I tested it just now with -0ubuntu5 from gutsy.  The exploit worked, so
it is definitely vulnerable.  I'll go into more exact details to
replicate the exploit.

 - Download the file.  Save it to ~/hack.txt.
 - Copy your ~/.emacs file, if you have one, to ~/testme.  If you don't have 
one, just touch ~/testme.
 - Do M-: (setq user-init-file "~/testme") RET.  This way, changes that the 
exploit makes will go to ~/testme rather than your init file.
 - Do M-: (setq enable-local-variables t).  This is the default value.  The 
exploit does not work with it, but adding this step will allow me to make a 
point later on.
 - Open ~/hack.txt with Emacs.  Change "Local variaboles" to "Local variables". 
 Save.
 - Now from the hack.txt buffer, do M-x revert-buffer RET yes RET.  Emacs will 
warn you that risky local variables exist.  This is the correct behavior, which 
we will contrast to the incorrect behavior, later on.  Choose "n".
 - Do M-: (setq enable-local-variables :safe) RET.  This disables the prompt, 
and causes safe variables to be set automatically and unsafe variables to be 
ignored automatically.  But it doesn't ignore unsafe variables!
 - From the hack.txt buffer, do M-x revert-buffer RET yes RET.  This time, it 
will not prompt you, and the exploit will run.  Since the 
"hack-local-variables-hook" variable is not marked as safe, this ought to have 
ignored the variable instead, and *not* set it, which would have made the 
exploit ineffective.
 - The exploit removes the mention of itself from hack.txt (a very cute choice 
-- it causes the screen to flash quickly enough that the user might not notice 
the existence of something sinister in that buffer), and adds a line to the end 
of ~/testme.

-- 
Security hole in handling of local variables
https://bugs.launchpad.net/bugs/159525
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

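Added example, not part of the original bug comment or of Emacs: a Python sketch of the behaviour the steps above expect from enable-local-variables :safe, where only variables known to be safe are applied and everything else, such as hack-local-variables-hook, is ignored. The allowlist, the risky-name pattern and the sample file are constructed assumptions, not Emacs's own tables.

```python
import re

# Simplified stand-in for Emacs's risky-variable name heuristic (an assumption,
# not a copy of files.el): names that usually hold code, hooks or commands.
RISKY_NAME = re.compile(
    r"^eval$|-hooks?$|-functions?$|-forms?$|-commands?$|-predicates?$|-program$|-map$")
# Illustrative allowlist of names treated as safe; real Emacs also checks the value.
SAFE_NAMES = frozenset({"mode", "coding", "fill-column"})

# Constructed sample file; the hook value is a harmless placeholder.
SAMPLE = """Some notes.

;; Local Variables:
;; fill-column: 72
;; hack-local-variables-hook: ignore
;; End:
"""

def local_variables(text):
    """Return [(name, value)] from the trailing 'Local Variables:' block."""
    tail = text[-3000:]  # Emacs only searches near the end of the file
    marker = None
    for marker in re.finditer(r"^(.*?)Local Variables:[ \t]*(.*)$", tail, re.I | re.M):
        pass  # keep the last marker in the tail
    if marker is None:
        return []
    prefix, suffix = marker.group(1), marker.group(2).rstrip()
    found = []
    for line in tail[marker.end():].splitlines()[1:]:
        if not line.startswith(prefix):
            break  # malformed block: stop instead of guessing
        body = line[len(prefix):].rstrip()
        if suffix and body.endswith(suffix):
            body = body[:-len(suffix)]
        name, sep, value = body.partition(":")
        if not sep or name.strip().lower() == "end":
            break
        found.append((name.strip(), value.strip()))
    return found

def audit(text, safe_names=SAFE_NAMES):
    """Model the intended :safe policy: apply allowlisted names, ignore the rest."""
    report = []
    for name, value in local_variables(text):
        if name in safe_names:
            verdict = "apply"
        elif RISKY_NAME.search(name):
            verdict = "ignore (risky)"
        else:
            verdict = "ignore"
        report.append((name, verdict))
    return report
```

Running audit() over a file before opening it shows which settings a correct :safe implementation would skip; a file whose marker is misspelled, as in the downloaded hack.txt before it is edited, yields an empty report.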