Package: emacs-gtk
Version: 1:27.1+1-3.1+b1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

After wondering why Emacs was hanging on startup after a reinstallation of machines with Debian 11 at my lab, I looked at the strace output (strace -o str.out -f /usr/bin/emacs-gtk -Q) and could see:

[...]
380295 openat(AT_FDCWD, "/usr/share/X11/POSIX/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/share/X11/POSIX/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/share/X11/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/share/X11/POSIX/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/share/X11/POSIX/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/share/X11/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/lib/X11/POSIX/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/lib/X11/POSIX/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/lib/X11/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/lib/X11/POSIX/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/lib/X11/POSIX/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/usr/lib/X11/app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/home/vlefevre/.app-defaults/POSIX/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/home/vlefevre/.app-defaults/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/home/vlefevrePOSIX/Emacs", O_RDONLY) = -1 ENOENT (No such file or directory)
380295 openat(AT_FDCWD, "/home/vlefevreEmacs", O_RDONLY) = -1 ENOENT (No such file or directory)
[...]

So, Emacs tries to open /home/vlefevrePOSIX/Emacs and /home/vlefevreEmacs, which potentially belong to other users!

Moreover, here, this makes Emacs hang for several dozens of seconds possibly due to a timeout in the automounter or something like that.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages emacs-gtk depends on:
ii  emacs-bin-common     1:27.1+1-3.1+b1
ii  emacs-common         1:27.1+1-3.1
ii  libacl1              2.3.1-1
ii  libasound2           1.2.6.1-2+b1
ii  libc6                2.33-7
ii  libcairo2            1.16.0-5
ii  libdbus-1-3          1.14.0-1
ii  libfontconfig1       2.13.1-4.4
ii  libfreetype6         2.11.1+dfsg-1
ii  libgdk-pixbuf-2.0-0  2.42.8+dfsg-1
ii  libgif7              5.1.9-2.1
ii  libglib2.0-0         2.72.1-1
ii  libgmp10             2:6.2.1+dfsg-3
ii  libgnutls30          3.7.4-2
ii  libgpm2              1.20.7-10
ii  libgtk-3-0           3.24.33-1
ii  libharfbuzz0b        2.7.4-1+b1
ii  libice6              2:1.0.10-1
ii  libjansson4          2.14-2
ii  libjpeg62-turbo      1:2.1.2-1
ii  liblcms2-2           2.12~rc1-2
ii  libm17n-0            1.8.0-4
ii  libotf1              0.9.16-3
ii  libpango-1.0-0       1.50.6+ds-2
ii  libpng16-16          1.6.37-4
ii  librsvg2-2           2.52.5+dfsg-3+b1
ii  libselinux1          3.3-1+b2
ii  libsm6               2:1.2.3-1
ii  libsystemd0          250.4-1
ii  libtiff5             4.3.0-6
ii  libtinfo6            6.3-2
ii  libx11-6             2:1.7.5-1
ii  libxext6             2:1.3.4-1
ii  libxfixes3           1:6.0.0-1
ii  libxml2              2.9.13+dfsg-1+b1
ii  libxrender1          1:0.9.10-1
ii  zlib1g               1:1.2.11.dfsg-4

emacs-gtk recommends no packages.

Versions of packages emacs-gtk suggests:
ii  emacs-common-non-dfsg  1:27.1+1-2

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
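
A check for the symptom reported above, as an added example that is not part of the original report or of Emacs: it scans `strace` output for opened paths that begin with the home directory string but are not inside the home directory. The function names and the `home` argument are assumptions of this example; the sample lines are copied from the trace in the report.

```python
import os
import re

# Path argument of an open()/openat() call as printed by strace.
OPEN_RE = re.compile(r'\bopen(?:at)?\([^"]*"((?:[^"\\]|\\.)*)"')


def escapes_home(path, home):
    """True if path shares the home *string* prefix but is a sibling of home.

    "/home/vlefevreEmacs" starts with "/home/vlefevre" yet is not below it;
    that is what a missing "/" separator in path construction produces.
    """
    home = home.rstrip("/")
    path = os.path.normpath(path)
    if not path.startswith(home) or path == home:
        return False
    return not path.startswith(home + "/")


def flag_home_escapes(strace_lines, home):
    """Return distinct flagged paths in order of first appearance."""
    flagged = []
    for line in strace_lines:
        m = OPEN_RE.search(line)
        if m and escapes_home(m.group(1), home) and m.group(1) not in flagged:
            flagged.append(m.group(1))
    return flagged


# Lines copied from the strace output quoted in the report.
ENOENT = "O_RDONLY) = -1 ENOENT (No such file or directory)"
SAMPLE = [
    f'380295 openat(AT_FDCWD, "/usr/lib/X11/app-defaults/Emacs", {ENOENT}',
    f'380295 openat(AT_FDCWD, "/home/vlefevre/.app-defaults/POSIX/Emacs", {ENOENT}',
    f'380295 openat(AT_FDCWD, "/home/vlefevre/.app-defaults/Emacs", {ENOENT}',
    f'380295 openat(AT_FDCWD, "/home/vlefevrePOSIX/Emacs", {ENOENT}',
    f'380295 openat(AT_FDCWD, "/home/vlefevreEmacs", {ENOENT}',
]

if __name__ == "__main__":
    for p in flag_home_escapes(SAMPLE, "/home/vlefevre"):
        print("outside home:", p)
```

To run it on a full trace such as `str.out`, pass the opened file object as `strace_lines` and the invoking user's home directory as `home`.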