Bugzilla – Bug 65237
VUL-0: CVE-2005-0100: emacs: format string bugs in helper application
Last modified: 2021-11-08 10:17:01 UTC
Hello Werner, we received this through vendor-sec (therefore not public).

From: Martin Schulze <joey@infodrom.org>
To: Free Software Distribution Vendors <vendor-sec@lst.de>
User-Agent: Mutt/1.5.6+20040907i
Subject: [vendor-sec] CAN-2005-0100: Arbitrary code execution in *emacs*
Errors-To: vendor-sec-admin@lst.de
Date: Thu, 27 Jan 2005 10:09:03 +0100

Max Vozeler discovered several format string vulnerabilities in the movemail utility of Emacs, the well-known editor. Via connecting to a malicious POP server an attacker can execute arbitrary code under the privileges of group mail (or worse, depending on the permissions of the movemail binary).

I propose to disclose this on February 10th as well.

I'm attaching the patches for emacs21 and xemacs21 by Max. Upstream is informed as well.

Regards,

Joey

--

--- emacs21-21.3+1/lib-src/movemail.c.orig 2005-01-16 09:08:52.000000000 +0100 +++ emacs21-21.3+1/lib-src/movemail.c 2005-01-16 09:11:40.000000000 +0100 @@ -787,7 +787,7 @@ mbx_delimit_begin (mbf); if (pop_retr (server, i, mbf) != OK) { - error (Errmsg, 0, 0); + error ("%s", Errmsg, 0); close (mbfi); return (1); } --- xemacs21-21.4.16/lib-src/movemail.c.orig 2005-01-16 09:05:05.000000000 +0100 +++ xemacs21-21.4.16/lib-src/movemail.c 2005-01-16 09:07:04.000000000 +0100 @@ -741,14 +741,14 @@ server = pop_open (0, user, password, POP_NO_GETPASS); if (! server) { - error (pop_error, NULL, NULL); + error ("%s", pop_error, NULL); return (1); } VERBOSE(("stat'ing messages\n")); if (pop_stat (server, &nmsgs, &nbytes)) { - error (pop_error, NULL, NULL); + error ("%s", pop_error, NULL); return (1); } @@ -796,7 +796,7 @@ mbx_delimit_begin (mbf); if (pop_retr (server, i, mbx_write, mbf) != POP_RETRIEVED) { - error (Errmsg, NULL, NULL); + error ("%s", Errmsg, NULL); close (mbfi); return (1); } @@ -844,7 +844,7 @@ VERBOSE(("deleting message %d \n", i)); if (pop_delete (server, i)) { - error (pop_error, NULL, NULL); + error ("%s", pop_error, NULL); pop_close (server); return (1); } 
@@ -855,7 +855,7 @@ VERBOSE(("closing server \n")); if (pop_quit (server)) { - error (pop_error, NULL, NULL); + error ("%s", pop_error, NULL); return (1); }
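Review bot: the emacs21 patch rewrites only the Errmsg call site in the hunk at -787, whereas the xemacs21 patch additionally fixes the four pop_error call sites after pop_open, pop_stat, pop_delete and pop_quit (hunks -741, -844, -855). Please confirm that emacs21's movemail.c has no equivalent sites still passing pop_error as the first argument to error(); if it does, they need the same `error ("%s", pop_error, 0);` treatment, since pop_error carries server-supplied text just as Errmsg does.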
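Review bot: in the xemacs21 hunks at -741, -796, -844 and -855 the trailing NULL argument is now dead, because the literal "%s" consumes only pop_error or Errmsg. That is harmless as long as error() really has the fixed (s1, s2, s3) signature the unchanged three-argument call shape suggests, but it is worth a short comment at one of these sites, or dropping the unused argument, so that a future printf-style attribute on error() does not flag every call as an argument-count mismatch.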
Did we ever (since 8.1) ship movemail set[ug]id? Even if not, we have to fix it b/c it's remotely exploitable.
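As an added illustration of the bug class the patches above close (this is example code written for this page, not movemail's code or Max Vozeler's patch), the following models movemail's fixed-arity `error (s1, s2, s3)` helper in both shapes: the pre-patch shape where the server text arrives as `s1` and is therefore interpreted as a format string, and the patched shape where the format is the literal `"%s"` and the server text is only data. The sample server line and the helper names are constructed for the example; the sample deliberately contains exactly two `%p` directives so the "before" call never reads past the two pointer arguments the helper actually receives. A small directive counter is included as the check a defender would run over server-supplied text when reviewing client logs or fuzzing a POP client.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an error line as a malicious POP server might send it.
   Exactly two "%p" directives, matching the two pointer arguments below, so
   the unsafe call stays well-defined for demonstration purposes. */
static const char SERVER_ERROR[] = "-ERR mailbox locked %p %p";

/* Pre-patch shape (hypothetical stand-in for movemail's error(s1, s2, s3)):
   the server text is passed as s1, i.e. as the format string. Rendered into
   a buffer instead of stderr so the result can be inspected. */
static int error_before_fix(char *out, size_t outsz,
                            const char *s1, const char *s2, const char *s3)
{
    return snprintf(out, outsz, s1, s2, s3);   /* s1 is attacker-controlled */
}

/* Patched shape: the format is a literal "%s"; server text is only data. */
static int error_after_fix(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Count '%' conversion directives in untrusted text ("%%" is a literal
   percent sign, not a directive). A nonzero count in a server error line is
   the signal to alert on when auditing or fuzzing a client that logs it. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 when the vulnerable form rewrote the server text (its directives
   were consumed) while the hardened form reproduced it byte for byte. */
int demonstrate(void)
{
    char before[256], after[256];
    error_before_fix(before, sizeof before, SERVER_ERROR, NULL, NULL);
    error_after_fix(after, sizeof after, SERVER_ERROR);
    return strcmp(before, SERVER_ERROR) != 0 && strcmp(after, SERVER_ERROR) == 0;
}

int main(void)
{
    printf("directives in server text: %d\n", count_format_directives(SERVER_ERROR));
    printf("vulnerable form altered the text, fixed form did not: %s\n",
           demonstrate() ? "yes" : "no");
    return 0;
}
```

The point of `count_format_directives` is not to sanitize: the only correct fix is the one in the patch, never letting untrusted text reach the format argument. The counter is the cheap check that tells you whether a peer has started sending directive-laden text, which is the observable that distinguishes a probe from an ordinary `-ERR` line.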
CAN-2005-0100:
SM-Tracker-254
Info about CRD:

From: Martin Schulze <joey@infodrom.org>
To: Free Software Distribution Vendors <vendor-sec@lst.de>
User-Agent: Mutt/1.5.6+20040907i
Subject: [vendor-sec] DATE MOVED (was: CAN-2005-0100: Arbitrary code execution in *emacs*)
Errors-To: vendor-sec-admin@lst.de
Date: Mon, 31 Jan 2005 08:02:08 +0100

Martin Schulze wrote:
> Max Vozeler discovered several format string vulnerabilities in the
> movemail utility of Emacs, the well-known editor. Via connecting to a
> malicious POP server an attacker can execute arbitrary code under the
> privileges of group mail (or worse, depending on the permissions of
> the movemail binary).
>
> I propose to disclose this on February 10th as well.

This timeline was moved a bit to February 6th. On the same day XEmacs21 21.4.17 will be released.

Regards,

Joey

--
> I propose to disclose this on February 10th as well.

The date has been moved to February 6th and XEmacs21 21.4.17 will be released including the correction on the same day.

Regards,

Joey
Args ... I'm currently not able to fork.
Please update your kernel. ;)
emacs is fixed and submitted to STABLE, 8.1, 8.2, 9.0, 9.1, and 9.2. I've also provided the patchinfos for the box and the SLES; feel free to change them.
xemacs is fixed and submitted to STABLE, 8.1, 8.2, 9.0, 9.1, and 9.2. I've also provided the patchinfos for the box and the SLES; feel free to change them.
FIXED
Reopened by meissner@suse.de at Fri Feb 4 17:33:32 2005, took initial reporter thomas@suse.de to cc
reopen for tracking
make public, and for QA to look at too.
updates approved.
CVE-2005-0100: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)