CVE-2012-0035: CEDET global-ede-mode file loading vulnerability (rhbz#773024)

2012-01-12 20:27:23 +01:00 · 2012-01-12 20:27:23 +01:00 · 198f28a4fa
parent bb940a5c28
commit 198f28a4fa
2 changed files with 490 additions and 1 deletions
--- a/emacs-ede-cve-2012-0035.patch
+++ b/emacs-ede-cve-2012-0035.patch
@ -0,0 +1,483 @@
+diff -r -c emacs-23.3-old/lisp/cedet/ede/auto.el emacs-23.3/lisp/cedet/ede/auto.el
+*** emacs-23.3-old/lisp/cedet/ede/auto.el	2011-01-09 01:45:14.000000000 +0800
+--- emacs-23.3/lisp/cedet/ede/auto.el	2012-01-09 13:20:12.410502713 +0800
+***************
+*** 58,63 ****
+--- 58,70 ----
+  	  :initform t
+  	  :documentation
+  	  "Non-nil if this is an option when a user creates a project.")
+    (safe-p :initarg :safe-p
+ 	   :initform t
+ 	   :documentation
+ 	   "Non-nil if the project load files are \"safe\".
+ An unsafe project is one that loads project variables via Emacs
+ Lisp code.  A safe project is one that loads project variables by
+ scanning files without loading Lisp code from them.")
+     )
+    "Class representing minimal knowledge set to run preliminary EDE functions.
+  When more advanced functionality is needed from a project type, that projects
+***************
+*** 69,81 ****
+  			 :name "Make" :file 'ede/proj
+  			 :proj-file "Project.ede"
+  			 :load-type 'ede-proj-load
+! 			 :class-sym 'ede-proj-project)
+     (ede-project-autoload "edeproject-automake"
+  			 :name "Automake" :file 'ede/proj
+  			 :proj-file "Project.ede"
+  			 :initializers '(:makefile-type Makefile.am)
+  			 :load-type 'ede-proj-load
+! 			 :class-sym 'ede-proj-project)
+     (ede-project-autoload "automake"
+  			 :name "automake" :file 'ede/project-am
+  			 :proj-file "Makefile.am"
+--- 76,90 ----
+  			 :name "Make" :file 'ede/proj
+  			 :proj-file "Project.ede"
+  			 :load-type 'ede-proj-load
+! 			 :class-sym 'ede-proj-project
+! 			 :safe-p nil)
+     (ede-project-autoload "edeproject-automake"
+  			 :name "Automake" :file 'ede/proj
+  			 :proj-file "Project.ede"
+  			 :initializers '(:makefile-type Makefile.am)
+  			 :load-type 'ede-proj-load
+! 			 :class-sym 'ede-proj-project
+! 			 :safe-p nil)
+     (ede-project-autoload "automake"
+  			 :name "automake" :file 'ede/project-am
+  			 :proj-file "Makefile.am"
+***************
+*** 84,89 ****
+--- 93,100 ----
+  			 :new-p nil))
+    "List of vectors defining how to determine what type of projects exist.")
+  
+ (put 'ede-project-class-files 'risky-local-variable t)
+ 
+  ;;; EDE project-autoload methods
+  ;;
+  (defmethod ede-project-root ((this ede-project-autoload))
+***************
+*** 122,127 ****
+--- 133,151 ----
+      (when (and f (file-exists-p f))
+        f)))
+  
+ (defmethod ede-auto-load-project ((this ede-project-autoload) dir)
+   "Load in the project associated with THIS project autoload description.
+ THIS project description should be valid for DIR, where the project will
+ be loaded."
+   ;; Last line of defense: don't load unsafe projects.
+   (when (not (or (oref this :safe-p)
+ 		 (ede-directory-safe-p dir)))
+     (error "Attempt to load an unsafe project (bug elsewhere in EDE)"))
+   ;; Things are good - so load the project.
