GLSA Bodhisattva
Posted: Tue Feb 15, 2005 9:45 pm Post subject: [ GLSA 200502-20 ] Emacs, XEmacs: Format string vulnerabilit
Gentoo Linux Security Advisory
Title: Emacs, XEmacs: Format string vulnerabilities in movemail (GLSA 200502-20)
Severity: normal
Exploitable: remote
Date: February 15, 2005
Updated: July 23, 2006
Bug(s): #79686
ID: 200502-20
Synopsis
The movemail utility shipped with Emacs and XEmacs contains several format
string vulnerabilities, potentially leading to the execution of arbitrary
code.
Background
GNU Emacs and XEmacs are highly extensible and customizable text
editors. movemail is an Emacs utility that can fetch mail on remote
mail servers.
Affected Packages
Package: app-editors/emacs
Vulnerable: < 21.4
Unaffected: >= 21.4
Unaffected: < 19
Architectures: All supported architectures
Package: app-editors/xemacs
Vulnerable: < 21.4.15-r3
Unaffected: >= 21.4.15-r3
Architectures: All supported architectures
Description
Max Vozeler discovered that the movemail utility contains several
format string errors.
Impact
An attacker could set up a malicious POP server and entice a user to
connect to it using movemail, resulting in the execution of arbitrary
code with the rights of the victim user.
Workaround
There is no known workaround at this time.
Resolution
All Emacs users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/emacs-21.4"
All XEmacs users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/xemacs-21.4.15-r3"
References
CAN-2005-0100
Last edited by GLSA on Mon Apr 16, 2012 4:18 am; edited 6 times in total
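Added example, not part of the advisory and not movemail's actual code: the format string bug class named in the Description, shown as a mail client's error routine that uses a POP server reply as its format, beside the corrected call. The function names and the sample reply are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style reporter standing in for a mail client's
 * error routine. Declaring it with
 *   __attribute__((format(printf, 3, 4)))
 * lets gcc/clang -Wformat-security flag the unsafe call below. */
static int report(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Bug class: text received from the POP server is used AS the format.
 * Any conversion in it (%x, %s, %n ...) is executed against arguments
 * that were never passed, which is undefined behaviour. */
int report_server_error_unsafe(char *out, size_t n, const char *server_line)
{
    return report(out, n, server_line);
}

/* Fix: constant format, server text is only ever data. */
int report_server_error_safe(char *out, size_t n, const char *server_line)
{
    return report(out, n, "%s", server_line);
}

int main(void)
{
    /* Constructed sample reply. "%%" is the one directive that consumes
     * no argument, so it shows interpretation without undefined behaviour. */
    const char *reply = "-ERR quota at 100%% for user";
    char a[64], b[64];

    report_server_error_unsafe(a, sizeof a, reply);
    report_server_error_safe(b, sizeof b, reply);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return 0;
}
```

The unsafe variant collapses `%%` to `%`, showing that the server's text was parsed as a format; the safe variant reproduces the reply byte for byte.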