Vulnerabilities > CVE-2007-5795 - Local Variable Handling Code Execution vulnerability in GNU Emacs
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The hack-local-variables function in Emacs before 22.2, when enable-local-variables is set to :safe, does not properly search lists of unsafe or risky variables, which might allow user-assisted attackers to bypass intended restrictions and modify critical program variables via a file containing a Local variables declaration.
Vulnerable Configurations
Exploit-Db
| description | GNU Emacs 22.1 Local Variable Handling Code Execution Vulnerability. CVE-2007-5795. Remote exploit for linux platform |
| id | EDB-ID:30736 |
| last seen | 2016-02-03 |
| modified | 2007-11-02 |
| published | 2007-11-02 |
| reporter | Drake Wilson |
| source | https://www.exploit-db.com/download/30736/ |
| title | GNU Emacs 22.1 - Local Variable Handling Code Execution Vulnerability |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2007-2946.NASL description - Tue Nov 6 2007 Chip Coldwell <coldwell at redhat.com> 22.1-8 - fix insufficient safe-mode checks (Resolves: bz367591) - Thu Nov 1 2007 Chip Coldwell <coldwell at redhat.com> 22.1-7 - Update rpm-spec-mode to the current upstream, drop compat patch (bz306841) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 28254 published 2007-11-20 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/28254 title Fedora 8 : emacs-22.1-8.fc8 (2007-2946) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200712-03.NASL description The remote host is affected by the vulnerability described in GLSA-200712-03 (GNU Emacs: Multiple vulnerabilities) Drake Wilson reported that the hack-local-variables() function in GNU Emacs 22 does not properly match assignments of local variables in a file against a list of unsafe or risky variables, allowing to override them (CVE-2007-5795). Andreas Schwab (SUSE) discovered a stack-based buffer overflow in the format function when handling values with high precision (CVE-2007-6109). Impact : Remote attackers could entice a user to open a specially crafted file in GNU Emacs, possibly leading to the execution of arbitrary Emacs Lisp code (via CVE-2007-5795) or arbitrary code (via CVE-2007-6109) with the privileges of the user running GNU Emacs. Workaround : The first vulnerability can be worked around by setting the last seen 2020-06-01 modified 2020-06-02 plugin id 29290 published 2007-12-11 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29290 title GLSA-200712-03 : GNU Emacs: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2007-3056.NASL description - Tue Nov 6 2007 Chip Coldwell <coldwell at redhat.com> - 22.1-5 - fix insufficient safe-mode checks (Resolves: bz367581) - Update rpm-spec-mode to the current upstream, drop compat patch (bz306841) - Wed Sep 12 2007 Chip Coldwell <coldwell at redhat.com> - 22.1-4 - require xorg-x11-fonts-ISO8859-1-100dpi instead of 75dpi (Resolves: bz281861) - drop broken python mode (Resolves: bz262801) - use macro instead of variable style for buildroot. - add pkgconfig file. - Mon Aug 13 2007 Chip Coldwell <coldwell at redhat.com> - 22.1-3 - add pkgconfig file for emacs-common and virtual provides (Resolves: bz242176) - glibc-open-macro.patch to deal with glibc turning last seen 2020-06-01 modified 2020-06-02 plugin id 28255 published 2007-11-20 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/28255 title Fedora 7 : emacs-22.1-5.fc7 (2007-3056) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2008-002.NASL description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. This update contains several security fixes for a number of programs. last seen 2020-06-01 modified 2020-06-02 plugin id 31605 published 2008-03-19 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31605 title Mac OS X Multiple Vulnerabilities (Security Update 2008-002) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-034.NASL description The hack-local-variable function in Emacs 22 prior to version 22.2, when enable-local-variables is set to last seen 2020-06-01 modified 2020-06-02 plugin id 36420 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36420 title Mandriva Linux Security Advisory : emacs (MDVSA-2008:034) NASL family SuSE Local Security Checks NASL id SUSE_EMACS-4620.NASL description The setting last seen 2020-06-01 modified 2020-06-02 plugin id 27647 published 2007-11-06 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27647 title openSUSE 10 Security Update : emacs (emacs-4620) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-541-1.NASL description Drake Wilson discovered that Emacs did not correctly handle the safe mode of last seen 2020-06-01 modified 2020-06-02 plugin id 28209 published 2007-11-14 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28209 title Ubuntu 7.10 : emacs22 vulnerability (USN-541-1)
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-11-09 |
| organization | Red Hat |
| statement | Not vulnerable. This issue did not affect versions of Emacs as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449008
- http://bugs.gentoo.org/show_bug.cgi?id=197958
- http://cvs.savannah.gnu.org/viewvc/emacs/emacs/lisp/files.el?r1=1.896.2.28&r2=1.896.2.29
- http://docs.info.apple.com/article.html?artnum=307562
- http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
- http://osvdb.org/42060
- http://secunia.com/advisories/27508
- http://secunia.com/advisories/27627
- http://secunia.com/advisories/27728
- http://secunia.com/advisories/27984
- http://secunia.com/advisories/29420
- http://security.gentoo.org/glsa/glsa-200712-03.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:034
- http://www.securityfocus.com/bid/26327
- http://www.ubuntu.com/usn/usn-541-1
- http://www.vupen.com/english/advisories/2007/3715
- http://www.vupen.com/english/advisories/2008/0924/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38263
- https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00524.html