+   (let ((o (funcall (oref this load-type) dir)))
+     (when (not o)
+       (error "Project type error: :load-type failed to create a project"))
+     (ede-add-project-to-global-list o)))
+  
+  (provide 'ede/auto)
+  
+diff -r -c emacs-23.3-old/lisp/cedet/ede/simple.el emacs-23.3/lisp/cedet/ede/simple.el
+*** emacs-23.3-old/lisp/cedet/ede/simple.el	2011-01-09 01:45:14.000000000 +0800
+--- emacs-23.3/lisp/cedet/ede/simple.el	2012-01-09 13:17:20.010502312 +0800
+***************
+*** 50,56 ****
+  	      :name "Simple" :file 'ede/simple
+  	      :proj-file 'ede-simple-projectfile-for-dir
+  	      :load-type 'ede-simple-load
+! 	      :class-sym 'ede-simple-project)
+  	     t)
+  
+  (defcustom ede-simple-save-directory "~/.ede"
+--- 50,57 ----
+  	      :name "Simple" :file 'ede/simple
+  	      :proj-file 'ede-simple-projectfile-for-dir
+  	      :load-type 'ede-simple-load
+! 	      :class-sym 'ede-simple-project
+! 	      :safe-p nil)
+  	     t)
+  
+  (defcustom ede-simple-save-directory "~/.ede"
+diff -r -c emacs-23.3-old/lisp/cedet/ede.el emacs-23.3/lisp/cedet/ede.el
+*** emacs-23.3-old/lisp/cedet/ede.el	2011-01-09 01:45:14.000000000 +0800
+--- emacs-23.3/lisp/cedet/ede.el	2012-01-09 13:24:44.854503349 +0800
+***************
+*** 94,99 ****
+--- 94,135 ----
+    :group 'ede
+    :type 'sexp) ; make this be a list of options some day
+  
+ (defcustom ede-project-directories nil
+   "Directories in which EDE may search for project files.
+ If the value is t, EDE may search in any directory.
+ 
+ If the value is a function, EDE calls that function with one
+ argument, the directory name; the function should return t iff
+ EDE should look for project files in the directory.
+ 
+ Otherwise, the value should be a list of fully-expanded directory
+ names.  EDE searches for project files only in those directories.
+ If you invoke the commands \\[ede] or \\[ede-new] on a directory
+ that is not listed, Emacs will offer to add it to the list.
+ 
+ Any other value disables searching for EDE project files."
+   :group 'ede
+   :type '(choice (const :tag "Any directory" t)
+ 		 (repeat :tag "List of directories"
+ 			 (directory))
+ 		 (function :tag "Predicate"))
+   :version "23.4"
+   :risky t)
+ 
+ (defun ede-directory-safe-p (dir)
+   "Return non-nil if DIR is a safe directory to load projects from.
+ Projects that do not load a project definition as Emacs Lisp code
+ are safe, and can be loaded automatically.  Other project types,
+ such as those created with Project.ede files, are safe only if
+ specified by `ede-project-directories'."
+   (setq dir (directory-file-name (expand-file-name dir)))
+   ;; Load only if allowed by `ede-project-directories'.
+   (or (eq ede-project-directories t)
+       (and (functionp ede-project-directories)
+ 	   (funcall ede-project-directories dir))
+       (and (listp ede-project-directories)
+ 	   (member dir ede-project-directories))))
+ 
+  
+  ;;; Management variables
+  
+***************
+*** 419,442 ****
+  Sets buffer local variables for EDE."
+    (let* ((ROOT nil)
+  	 (proj (ede-directory-get-open-project default-directory
+! 					       'ROOT)))
+      (when (or proj ROOT
+! 	      (ede-directory-project-p default-directory t))
+  
+!       (when (not proj)
+! 	;; @todo - this could be wasteful.
+! 	(setq proj (ede-load-project-file default-directory 'ROOT)))
+  
+!       (setq ede-object (ede-buffer-object (current-buffer)
+  					  'ede-object-project))
+  
+!       (setq ede-object-root-project
+! 	    (or ROOT (ede-project-root ede-object-project)))
+  
+!       (if (and (not ede-object) ede-object-project)
+! 	  (ede-auto-add-to-target))
+  
+!       (ede-apply-target-options))))
+  
+  (defun ede-reset-all-buffers (onoff)
+    "Reset all the buffers due to change in EDE.
+--- 455,496 ----
+  Sets buffer local variables for EDE."
+    (let* ((ROOT nil)
+  	 (proj (ede-directory-get-open-project default-directory
+! 					       'ROOT))
+! 	 (projauto nil))
+! 
+      (when (or proj ROOT
+! 	      ;; If there is no open project, look up the project
+! 	      ;; autoloader to see if we should initialize.
+! 	      (setq projauto (ede-directory-project-p default-directory t)))
+! 
+!       (when (and (not proj) projauto)
+! 
+! 	;; No project was loaded, but we have a project description
+! 	;; object.  This means that we can check if it is a safe
+! 	;; project to load before requesting it to be loaded.
+! 
+! 	(when (or (oref projauto safe-p)
+! 		  ;; The project style is not safe, so check if it is
+! 		  ;; in `ede-project-directories'.
