Code in Fast Lock (.flc) Files
SecurityTracker Alert ID:  1020019
SecurityTracker URL:  http://securitytracker.com/id/1020019
CVE Reference:   CVE-2008-2142
Date:  May 14 2008
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 21.3.1
Description:   A vulnerability was reported in GNU Emacs. A user can cause arbitrary code to be executed on the target user's system.

A user can create a specially crafted fast lock (.flc) file. When a file of the same name (less the '.flc' extension) in the same directory is edited by the target user, the code in the fast lock file will be executed. The code will run with the privileges of the target user.

Morten Welinder reported this vulnerability.

Impact:   A user can create a file that, when edited by the target user, will execute arbitrary code on the target user's system in certain cases.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.gnu.org/software/emacs/emacs.html
Cause:   State error
Underlying OS:   Linux (Any)

Message History:   None.


 Source Message Contents

Date:  Sat, 10 May 2008 00:44:44 +0300
Subject:  [mwelinder@bogus.example.com: Emacs security bug]

------- Start of forwarded message -------
Date: Fri, 9 May 2008 12:45:25 -0400
From: "Morten Welinder" <address@hidden>
To: address@hidden
Subject: Emacs security bug

Hi there,

it's been a while or two -- DJGPP was hot, new technology when we last
spoke, :-)

It's unclear to me where to send Emacs security concerns, so I am sending
this one to you.  Please forward appropriately.

1. Create .emacs with contents
    (global-font-lock-mode t)
    (setq font-lock-support-mode 'fast-lock-mode)

2. Create foo.c with contents /* Nothing to see here */

3. Create foo.c.flc with contents (message "Something to see here!")

4. Start Emacs and load foo.c

--> Observe that code from foo.c.flc is run.  Not good.
(This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to
be adjusted.)

Suggestions:

a. Remove "." from fast-lock-cache-directories.  Littering little files
    everywhere is not a good idea anyway.

b. Don't use load to handle the .flc file.  Instead read it into a buffer and
    read one s-expression at a time and verify that it is sane before
    evaluating it.

c. Don't use files owned by anyone else.  This cannot stand alone, though, as
    it has a race condition.

Morten Welinder
------- End of forwarded message -------
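
An audit for the condition described in this alert, added here as an example (it is not code from the advisory, the reporter, or Emacs): it lists every NAME.flc that sits next to a file called NAME and flags caches not owned by the current user. The function names and the trusted_uid parameter are hypothetical; as suggestion (c) in the message notes, an ownership check is racy, so treat the result as a review aid rather than a gate.

```python
import os
import stat
import sys
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    cache: str      # path of the .flc file
    source: str     # sibling file whose editing would cause the cache to be loaded
    owner_uid: int  # owner of the cache file itself
    foreign: bool   # True when the owner is not the trusted uid
    symlink: bool   # True when the cache is a symbolic link


def audit(root: str, trusted_uid: Optional[int] = None) -> List[Finding]:
    """Return every NAME.flc under root that has a sibling NAME, foreign-owned first."""
    if trusted_uid is None:
        trusted_uid = os.geteuid()  # assumption: caches the user wrote carry this uid
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        for name in names:
            base, ext = os.path.splitext(name)
            # Only a cache with a same-named sibling matches the trigger condition.
            if ext != ".flc" or base not in names:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat reports on a symlink itself, not its target
            findings.append(Finding(
                cache=path,
                source=os.path.join(dirpath, base),
                owner_uid=st.st_uid,
                foreign=st.st_uid != trusted_uid,
                symlink=stat.S_ISLNK(st.st_mode),
            ))
    # Foreign-owned caches sort first so they are reviewed first.
    return sorted(findings, key=lambda f: (not f.foreign, f.cache))


if __name__ == "__main__":
    for f in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        tag = "FOREIGN-OWNER" if f.foreign else "own"
        link = " symlink" if f.symlink else ""
        print(f"{tag:14} uid={f.owner_uid}{link} {f.cache} (beside {f.source})")
```

Run it against shared or untrusted directories (unpacked archives, group-writable project trees) before opening files there with fast-lock-mode enabled.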




 
 



Copyright 2014, SecurityGlobal.net LLC