FreeBSD : emacs -- run-python vulnerability (66657bd5-ac92-11dd-b541-001f3b19d541)

This script is Copyright (C) 2008-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Emacs developers report :

The Emacs command `run-python' launches an interactive Python
interpreter. After the Python process starts up, Emacs automatically
sends it the line :

import emacs

which normally imports a script named emacs.py which is distributed
with Emacs. This script, which is typically located in a
write-protected installation directory with other Emacs program files,
defines various functions to help the Python process communicate with
Emacs.

The vulnerability arises because Python, by default, prepends '' to
the module search path, so modules are looked for in the current
directory. If the current directory is world-writable, an attacker may
insert malicious code by adding a fake Python module named emacs.py
into that directory.
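
A defensive check for the condition described above, as an added example that is not part of the advisory or of Emacs: it walks a module search path in import order and reports every directory consulted before the genuine emacs.py that is world-writable or already holds a file of that name. The function names, the trusted_dir parameter and the temporary directory layout are assumptions made for illustration.

```python
import os
import stat
import tempfile

def world_writable(path):
    """True if 'other' users may create files in this directory."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH)

def audit_import(module, search_path, cwd, trusted_dir):
    """Walk search_path in import order, stopping at trusted_dir.

    Returns (directory, issue) tuples: 'shadowed' if <module>.py already
    sits in a directory searched first, 'plantable' if that directory is
    world-writable. Simplification: only plain .py files are checked.
    """
    findings = []
    trusted = os.path.realpath(trusted_dir)
    for entry in search_path:
        # Python treats the '' entry as the current working directory.
        directory = os.path.realpath(entry if entry else cwd)
        if directory == trusted:
            break  # genuine module found here; later entries never win
        if os.path.isfile(os.path.join(directory, module + ".py")):
            findings.append((directory, "shadowed"))
        elif world_writable(directory):
            findings.append((directory, "plantable"))
    return findings

def demo():
    """Constructed layout: a 0777 working directory, a 0755 install directory."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared")    # stands in for a /tmp-like cwd
        install = os.path.join(root, "install")  # stands in for the Emacs data dir
        for path, mode in ((shared, 0o777), (install, 0o755)):
            os.mkdir(path)
            os.chmod(path, mode)
        open(os.path.join(install, "emacs.py"), "w").close()
        default = audit_import("emacs", ["", install], shared, install)
        hardened = audit_import("emacs", [install], shared, install)
        open(os.path.join(shared, "emacs.py"), "w").close()  # empty placeholder
        shadow = audit_import("emacs", ["", install], shared, install)
        return [i for _, i in default], [i for _, i in hardened], [i for _, i in shadow]

if __name__ == "__main__":
    print(demo())
```

The sticky bit is deliberately not treated as a mitigation: it restricts deleting other users' files, not creating new ones, so a /tmp-style directory is still reported.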

See also :

http://lists.gnu.org/archive/html/emacs-devel/2008-09/msg00215.html
http://www.nessus.org/u?e4c6ac72

Solution :

Update the affected package.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 34732 (freebsd_pkg_66657bd5ac9211ddb541001f3b19d541.nasl)

Bugtraq ID:

CVE ID: CVE-2008-3949
