RUS-CERT Advisory 2000-04:01 – Several vulnerabilities in GNU Emacs 20
Several vulnerabilities were discovered in all Emacs versions up to 20.6, namely:
- Under certain circumstances, unprivileged local users can eavesdrop on the communication between Emacs and its subprocesses.
- It is impossible to safely create temporary files in a public directory from Emacs Lisp.
- The history of recently typed keys may expose passwords.
The first two vulnerabilities in particular seriously impact the use of tools like mailcrypt in a multi-user environment.
1. Improper permissions on slave PTYs
Affected systems:
- GNU/Linux (both GNU libc 2.x and libc5)
- FreeBSD (and probably other *BSD variants)
- HP-UX 10.x, 11.00
- AIX 4
- Solaris (The Solaris runtime system automatically adjusts the PTY permissions.)
Data General's DG/UX seems to be unaffected, according to the source code. Other systems have not been examined.
Severity: High in multi-user environments, low otherwise.
On the systems listed above, when a new subprocess is created using the builtin Lisp function start-process, Emacs doesn’t set proper permissions for the slave PTY device.
Unprivileged local users can eavesdrop on the data which Emacs sends to its subprocess and forge responses from the subprocess. This impacts Emacs packages such as Mailcrypt, which transmits (among other things) PGP passphrases over this data channel.
At the Emacs Lisp level, the only workaround is to use call-process instead of start-process. Of course, this is not always an option, because the two functions do not provide the same functionality (synchronous vs. asynchronous subprocesses).
The real solution requires modification of the Emacs C source code. A patch for Emacs 20.6 is included below which enables Emacs to use Unix98 PTYs. The patch is known to work on the following systems:
- GNU/Linux with GNU libc 2.1
- AIX 4.2
- HP-UX 11.00
It is expected to work on HP-UX 10.x as well. (Under some versions of HP-UX, grantpt() does not behave as specified. The patch contains a suitable workaround.)
Unfortunately, systems lacking Unix98 support (such as Linux with libc5 and GNU libc 2.0, FreeBSD and AIX 3) require a completely different fix and a setuid root binary to change the PTY permissions (in other words: some kind of userspace Unix 98 PTY emulation). There are no plans to provide this emulation; Unix 98 PTYs are already widely adopted and most Unix derivatives provide them (with the notable exception of several *BSD variants). For FreeBSD, an enhancement to openpty() has been proposed which sets proper permissions on the slave TTY device (see problem report bin/9770). The proposal has yet to be adopted, though.
Future Emacs releases will contain a similar fix.
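To make the "proper permissions" requirement concrete, here is an added example (not part of the advisory or of the Emacs patch) that allocates a PTY through the Unix98 interfaces the fix relies on (posix_openpt, grantpt, unlockpt) and then audits the slave device: it is private only if it is owned by the caller and is neither readable nor writable by "other" and not readable by the group (grantpt's usual 0620/tty mode passes, the world-accessible slaves described above fail). The function names are my own.

```c
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure permission check so the policy can be tested without a PTY.
 * A slave PTY is private if the calling user owns it, it carries no
 * permission bits for "other", and the group cannot read it (group write,
 * as grantpt() sets for the tty group, is acceptable). Returns 1 or 0. */
int pty_mode_is_private(mode_t mode, uid_t owner, uid_t caller)
{
    if (owner != caller)
        return 0;
    if (mode & (S_IROTH | S_IWOTH | S_IXOTH))
        return 0;
    if (mode & S_IRGRP)   /* group-readable: any tty-group member could eavesdrop */
        return 0;
    return 1;
}

/* Allocate a Unix98 PTY and audit the slave's permissions.
 * Returns 1 if the slave is private, 0 if it is exposed to other users,
 * -1 if no PTY could be allocated (e.g. no /dev/ptmx in a sandbox). */
int unix98_pty_slave_is_private(void)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0) {
        close(master);
        return -1;
    }
    const char *slave = ptsname(master);   /* path of the slave device */
    struct stat st;
    int rc = -1;
    if (slave != NULL && stat(slave, &st) == 0)
        rc = pty_mode_is_private(st.st_mode & 07777, st.st_uid, getuid());
    close(master);
    return rc;
}

int main(void)
{
    int rc = unix98_pty_slave_is_private();
    if (rc < 0) { perror("pty allocation"); return 2; }
    printf("slave PTY is %s\n", rc ? "private" : "EXPOSED to other local users");
    return rc ? 0 : 1;
}
```

Running the binary on one of the affected platforms without the patch (i.e. with a slave opened the old BSD way) would report the exposed mode; with Unix98 allocation it should report a private slave.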
2. Unsafe creation of temporary files
Affected systems: All Unix-like Emacs platforms on which public directories are used to store temporary files.
Severity: High in multi-user environments, low otherwise.
Emacs Lisp does not provide any functionality to create a file in a publicly writable directory in a safe way.
Many Emacs packages use the make-temp-name Lisp function to create names for temporary files. These names are not very hard to guess. Because it is impossible to create the actual temporary file in a safe manner, the usual symlink attacks are likely to succeed.
Emacs 21 will provide a new make-temp-file function (which creates the file in question in a safe way), i.e. the functionality to safely create temporary files. In the meantime, until Emacs 21 is released and package maintainers adopt the new function, private directories for temporary files should be used. Most packages provide variables for that. For example, for Mailcrypt, the variable mc-temp-directory has to be set, and for Python Mode, it is py-temp-directory.
3. Passwords are stored in the key history
Functions like read-passwd do not clear the history of recently typed keys. In fact, there is no way to do that from Emacs Lisp.
Passwords might be recovered by someone who has access to the console on which Emacs is running, subverting password expiry as provided, for example, by Mailcrypt. (Usually, there are many other ways to obtain passwords if you can type C-h l inside a foreign Emacs, though.)
The patch below adds code to clear-this-command-keys which will erase the vector containing the last 100 events. In the past, this function was already used as if it behaved that way.
Credits: Helmut Waitzmann for rediscovering the PTY permissions problem and testing the HP-UX patch. Gerd Moellmann of the Emacs development team for the patch to clear-this-command-keys and helpful comments.
Patch against Emacs 20.6
The patch below is against GNU Emacs 20.6, as available at GNU FTP mirrors. Note that you have to run autoconf to recreate the configure script (including it would have enormously increased the size of the patch).
- Download the patch. (not available anymore)
RUS-CERT is the Computer Emergency Response Team located at the Computing Center (RUS) of the University of Stuttgart, Germany.