Bug 6995

Summary: emacs missing update for security issue CVE-2012-0035, plus new security issue CVE-2012-3479
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: ed_rus099, remco, sysadmin-bugs, thierry.vignaud, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/477015/
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK
Source RPM: emacs-23.3-8.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-08-10 01:03:38 CEST 
Fedora has issued an advisory on January 14:
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072288.html

It was fixed upstream in 23.4, so Cauldron should not be vulnerable.

Mageia 1 should be vulnerable, but re-diffing the patch for 23.2 is non-trivial.

I have checked the patch for emacs 23.3 in to Mageia 2 SVN.
David Walser 2012-08-10 01:03:47 CEST

Whiteboard: (none) => MGA1TOO

Remco Rijnders 2012-08-11 04:42:34 CEST

CC: (none) => remco

Comment 1 David Walser 2012-08-16 21:28:43 CEST 
Slackware has issued an advisory on August 15:
http://lwn.net/Alerts/511810/

Apparently they have a patch for 23.3.

from http://lwn.net/Vulnerabilities/511823/

RedHat has links to patches from upstream for 23.4 and 24.1:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3479

Summary: emacs missing update for security issue CVE-2012-0035 => emacs missing update for security issue CVE-2012-0035, plus new security issue CVE-2012-3479

Comment 2 David Walser 2012-09-06 22:31:41 CEST 
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated emacs packages fix security vulnerabilities:

Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used
in GNU Emacs before 23.4 and other products, allows local users to gain
privileges via a crafted Lisp expression in a Project.ede file in the
directory, or a parent directory, of an opened file (CVE-2012-0035).

lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically executes
eval forms in local-variable sections when the enable-local-variables
option is set to :safe, which allows user-assisted remote attackers to
execute arbitrary Emacs Lisp code via a crafted file (CVE-2012-3479).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3479
http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072288.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085474.html
========================

Updated packages in core/updates_testing:
========================
emacs-23.2-3.1.mga1
emacs-el-23.2-3.1.mga1
emacs-doc-23.2-3.1.mga1
emacs-leim-23.2-3.1.mga1
emacs-nox-23.2-3.1.mga1
emacs-common-23.2-3.1.mga1
emacs-23.3-8.1.mga2
emacs-el-23.3-8.1.mga2
emacs-doc-23.3-8.1.mga2
emacs-leim-23.3-8.1.mga2
emacs-nox-23.3-8.1.mga2
emacs-common-23.3-8.1.mga2

from SRPMS:
emacs-23.2-3.1.mga1.src.rpm
emacs-23.3-8.1.mga2.src.rpm

CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs

Comment 3 Eduard Beliaev 2012-09-07 05:08:44 CEST 
Works ok on Mageia 2 x86_64 playing with some C stuff..

CC: (none) => ed_rus099
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK

Comment 4 Eduard Beliaev 2012-09-09 00:01:49 CEST 
No problems with Mageia 2 i568/x86.

Could sysadmin please push from core/updates_testing to core/updates.

See comment 2 for srpm and advisory.

Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO MGA2-64-OK MGA2-32-OK

Comment 5 Thomas Backlund 2012-09-09 13:30:19 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0261

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED