Bug 21695 - emacs new security issue fixed upstream (CVE-2017-14482)
Summary: emacs new security issue fixed upstream (CVE-2017-14482)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-09-12 13:26 CEST by David Walser
Modified: 2017-12-31 01:11 CET
CC: 6 users

See Also:
Source RPM: emacs-25.1-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2017-09-12 13:26:12 CEST
A security issue fixed upstream in Emacs has been announced:
http://openwall.com/lists/oss-security/2017/09/11/1

The upstream patch to fix the issue is linked in the message above.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-09-12 13:26:23 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-09-13 11:50:36 CEST
Assigning to the registered maintainer.

CC'ing all packagers collectively, in case tv needs his scarce free time for more important things.

Assignee: bugsquad => thierry.vignaud
CC: (none) => marja11, pkg-bugs

Comment 2 David Walser 2017-09-14 13:14:56 CEST
Debian has issued an advisory for this on September 12:
https://www.debian.org/security/2017/dsa-3970
Comment 3 David Walser 2017-09-14 13:21:00 CEST
Fedora has issued an advisory for this on September 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J6MFCEUDBQENGJJPSDRXLCRTOHLTTOJB/

Severity: normal => critical

Comment 4 David Walser 2017-09-15 19:41:15 CEST
CVE-2017-14482 has been assigned for this issue:
http://openwall.com/lists/oss-security/2017/09/14/19

Summary: emacs new security issue fixed upstream => emacs new security issue fixed upstream (CVE-2017-14482)

Comment 5 David Walser 2017-09-19 22:14:41 CEST
Red Hat has issued an advisory for this today (September 19):
https://access.redhat.com/errata/RHSA-2017:2771
Comment 6 David Walser 2017-12-28 22:24:22 CET
The fix was included in 25.3 upstream, which zezinho updated to on October 14.

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 7 David Walser 2017-12-28 23:31:53 CET
Advisory:
========================

Updated emacs packages fix security vulnerability:

Charles A. Roelli discovered that Emacs is vulnerable to arbitrary code
execution when rendering text/enriched MIME data (e.g. when using Emacs-based
mail clients) (CVE-2017-14482).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14482
https://www.debian.org/security/2017/dsa-3970
========================

Updated packages in core/updates_testing:
========================
emacs-24.3-10.1.mga5
emacs-el-24.3-10.1.mga5
emacs-doc-24.3-10.1.mga5
emacs-leim-24.3-10.1.mga5
emacs-nox-24.3-10.1.mga5
emacs-common-24.3-10.1.mga5
emacs-24.5-8.1.mga6
emacs-el-24.5-8.1.mga6
emacs-doc-24.5-8.1.mga6
emacs-leim-24.5-8.1.mga6
emacs-nox-24.5-8.1.mga6
emacs-common-24.5-8.1.mga6

from SRPMS:
emacs-24.3-10.1.mga5.src.rpm
emacs-24.5-8.1.mga6.src.rpm

Assignee: thierry.vignaud => qa-bugs

Comment 8 Len Lawrence 2017-12-29 10:44:27 CET
Mageia 6 :: x86_64

Using this fifty times a day.
Installed the packages as listed and edited some dummy files.
emacs is an application development environment in itself, but I use it for editing only, and for that function this version works fine.

Invoked here with user's .emacs resource file which defines actions on certain keyboard keys like yank, repetitive search, split window, write selected text to external file, and import an external file.  These all work still.  emacs continues to recognize different file types such as ruby and python and uses colour highlights as appropriate in code.

Good for 64-bits on mga6.

CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 9 Len Lawrence 2017-12-29 13:58:01 CET
Mageia 5 :: x86_64

Updated the six packages and edited different sorts of files as before.  No regressions that I could see.

Good for mga5 on 64 bits.
Shall test the 32-bit versions in virtualbox later.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 10 Lewis Smith 2017-12-29 17:10:32 CET
(In reply to Len Lawrence from comment #8)
> Using this fifty times a day.
I should have guessed!

(In reply to Len Lawrence from comment #9)
> Shall test the 32-bit versions in virtualbox later.
If you want to, but if you have not done so by tomorrow (Sat) morning, I will validate it with both releases x64 OK; thanks to you. So if you do a 32-bit test before then, please *do* validate the update after your OK.
Just done the advisory.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 11 Thomas Andrews 2017-12-29 17:32:36 CET
I had to install this and try it before I could check the update. I usually use kwrite for this sort of thing, so I don't know how to use all the "features."

Installed in Mga5-32 on real hardware: Intel Core2Duo, Intel graphics.

Edited an old, no longer relevant text file, and saved it. It saved it, plus a copy of the old file for backup.

Looks good here. Adding the Mga5-32 OK. Not validating, as I've done nothing with the Mga6 version.

CC: (none) => andrewsfarm
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK

Lewis Smith 2017-12-30 11:29:27 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2017-12-31 01:11:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0476.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

