On 10/04/2012 02:47 PM, Mike Kupfer wrote:
> Stephen J. Turnbull wrote:
>
> > The thing is that there are scads of ways that random evil can invade
> > your Emacs. ftp://random.evil.com/lisp-pkg.tar.el, .emacs.desktop,
> > ~user/.emacs, C-c C-c in many modes, and I'm sure there are others.
>
> Yes, but are those comparable to the EDE vulnerability? The
> announcement said
>
>     Hiroshi Oota discovered that Emacs incorrectly handled search
>     paths. If a user were tricked into opening a file with Emacs, a
>     local attacker could execute arbitrary Lisp code with the privileges
>     of the user invoking the program. (CVE-2012-0035)
>
> I'd hope that just visiting a random evil file would be safe, assuming a
> default configuration for things like local variables. (I'm assuming
> this is an accurate description of the attack vector. I haven't studied
> the patch or EDE enough to say for sure. And my apologies for not
> quoting the above paragraph earlier.)

Hi,

Let me shed a little light on the problem.

The issue is that if a user enables ede-mode, it will attempt to
automatically identify a project whenever you visit a file. The
purpose, of course, is that EDE then knows how to build the file,
or provide other support. One particular type of project saves files in
a lisp file called Project.ede. The unpatched version of EDE will then
load whatever file is called Project.ede in order to create the project
file stored within. It checks to make sure it is a project, but by
then, it has run the code.

The patched version of EDE asks first before loading, but also has a
safe load that "reads" the file first, and then checks the contents.

Hope that helps.

Eric
_______________________________________________
XEmacs-Beta mailing list
XEmacs-Beta(a)xemacs.org
http://lists.xemacs.org/mailman/listinfo/xemacs-beta
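
The difference described in the message above between loading Project.ede and reading it first, sketched in Emacs Lisp. This is an added example, not EDE's code or its patch: every `demo-` name, the allowed head symbol and the two sample files are constructed for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; `load' evaluates every top-level form in a file. `read' only parses text
;; into a Lisp object, so the object can be checked before anything runs.

(defconst demo-allowed-heads '(demo-project)
  "Head symbols accepted for a project form (assumed for this demo).")

(defvar demo-side-effect nil
  "Set to t only if a sample file's code is ever evaluated.")

(defun demo-read-first-form (file)
  "Parse the first Lisp form in FILE and return it as data, unevaluated."
  (with-temp-buffer
    (insert-file-contents-literally file)  ; no format decoding or hooks
    (goto-char (point-min))
    (let ((read-circle nil))               ; refuse #N= circular syntax
      (read (current-buffer)))))

(defun demo-inert-p (v)
  "Non-nil if V holds only strings, numbers, keywords, nil, t, or conses of those."
  (if (consp v)
      (and (demo-inert-p (car v)) (demo-inert-p (cdr v)))
    (or (null v) (eq v t) (stringp v) (numberp v) (keywordp v))))

(defun demo-safe-load-project (file)
  "Return FILE's form if it is (ALLOWED-HEAD \"name\" . INERT-ARGS), else nil."
  (let ((form (condition-case nil
                  (demo-read-first-form file)
                (error nil))))             ; unreadable file: reject
    (and (consp form)
         (memq (car form) demo-allowed-heads)
         (stringp (car-safe (cdr form)))
         (demo-inert-p (cdr form))
         form)))

(defun demo-run ()
  "Check two constructed files; return (GOOD-FORM BAD-FORM SIDE-EFFECT)."
  (let ((good (make-temp-file "Project" nil ".ede"))
        (bad  (make-temp-file "Project" nil ".ede")))
    (unwind-protect
        (progn
          (with-temp-file good
            (insert "(demo-project \"hello\" :targets (\"a.c\" \"b.c\"))\n"))
          (with-temp-file bad              ; executable form, not a project
            (insert "(progn (setq demo-side-effect t) (demo-project \"x\"))\n"))
          (list (demo-safe-load-project good)
                (demo-safe-load-project bad)
                demo-side-effect))
      (delete-file good)
      (delete-file bad))))
```

Calling `load` on the second sample file instead would evaluate its `setq` before any "is this a project?" check could run, which is the behaviour described for the unpatched version.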