Bug 152898 - CAN-2005-0100 Emacs string format issue
CAN-2005-0100 Emacs string format issue
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: emacs (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
https://rhn.redhat.com/errata/RHSA-20...
1, LEGACY, rh73, rh90
: Security
: 164471 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-10 13:58 EST by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-12 20:51:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Possibly better emacs.spec file (30.48 KB, text/plain)
2006-03-14 16:55 EST, David Eisenstein
no flags Details
Log-file of build on FC1 system of emacs-21.3-8.legacy.src.rpm (44.83 KB, text/plain)
2006-03-15 07:07 EST, David Eisenstein
no flags Details
emacs.spec file for emacs-21.3-9.1.legacy; works (31.05 KB, text/plain)
2006-03-15 07:23 EST, David Eisenstein
no flags Details
Corrected emacs.spec for FC1 (31.31 KB, text/plain; content-encoding: utf-8)
2006-03-16 00:40 EST, David Eisenstein
no flags Details
Logfile from build of emacs-21.3-9.2.legacy on my FC1 machine. (61.83 KB, application/x-gzip)
2006-03-16 01:07 EST, David Eisenstein
no flags Details

  None (edit)
Description David Lawrence 2005-03-30 18:31:23 EST
Max Vozeler discovered several format string vulnerabilities in the
movemail utility of Emacs. If a user connects to a malicious POP server, an
attacker can execute arbitrary code as the user running emacs. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-0100 to this issue.

Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0100
https://rhn.redhat.com/errata/RHSA-2005-112.html



------- Additional Comments From bishop@platypus.bc.ca 2005-02-28 23:30:05 ----

Marc, Jesse,

I see the patch.  It rolls cleanly on my RH9 chroot.  I can test the roll for
RH73 on a chroot too, if you want.  I cannot test the exploit, however.

It looks like the same patch went into this past month's release - character for
character - of emacs for RHEL2.1, 3 and just 4.  It's a one-line fix.

 - bish



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2422 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2422
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Bejarano 2005-07-27 23:55:02 EDT
*** Bug 164471 has been marked as a duplicate of this bug. ***
Comment 3 Jesse Keating 2006-03-13 01:55:46 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fixing emacs bug.

http://geek.j2solutions.net/rpms/legacy/

Used patches from RHEL4, FC2

http://geek.j2solutions.net/rpms/legacy/emacs/fc1/emacs-21.3-8.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/emacs/7.3/emacs-21.2-3.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/emacs/9/emacs-21.2-34.legacy.src.rpm


ebcf4de9912221b01ead941fb0f522f4e2972b42  emacs/7.3/emacs-21.2-3.legacy.src.rpm
f20a97003cd04827fa0283bf404ad664c4ee0552  emacs/9/emacs-21.2-34.legacy.src.rpm
beaed519dad5eab0cba7f0b2ce20fe122a60f8c6  emacs/fc1/emacs-21.3-8.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEFRa14v2HLvE71NURAmn4AKCnNxQQQHm35IADe/gfuuHBhsM+GwCeNY5R
MC86z9Vqzrfwmh+RxfvKKLc=
=VPQA
-----END PGP SIGNATURE-----
Comment 4 Pekka Savola 2006-03-13 11:02:55 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal, though maybe setarch stuff in fc1 didn't need
to change
 - patches verified to be based on RHEL3

+PUBLISH RHL73, RHL9, FC1

f20a97003cd04827fa0283bf404ad664c4ee0552  emacs-21.2-34.legacy.src.rpm
ebcf4de9912221b01ead941fb0f522f4e2972b42  emacs-21.2-3.legacy.src.rpm
beaed519dad5eab0cba7f0b2ce20fe122a60f8c6  emacs-21.3-8.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEFZjvGHbTkzxSL7QRAo56AJ9T5hXmnwOGtYLUsF4Apya0m59RygCgxWwf
8GrYUAXGvTjuTAdQtEGbugk=
=oYzs
-----END PGP SIGNATURE-----
Comment 5 Jesse Keating 2006-03-13 11:07:04 EST
I had to change the setarch stuff, or else it wouldn't build in the build
system.  Lets just say that FC1's setarch is a little broken when being called
from the same arch.  *sigh*

I'll work up some packages for publish QA
Comment 6 David Eisenstein 2006-03-14 16:55:31 EST
Created attachment 126123 [details]
Possibly better emacs.spec file

I wonder if just taking out the setarch stuff will break building emacs 
for FC1 when building for the X86_64 architecture?  Or when building it
on a true Fedora Core 1 system?

Therefore, I suggest we use the attached spec-file, which re-instates
the setarch stuff, but uses it only if setarch isn't broken in a given
invocation of rpmbuild.