+! 		  (let ((top (ede-toplevel-project default-directory)))
+! 		    (ede-directory-safe-p top)))
+  
+! 	  ;; The project is safe, so load it in.
+! 	  (setq proj (ede-load-project-file default-directory 'ROOT))))
+  
+!       ;; Only initialize EDE state in this buffer if we found a project.
+!       (when proj
+! 
+! 	(setq ede-object (ede-buffer-object (current-buffer)
+  					  'ede-object-project))
+  
+! 	(setq ede-object-root-project
+! 	      (or ROOT (ede-project-root ede-object-project)))
+  
+! 	(if (and (not ede-object) ede-object-project)
+! 	    (ede-auto-add-to-target))
+  
+! 	(ede-apply-target-options)))))
+  
+  (defun ede-reset-all-buffers (onoff)
+    "Reset all the buffers due to change in EDE.
+***************
+*** 555,567 ****
+  
+  ;;; Interactive method invocations
+  ;;
+! (defun ede (file)
+!   "Start up EDE on something.
+! Argument FILE is the file or directory to load a project from."
+!   (interactive "fProject File: ")
+!   (if (not (file-exists-p file))
+!       (ede-new file)
+!     (ede-load-project-file (file-name-directory file))))
+  
+  (defun ede-new (type &optional name)
+    "Create a new project starting of project type TYPE.
+--- 609,681 ----
+  
+  ;;; Interactive method invocations
+  ;;
+! (defun ede (dir)
+!   "Start up EDE for directory DIR.
+! If DIR has an existing project file, load it.
+! Otherwise, create a new project for DIR."
+!   (interactive
+!    ;; When choosing a directory to turn on, and we see some directory here,
+!    ;; provide that as the default.
+!    (let* ((top (ede-toplevel-project default-directory))
+! 	  (promptdflt (or top default-directory)))
+!      (list (read-directory-name "Project directory: "
+! 				promptdflt promptdflt t))))
+!   (unless (file-directory-p dir)
+!     (error "%s is not a directory" dir))
+!   (when (ede-directory-get-open-project dir)
+!     (error "%s already has an open project associated with it" dir))
+! 
+!   ;; Check if the directory has been added to the list of safe
+!   ;; directories.  It can also add the directory to the safe list if
+!   ;; the user chooses.
+!   (if (ede-check-project-directory dir)
+!       (progn
+! 	;; If there is a project in DIR, load it, otherwise do
+! 	;; nothing.
+! 	(ede-load-project-file dir)
+! 
+! 	;; Check if we loaded anything on the previous line.
+! 	(if (ede-current-project dir)
+! 
+! 	    ;; We successfully opened an existing project.  Some open
+! 	    ;; buffers may also be referring to this project.
+! 	    ;; Resetting all the buffers will get them to also point
+! 	    ;; at this new open project.
+! 	    (ede-reset-all-buffers 1)
+! 
+! 	  ;; ELSE
+! 	  ;; There was no project, so switch to `ede-new' which is how
+! 	  ;; a user can select a new kind of project to create.
+! 	  (let ((default-directory (expand-file-name dir)))
+! 	    (call-interactively 'ede-new))))
+! 
+!     ;; If the proposed directory isn't safe, then say so.
+!     (error "%s is not an allowed project directory in `ede-project-directories'"
+! 	   dir)))
+! 
+! (defun ede-check-project-directory (dir)
+!   "Check if DIR should be in `ede-project-directories'.
+! If it is not, try asking the user if it should be added; if so,
+! add it and save `ede-project-directories' via Customize.
+! Return nil iff DIR should not be in `ede-project-directories'."
+!   (setq dir (directory-file-name (expand-file-name dir))) ; strip trailing /
+!   (or (eq ede-project-directories t)
+!       (and (functionp ede-project-directories)
+! 	   (funcall ede-project-directories dir))
+!       ;; If `ede-project-directories' is a list, maybe add it.
+!       (when (listp ede-project-directories)
+! 	(or (member dir ede-project-directories)
+! 	    (when (y-or-n-p (format "`%s' is not listed in `ede-project-directories'.
+! Add it to the list of allowed project directories? "
+! 				    dir))
+! 	      (push dir ede-project-directories)
+! 	      ;; If possible, save `ede-project-directories'.
+! 	      (if (or custom-file user-init-file)
+! 		  (let ((coding-system-for-read nil))
+! 		    (customize-save-variable
+! 		     'ede-project-directories
+! 		     ede-project-directories)))
+! 	      t)))))
+  
+  (defun ede-new (type &optional name)
+    "Create a new project starting of project type TYPE.
