Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Summary
Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, allows local users to gain privileges via a crafted Lisp expression in a Project.ede file in the directory, or a parent directory, of an opened file. Weakness classification: CWE-426: Untrusted Search Path (http://cwe.mitre.org/data/definitions/426.html).
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2012-0494.NASL description CVE-2012-0035 emacs: CEDET global-ede-mode file loading vulnerability Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-01-24 plugin id 57645 published 2012-01-24 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57645 title Fedora 16 : emacs-23.3-9.fc16 (2012-0494) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2012-0494.
#
# Purpose: authenticated local check that flags a Fedora 16 host whose
# installed emacs package is older than the fixed build emacs-23.3-9.fc16
# (CVE-2012-0035). The check is driven entirely by the rpm list gathered by
# ssh_get_info.nasl; nothing on the target is probed over the network here.

include("compat.inc");

# Registration branch: the engine runs the plugin with `description` set to
# collect metadata only. The exit(0) at the end keeps the package checks
# below from running in that mode.
if (description)
{
  script_id(57645);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-0035");
  script_bugtraq_id(51354);
  script_xref(name:"FEDORA", value:"2012-0494");

  script_name(english:"Fedora 16 : emacs-23.3-9.fc16 (2012-0494)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." );
  script_set_attribute( attribute:"description", value: "CVE-2012-0035 emacs: CEDET global-ede-mode file loading vulnerability Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=773023" );
  # The commented URL is the Fedora package-announce post; the nessus.org
  # shortlink below presumably redirects to it — verify if the link breaks.
  # https://lists.fedoraproject.org/pipermail/package-announce/2012-January/072288.html
  script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1085618f" );
  script_set_attribute(attribute:"solution", value:"Update the affected emacs package.");

  # NOTE(review): the CVSS2 base vector scores the attack vector as Network
  # although the advisory text describes a local privilege escalation. The
  # vector presumably mirrors the NVD scoring of the time rather than being
  # derived from the plugin's own check — confirm before using it for triage.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:emacs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # Knowledge-base keys populated by ssh_get_info.nasl; the engine will not
  # schedule this plugin unless all three exist.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions. Each audit() call records why the check did not apply and
# does not return — the statements after every gate rely on that (e.g.
# os_ver[1] below would be indexing a null otherwise).
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# ">!<" is NASL's "is not a substring of": bail out unless the release
# string mentions Fedora.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

# eregmatch() yields the whole match at [0] and the first capture group
# (the major release number) at [1].
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];

# Only Fedora 16 is covered by this advisory. The pattern requires "16" to be
# followed by a non-digit or end of string so that e.g. "160" does not match.
if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86_64 hosts are handled; "!~" is NASL's regex non-match.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# rpm_check() is expected to be true when the installed emacs package is
# older than the reference build (i.e. still vulnerable); flag counts such
# findings so the reporting below can be shared across several packages.
flag = 0;
if (rpm_check(release:"FC16", reference:"emacs-23.3-9.fc16")) flag++;

if (flag)
{
  # Local finding, hence port 0. In verbose mode the report carries the
  # installed-vs-reference comparison collected by rpm_check().
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "installed and already at or above the fix" from
  # "not installed at all" in the audit trail.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "emacs");
}
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-076.NASL description Updated emacs packages fix security vulnerabilities : Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, allows local users to gain privileges via a crafted Lisp expression in a Project.ede file in the directory, or a parent directory, of an opened file (CVE-2012-0035). lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically executes eval forms in local-variable sections when the enable-local-variables option is set to :safe, which allows user-assisted remote attackers to execute arbitrary Emacs Lisp code via a crafted file (CVE-2012-3479). Additionally a problem was fixed reading xz compressed files (mga#7759). last seen 2020-06-01 modified 2020-06-02 plugin id 66090 published 2013-04-20 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66090 title Mandriva Linux Security Advisory : emacs (MDVSA-2013:076) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201401-31.NASL description The remote host is affected by the vulnerability described in GLSA-201401-31 (CEDET: Privilege escalation) An untrusted search path vulnerability was discovered in CEDET. Impact : A local attacker could escalate his privileges via a specially crafted Lisp expression in a Project.ede file in the directory or a parent directory of an opened file. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 72158 published 2014-01-28 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/72158 title GLSA-201401-31 : CEDET: Privilege escalation NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201403-05.NASL description The remote host is affected by the vulnerability described in GLSA-201403-05 (GNU Emacs: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GNU Emacs: When ‘global-ede-mode’ is enabled, EDE in Emacs automatically loads a Project.ede file from the project directory (CVE-2012-0035). When ‘enable-local-variables’’ is set to ‘:safe’, Emacs automatically processes eval forms (CVE-2012-3479). Impact : A remote attacker could entice a user to open a specially crafted file, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 73127 published 2014-03-21 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73127 title GLSA-201403-05 : GNU Emacs: Multiple vulnerabilities NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201812-05.NASL description The remote host is affected by the vulnerability described in GLSA-201812-05 (EDE: Privilege escalation) An untrusted search path vulnerability was discovered in EDE. Impact : A local attacker could escalate his privileges via a specially crafted Lisp expression in a Project.ede file in the directory or a parent directory of an opened file. Workaround : There is no known workaround at this time. last seen 2020-05-22 modified 2018-12-07 plugin id 119483 published 2018-12-07 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/119483 title GLSA-201812-05 : EDE: Privilege escalation NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1586-1.NASL description Hiroshi Oota discovered that Emacs incorrectly handled search paths. If a user were tricked into opening a file with Emacs, a local attacker could execute arbitrary Lisp code with the privileges of the user invoking the program. (CVE-2012-0035) Paul Ling discovered that Emacs incorrectly handled certain eval forms in local-variable sections. If a user were tricked into opening a specially crafted file with Emacs, a remote attacker could execute arbitrary Lisp code with the privileges of the user invoking the program. (CVE-2012-3479). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 62365 published 2012-09-28 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62365 title Ubuntu 11.10 / 12.04 LTS : emacs23 vulnerabilities (USN-1586-1) NASL family Fedora Local Security Checks NASL id FEDORA_2012-0462.NASL description CVE-2012-0035 emacs: CEDET global-ede-mode file loading vulnerability Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-01-24 plugin id 57644 published 2012-01-24 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57644 title Fedora 15 : emacs-23.3-8.fc15 (2012-0462)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072285.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072288.html
- http://lists.gnu.org/archive/html/emacs-devel/2012-01/msg00387.html
- http://openwall.com/lists/oss-security/2012/01/10/2
- http://openwall.com/lists/oss-security/2012/01/10/4
- http://secunia.com/advisories/47311
- http://secunia.com/advisories/47515
- http://secunia.com/advisories/50801
- http://sourceforge.net/mailarchive/message.php?msg_id=28649762
- http://sourceforge.net/mailarchive/message.php?msg_id=28657612
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:076
- http://www.ubuntu.com/usn/USN-1586-1
- https://security.gentoo.org/glsa/201812-05