The reason we want to do this is that we don't want to break the build
process for our end-users, in case they will want to rebuild emacs for
their own FC1 systems on an actual FC1 system.	We cannot expect our end-
users to be using mock under FC4.  This change is less invasive in that 
it makes it more likely end-users will be able to build it, based upon
the workaround needed for Bug #101818.
Comment 7 Jesse Keating 2006-03-14 16:58:32 EST
I had tried the patch you sent to builders, but that failed to build.  We won't
be building it for x86_64, and if we were, setarch i386 on make doesn't seem
like it would make a x86_64 package, so that seems broken period.  For our end
users, they can always do 'setarch i386 rpmbuild ' and the whole process will be
of the right arch.
Comment 8 David Eisenstein 2006-03-14 17:45:08 EST
Ah, I had an error in that patch.  Sorry.

1)  I thought we would be building *everything* for x86_64, including FC1.

2)  If setarch i386 in selected places in rpmbuild wouldn't build x86_64, 
    then where did 
<http://download.fedora.redhat.com/pub/fedora/linux/core/1/x86_64/os/Fedora/RPMS/emacs-21.3-7.x86_64.rpm>
    come from?

3)  Yes, we can let users do 'setarch i386 rpmbuild' -- but will that really 
    have the same effect that individual setarch statements inside the rpmbuild
    process have?

This probably isn't a big deal, but I guess I would feel remiss if I didn't
bring up my concerns.
Comment 9 Jesse Keating 2006-03-14 17:49:26 EST
So the FC1 x86_64 was a port that was done after FC1 released.  A lot of the
srpms changed between the 32bit and the 64bit build.  It is entirely possible
that the srpm that was used for emacs on x86_64 has something different going on.

As far as x86_64 for everything, we've made the decision (based on user input on
list) to just go forward w/ FC3 for x86_64 stuff.
Comment 10 David Eisenstein 2006-03-15 07:07:11 EST
Created attachment 126148 [details]
Log-file of build on FC1 system of emacs-21.3-8.legacy.src.rpm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

beaed519dad5eab0cba7f0b2ce20fe122a60f8c6  emacs-21.3-8.legacy.src.rpm

Attached is a log-file of a failed build of emacs-21.3-8.legacy.src.rpm
on my FC1 system, an AMD K6-2/500 (i586 compatible).  It fails in the same
way as the build did for the reporter in Bug 101818 (see attachment #93479 [details]
from that bug report) at exactly the same point.  The setarch workaround is
not present in the emacs.spec file in this source package.

  PUBLISH--  FC1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFEGARVxou1V/j9XZwRAjgxAJ4uDTTbbUCe90LFx7dvy4ecdYpfrACeLvzN
gWsNNSJhgLqcsVtUzUyFFJQ=
=fErS
-----END PGP SIGNATURE-----
Comment 11 Jesse Keating 2006-03-15 07:11:02 EST
and what if you do 'setarch i386 rpmbuild' ?
Comment 12 David Eisenstein 2006-03-15 07:23:06 EST
Created attachment 126152 [details]
emacs.spec file for emacs-21.3-9.1.legacy; works

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Attached is a proposed emacs.spec file for emacs-21.3-9.1.legacy.  It super-
sedes the emacs.spec I submitted in comment 6, as that one was incorrect.
It includes conditional applications of the 'setarch' command to various
'make' commands both in the %build and in the %install sections of this
spec-file.

I have used this spec-file in combination with all the other source and
patches in Jesse's emacs-21.3-8.legacy.src.rpm to compile emacs successfully
both on my FC1 box (the AMD K6-2/500) and on petra.

4e2c4838c31a6b0de75ac4b29e9c77b5413baf69  emacs.spec

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFEGAgnxou1V/j9XZwRAhIKAJ9USyapta7KlJ7W70cbDxoP4LOBaQCg7ybh
VYOGuxUeItlNd4wFhapTTuA=
=vF/q
-----END PGP SIGNATURE-----
Comment 13 David Eisenstein 2006-03-15 07:55:34 EST
(In reply to comment #11)
> and what if you do 'setarch i386 rpmbuild' ?

I did not try that.  I imagine it would work.

To me, to require end-users to know that they have to type 
'setarch i386 rpmbuild <spec-file>' rather than 'rpmbuild <spec-file>'
to make it compile is not providing them with what they need.  Even if
the requirement to 'setarch i386 rpmbuild' is documented in the spec file
in the .src.rpm, someone could get bitten, and might not know where to look
to get it to build.  This is why I have put work into this.
Comment 14 David Eisenstein 2006-03-15 23:35:26 EST
Jesse Keating and I discussed FC1 emacs on IRC, and we went over the spec file
posted in comment 12.  Although it worked to build FC1 emacs in both instances,
he pointed out some problems with it.  It had to do with awkward construction
of bash if and specfile %if statements surrounding the setarch problem and a
potential use of the setarch program without its being among the BuildRequres.

