Bug 462694 (CVE-2008-3949)

Summary: CVE-2008-3949 emacs: Python interactive shell arbitrary code execution
Product: [Other] Security Response
Component: vulnerability
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: coughlan, james.antill, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-04-19 22:01:04 UTC

Description Jan Lieskovsky 2008-09-18 12:19:15 UTC
Chong Yidong has reported the following security vulnerability present
in Emacs Python mode (the Emacs mode that allows launching an interactive
Python shell):

Emacs allows the user to launch an interactive Python process.  When
this process is started, Emacs automatically sends it the line

import emacs

which imports a script named emacs.py which is distributed with Emacs.
This script is typically located in a write-protected installation
directory, together with other Emacs program files; it provides various
functions to help the Python process communicate with Emacs.  Upon
running, emacs.py imports other Python modules which are not built-in:

import os, sys, traceback, inspect, __main__


The vulnerability arises because Python, by default, prepends '' to the
module search path, so modules are looked for in the current directory.
If the user opens a Python file in a world-writable directory, an
attacker could insert malicious code by adding fake modules to that
directory, such as a fake emacs.py or inspect.py.

Affected versions: emacs-22.*. +

Proposed patch: 

http://cvs.savannah.gnu.org/viewvc/emacs/lisp/progmodes/python.el?root=emacs&r1=1.89&r2=1.90
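
A defender's check for the condition described in the report above, added here as an example and not part of the bug report or of the Emacs patch: it lists files in a directory that share a name with the modules the report names, and reports whether the directory is world-writable and whether the search path has entries that resolve against the current directory. The function names and the `REPORTED_IMPORTS` list are assumptions made for this example.

```python
import importlib.machinery
import os
import stat
import sys

# Names taken from the report: the helper module and what it imports.
REPORTED_IMPORTS = ("emacs", "os", "sys", "traceback", "inspect", "__main__")


def relative_entries(path=None):
    """Search-path entries ('' included) that resolve against the current directory."""
    return [e for e in (sys.path if path is None else path) if not os.path.isabs(e)]


def world_writable(directory):
    """True if any local user may create files in `directory`."""
    return bool(os.stat(directory).st_mode & stat.S_IWOTH)


def shadowing_candidates(directory, names=REPORTED_IMPORTS):
    """Sorted paths in `directory` that the import system could resolve as
    one of `names` if `directory` came first on the search path."""
    suffixes = importlib.machinery.all_suffixes()  # .py, .pyc, extension modules
    hits = []
    for entry in os.listdir(directory):
        full = os.path.join(directory, entry)
        if os.path.isdir(full):
            # A package directory shadows a module of the same name.
            if entry in names and os.path.isfile(os.path.join(full, "__init__.py")):
                hits.append(full)
        elif any(entry.endswith(s) and entry[:-len(s)] in names for s in suffixes):
            hits.append(full)
    return sorted(hits)


def audit(directory, path=None):
    """Summarise the exposure of a Python process started in `directory`."""
    return {
        "relative_path_entries": relative_entries(path),
        "world_writable": world_writable(directory),
        "shadowing": shadowing_candidates(directory),
    }


if __name__ == "__main__":
    # Built-in names such as sys are never loaded from disk; a file with
    # that name is still reported so it can be reviewed.
    print(audit(sys.argv[1] if len(sys.argv) > 1 else os.getcwd()))
```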

Comment 1 Jan Lieskovsky 2008-09-18 12:21:19 UTC
This issue does NOT affect the versions of the emacs package, as shipped
with Red Hat Enterprise Linux 2.1, 3, 4 and 5.

This issue AFFECTS the versions of the emacs packages, as shipped within
Fedora releases of 8, 9 and 10.

Comment 2 Tomas Hoger 2008-09-30 09:13:42 UTC
Issue was addressed upstream in version 22.3:
http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html

Comment 3 Vincent Danen 2010-04-19 22:01:04 UTC
Fedora 11 and higher contain Emacs 23.1, so this issue has been corrected.