Bug 65237 (CVE-2005-0100)

Summary: VUL-0: CVE-2005-0100: emacs: format string bugs in helper application
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: heiko.rommel, patch-request, security-team, thomas, werner
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0100: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2005-01-27 20:37:16 UTC 
Hello Werner, 
we received this on through vendor-sec. (therefore not public) 
 
From: Martin Schulze <joey@infodrom.org> 
To: Free Software Distribution Vendors <vendor-sec@lst.de> 
User-Agent: Mutt/1.5.6+20040907i 
Subject: [vendor-sec] CAN-2005-0100: Arbitrary code execution in *emacs* 
Errors-To: vendor-sec-admin@lst.de 
Date: Thu, 27 Jan 2005 10:09:03 +0100 
 
Max Vozeler discovered several format string vulnerabilities in the 
movemail utility of Emacs, the well-known editor.  Via connecting to a 
malicious POP server an attacker can execute arbitrary code under the 
privileges of group mail (or worse, depending on the permissions of 
the movemail binary). 
 
I propose to disclose this on February 10th as well. 
 
I'm attaching the patches for emacs21 and xemacs21 by Max. 
 
Upstream is informed as well. 
 
Regards, 
 
        Joey 
 
-- 
 
--- emacs21-21.3+1/lib-src/movemail.c.orig      2005-01-16 09:08:52.000000000 
+0100 
+++ emacs21-21.3+1/lib-src/movemail.c   2005-01-16 09:11:40.000000000 +0100 
@@ -787,7 +787,7 @@ 
       mbx_delimit_begin (mbf); 
       if (pop_retr (server, i, mbf) != OK) 
        { 
-         error (Errmsg, 0, 0); 
+         error ("%s", Errmsg, 0); 
          close (mbfi); 
          return (1); 
        } 
 
--- xemacs21-21.4.16/lib-src/movemail.c.orig    2005-01-16 09:05:05.000000000 
+0100 
+++ xemacs21-21.4.16/lib-src/movemail.c 2005-01-16 09:07:04.000000000 +0100 
@@ -741,14 +741,14 @@ 
   server = pop_open (0, user, password, POP_NO_GETPASS); 
   if (! server) 
     { 
-      error (pop_error, NULL, NULL); 
+      error ("%s", pop_error, NULL); 
       return (1); 
     } 
 
   VERBOSE(("stat'ing messages\n")); 
   if (pop_stat (server, &nmsgs, &nbytes)) 
     { 
-      error (pop_error, NULL, NULL); 
+      error ("%s", pop_error, NULL); 
       return (1); 
     } 
 
@@ -796,7 +796,7 @@ 
           mbx_delimit_begin (mbf); 
          if (pop_retr (server, i, mbx_write, mbf) != POP_RETRIEVED) 
            { 
-             error (Errmsg, NULL, NULL); 
+             error ("%s", Errmsg, NULL); 
              close (mbfi); 
              return (1); 
            } 
@@ -844,7 +844,7 @@ 
              VERBOSE(("deleting message %d     \n", i)); 
              if (pop_delete (server, i)) 
                { 
-                 error (pop_error, NULL, NULL); 
+                 error ("%s", pop_error, NULL); 
                  pop_close (server); 
                  return (1); 
                } 
@@ -855,7 +855,7 @@ 
   VERBOSE(("closing server             \n")); 
   if (pop_quit (server)) 
     { 
-      error (pop_error, NULL, NULL); 
+      error ("%s", pop_error, NULL); 
       return (1); 
     }
Comment 1 Thomas Biege 2005-01-27 20:37:17 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Thomas Biege 2005-01-27 20:39:02 UTC 
Do we ever (since 8.1) shipped movemail set[ug]id? 
 
Even if not we have to fix it b/c it's remotely exploitable.
Comment 3 Thomas Biege 2005-01-27 20:39:36 UTC 
CAN-2005-0100:
Comment 4 Thomas Biege 2005-01-27 21:16:59 UTC 
 SM-Tracker-254
Comment 5 Thomas Biege 2005-01-31 17:10:01 UTC 
Info about CRD: 
 
From: Martin Schulze <joey@infodrom.org> 
To: Free Software Distribution Vendors <vendor-sec@lst.de> 
User-Agent: Mutt/1.5.6+20040907i 
Subject: [vendor-sec] DATE MOVED (was: CAN-2005-0100: Arbitrary code 
execution in *emacs*) 
Errors-To: vendor-sec-admin@lst.de 
Date: Mon, 31 Jan 2005 08:02:08 +0100 
 
Martin Schulze wrote: 
> Max Vozeler discovered several format string vulnerabilities in the 
> movemail utility of Emacs, the well-known editor.  Via connecting to a 
> malicious POP server an attacker can execute arbitrary code under the 
> privileges of group mail (or worse, depending on the permissions of 
> the movemail binary). 
> 
> I propose to disclose this on February 10th as well. 
 
This timeline was moved a bit to February 6th.  On the same day 
XEmacs21 21.4.17 will be released. 
 
Regards, 
 
        Joey 
 
--
Comment 6 Thomas Biege 2005-02-01 18:30:34 UTC 
> I propose to disclose this on February 10th as well. 
 
The date has been moved to February 6th and XEmacs21 21.4.17 will 
be released including the correction on the same day. 
 
Regards, 
 
        Joey
Comment 7 Dr. Werner Fink 2005-02-01 18:34:38 UTC 
Args ... I'm currently not able to fork.
Comment 8 Thomas Biege 2005-02-01 19:57:07 UTC 
Please update your kernel. ;)
Comment 9 Dr. Werner Fink 2005-02-05 00:13:58 UTC 
emacs is fixed and submitted to STABLE, 8.1, 8,2, 9.0, 9.1, and 9.2
I've also provided the patchinfos for the box and the SLES,
feel free to change them.
Comment 10 Dr. Werner Fink 2005-02-05 00:31:21 UTC 
xemacs is fixed and submitted to STABLE, 8.1, 8,2, 9.0, 9.1, and 9.2
I've also provided the patchinfos for the box and the SLES,
feel free to change them.
Comment 11 Dr. Werner Fink 2005-02-05 00:31:36 UTC 
FIXED
Comment 12 Marcus Meissner 2005-02-05 00:33:32 UTC 
<!-- SBZ_reopen -->Reopened by meissner@suse.de at Fri Feb  4 17:33:32 2005, took initial reporter thomas@suse.de to cc
Comment 13 Marcus Meissner 2005-02-05 00:33:32 UTC 
reopen for tracking
Comment 14 Marcus Meissner 2005-02-16 19:58:08 UTC 
make public, and for QA to look at too.
Comment 15 Marcus Meissner 2005-02-21 15:38:15 UTC 
updates approved.
Comment 16 Thomas Biege 2009-10-13 21:00:36 UTC 
CVE-2005-0100: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)