I am going to submit an updated spec file for FC1's emacs that should address
the shortcomings in the prior attempt, attachment 126152 [details].
Comment 15 David Eisenstein 2006-03-16 00:40:18 EST
Created attachment 126195 [details]
Corrected emacs.spec for FC1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Attached is an updated emacs.spec file, which hopefully will take care of
the issues.  It builds ok in all instances of its use to build FC1 emacs,
both on my FC1 machine and on petra.

(For petra's results, please see
<http://petra.fedoralegacy.org/logs/fedora-1-core/186-emacs-21.3-9.2.legacy/i386/>.)


It will build 'emacs-21.3-9.2.legacy' src.rpm and .rpms.

Please have a look at this and let us know what you think.  Thanks!

SHA1SUM:

19e77f536025bbd7e610d2823d930c2e2e0a74d8  emacs.spec

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFEGPshxou1V/j9XZwRAqLEAJ4hS0k+Rm6AHeb22p+yuPL5pEaxxwCg8Hw+
KroIWT64TkL4RUm9gFx7fKc=
=sWTT
-----END PGP SIGNATURE-----
Comment 16 David Eisenstein 2006-03-16 01:07:16 EST
Created attachment 126198 [details]
Logfile from build of emacs-21.3-9.2.legacy on my FC1 machine.

Attached, FYI, is the (gzipped) log-file from building emacs-21.3-9.2.legacy 
on my FC1 machine.
Comment 17 Pekka Savola 2006-03-17 01:20:54 EST
The emacs spec file attached to #15 seems OK to me, though quite complex; can't
be avoided I fear..

I guess this can go to build stage with that modification, unless there are
objections?
Comment 18 David Eisenstein 2006-03-19 11:03:52 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'll go ahead and make this official, unless anyone objects ...

Submitting these for PUBLISH QA.  The .src.rpm has the emacs.spec file
mentioned in comment #15.

The FC1 packages and log files that were made on petra are available at
http://petra.fedoralegacy.org/logs/fedora-1-core/186-emacs-21.3-9.2.legacy/i386/

Source RPM:
5a95b72fb8b5119789be9410dff02dfd9309388e__emacs-21.3-9.2.legacy.src.rpm

Binary RPMs:
a9f59eb0d2a4cfb5fac9bc4e621ab514b6b0f4d8__emacs-21.3-9.2.legacy.i386.rpm
e737be4d4670c67d0504f5a8707028475c4d8280__emacs-el-21.3-9.2.legacy.i386.rpm
abfed33a96d4f339c8a249a0a00b83a7b9a06750__emacs-leim-21.3-9.2.legacy.i386.rpm


The RPMs are also signed by my 0x7910794f gpg key (Legacy package signature
key).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFEHYHLxou1V/j9XZwRAl8LAJ4/VwHubAVABK1qDmpu0Q935de35QCePKiz
Ehe/CA+Bh7OfbT3m9/A7PVI=
=rKpI
-----END PGP SIGNATURE-----
Comment 19 David Eisenstein 2006-03-22 12:05:30 EST
Pekkas, or someone, can you take a look at this one so it can be moved to 
updates-testing?  Jesse, maybe you could look at it and see if it is suitable?

Thanks!
Comment 20 Pekka Savola 2006-03-31 00:29:46 EST
I think there has already been silent agreement that this is good to go..
Comment 21 David Eisenstein 2006-03-31 06:44:45 EST
Thanks, Pekka.
Comment 22 David Eisenstein 2006-04-08 00:49:12 EDT
I have started a build for emacs-21.3-9.2.legacy on jane.  Job 76.  Once
it is built, then we should have all the packages built that need building
here, and they will need pushing to updates-testing.

Will you do that, Marc or Jesse?  Thanks.
Comment 23 David Eisenstein 2006-04-08 01:21:42 EDT
Oh, also built for RHL7.3 and RHL9.  So the packages ready to be pushed to
updates-testing are here on jane/turbosphere:

  /build/plague/repodir/redhat-7.3-core/emacs/21.2-3.legacy
  /build/plague/repodir/redhat-9-core/emacs/21.2-34.legacy
  /build/plague/repodir/fedora-1-core/emacs/21.3-9.2.legacy

Thanks.
Comment 24 Marc Deslauriers 2006-04-26 20:01:05 EDT
Packages were pushed to updates-testing
Comment 25 Pekka Savola 2006-05-02 14:40:47 EDT
Timeout 2 weeks from packages being pushed to updates-testing.
Comment 26 Pekka Savola 2006-05-11 01:52:30 EDT
Timeout over.
Comment 27 Marc Deslauriers 2006-05-12 20:51:09 EDT
Packages were released to updates.

Note You need to log in before you can comment on or make changes to this bug.