+***************
+*** 596,601 ****
+--- 710,720 ----
+      (error "Cannot create project in non-existent directory %s" default-directory))
+    (when (not (file-writable-p default-directory))
+      (error "No write permissions for %s" default-directory))
+   (unless (ede-check-project-directory default-directory)
+     (error "%s is not an allowed project directory in `ede-project-directories'"
+ 	   default-directory))
+   ;; Make sure the project directory is loadable in the future.
+   (ede-check-project-directory default-directory)
+    ;; Create the project
+    (let* ((obj (object-assoc type 'name ede-project-class-files))
+  	 (nobj (let ((f (oref obj file))
+***************
+*** 629,634 ****
+--- 748,757 ----
+  	(ede-add-subproject pp nobj)
+  	(ede-commit-project pp)))
+      (ede-commit-project nobj))
+   ;; Once the project is created, load it again.  This used to happen
+   ;; lazily, but with project loading occurring less often and with
+   ;; security in mind, this is now the safe time to reload.
+   (ede-load-project-file default-directory)
+    ;; Have the menu appear
+    (setq ede-minor-mode t)
+    ;; Allert the user
+***************
+*** 651,661 ****
+  (defun ede-rescan-toplevel ()
+    "Rescan all project files."
+    (interactive)
+!   (let ((toppath (ede-toplevel-project default-directory))
+! 	(ede-deep-rescan t))
+!     (project-rescan (ede-load-project-file toppath))
+!     (ede-reset-all-buffers 1)
+!     ))
+  
+  (defun ede-new-target (&rest args)
+    "Create a new target specific to this type of project file.
+--- 774,789 ----
+  (defun ede-rescan-toplevel ()
+    "Rescan all project files."
+    (interactive)
+!   (if (not (ede-directory-get-open-project default-directory))
+!       ;; This directory isn't open.  Can't rescan.
+!       (error "Attempt to rescan a project that isn't open")
+! 
+!     ;; Continue
+!     (let ((toppath (ede-toplevel-project default-directory))
+! 	  (ede-deep-rescan t))
+! 
+!       (project-rescan (ede-load-project-file toppath))
+!       (ede-reset-all-buffers 1))))
+  
+  (defun ede-new-target (&rest args)
+    "Create a new target specific to this type of project file.
+***************
+*** 891,897 ****
+    ;; Do the load
+    ;;(message "EDE LOAD : %S" file)
+    (let* ((file dir)
+! 	 (path (expand-file-name (file-name-directory file)))
+  	 (pfc (ede-directory-project-p path))
+  	 (toppath nil)
+  	 (o nil))
+--- 1019,1025 ----
+    ;; Do the load
+    ;;(message "EDE LOAD : %S" file)
+    (let* ((file dir)
+! 	 (path (file-name-as-directory (expand-file-name dir)))
+  	 (pfc (ede-directory-project-p path))
+  	 (toppath nil)
+  	 (o nil))
+***************
+*** 920,932 ****
+        ;; See if it's been loaded before
+        (setq o (object-assoc (ede-dir-to-projectfile pfc toppath) 'file
+  			    ede-projects))
+!       (if (not o)
+! 	  ;; If not, get it now.
+! 	  (let ((ede-constructing pfc))
+! 	    (setq o (funcall (oref pfc load-type) toppath))
+! 	    (when (not o)
+! 	      (error "Project type error: :load-type failed to create a project"))
+! 	    (ede-add-project-to-global-list o)))
+  
+        ;; Return the found root project.
+        (when rootreturn (set rootreturn o))
+--- 1048,1058 ----
+        ;; See if it's been loaded before
+        (setq o (object-assoc (ede-dir-to-projectfile pfc toppath) 'file
+  			    ede-projects))
+! 
+!       ;; If not open yet, load it.
+!       (unless o
+! 	(let ((ede-constructing pfc))
+! 	  (setq o (ede-auto-load-project pfc toppath))))
+  
+        ;; Return the found root project.
+        (when rootreturn (set rootreturn o))
+***************
+*** 980,992 ****
+  	     (and root
+  		  (ede-find-subproject-for-directory root updir))
+  	     ;; Try the all structure based search.
+! 	     (ede-directory-get-open-project updir)
+! 	     ;; Load up the project file as a last resort.
+! 	     ;; Last resort since it uses file-truename, and other
+! 	     ;; slow features.
+! 	     (and (ede-directory-project-p updir)
+! 		  (ede-load-project-file
+! 		   (file-name-as-directory updir))))))))))
+  
+  (defun ede-current-project (&optional dir)
+    "Return the current project file.
+--- 1106,1112 ----
+  	     (and root
+  		  (ede-find-subproject-for-directory root updir))
+  	     ;; Try the all structure based search.
+! 	     (ede-directory-get-open-project updir))))))))
+  
+  (defun ede-current-project (&optional dir)
+    "Return the current project file.
+***************
+*** 1000,1010 ****
+      ;; No current project.
+      (when (not ans)
+        (let* ((ldir (or dir default-directory)))
+! 	(setq ans (ede-directory-get-open-project ldir))
+! 	(or ans
+! 	    ;; No open project, if this dir pass project-p, then load.
+! 	    (when (ede-directory-project-p ldir)
+! 	      (setq ans (ede-load-project-file ldir))))))
+      ;; Return what we found.
+      ans))
+  
+--- 1120,1126 ----
+      ;; No current project.
+      (when (not ans)
+        (let* ((ldir (or dir default-directory)))
+! 	(setq ans (ede-directory-get-open-project ldir))))
+      ;; Return what we found.
+      ans))
+  
+***************
+*** 1059,1070 ****
+    "Return the project which is the parent of TARGET.
+  It is recommended you track the project a different way as this function
+  could become slow in time."
+!   ;; @todo - use ede-object-project as a starting point.
+!   (let ((ans nil) (projs ede-projects))
+!     (while (and (not ans) projs)
+!       (setq ans (ede-target-in-project-p (car projs) target)
+! 	    projs (cdr projs)))
+!     ans))
+  
+  (defmethod ede-find-target ((proj ede-project) buffer)
+    "Fetch the target in PROJ belonging to BUFFER or nil."
+--- 1175,1187 ----
+    "Return the project which is the parent of TARGET.
+  It is recommended you track the project a different way as this function
+  could become slow in time."
+!   (or ede-object-project
+!       ;; If not cached, derive it from the current directory of the target.
+!       (let ((ans nil) (projs ede-projects))
+! 	(while (and (not ans) projs)
+! 	  (setq ans (ede-target-in-project-p (car projs) target)
+! 		projs (cdr projs)))
+! 	ans)))
+  
+  (defmethod ede-find-target ((proj ede-project) buffer)
+    "Fetch the target in PROJ belonging to BUFFER or nil."
--- a/emacs.spec
+++ b/emacs.spec
@ -3,7 +3,7 @@ Summary: GNU Emacs text editor
 Name: emacs
 Epoch: 1
 Version: 23.3
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv3+
 URL: http://www.gnu.org/software/emacs/
 Group: Applications/Editors
@ -40,6 +40,8 @@ Patch8: emacs-wm-state-hidden.patch
 Patch9: emacs-xgselect.patch
 # http://bzr.savannah.gnu.org/lh/emacs/trunk/revision/103228
 Patch10: 103228_103227.diff
+# http://lists.gnu.org/archive/html/emacs-devel/2012-01/msg00387.html
+Patch11: emacs-ede-cve-2012-0035.patch

 BuildRequires: atk-devel, cairo-devel, freetype-devel, fontconfig-devel, dbus-devel, giflib-devel, glibc-devel, gtk2-devel, libpng-devel
 BuildRequires: libjpeg-devel, libtiff-devel, libX11-devel, libXau-devel, libXdmcp-devel, libXrender-devel, libXt-devel
@ -166,6 +168,7 @@ packages that add functionality to Emacs.
 %patch8 -p1 -b .wm-state-hidden
 %patch9 -p1 -b .xgselect
 %patch10 -p0 -b .svn17
+%patch11 -p1 -b .ede-cve-2012-0035

 # Install site-lisp files
 cp %SOURCE7 %SOURCE10 site-lisp
@ -446,6 +449,9 @@ update-desktop-database &> /dev/null || :
 %dir %{_datadir}/emacs/site-lisp/site-start.d

 %changelog
+* Thu Jan 12 2012 Karel Klíč <kklic@redhat.com> - 1:23.3-19
+- Added patch to handle CVE-2012-0035: CEDET global-ede-mode file loading vulnerability (rhbz#773024)
+
 * Sun Nov 27 2011 Ville Skyttä <ville.skytta@iki.fi> - 1:23.3-18
 - Apply upstream Subversion >= 1.7 dir structure fix for vc-svn.el.