From c2990ebb60993d31f6fc5c85ba88850733805b36 Mon Sep 17 00:00:00 2001
From: Rob Browning
Date: Tue, 14 Oct 2008 21:21:31 -0700
Subject: [PATCH] Fix a security problem related to the invocation of python (CVE-2008-3949).
---
 debian/changelog | 10 +++
 ...-python-module-handling-cve-2008-3949.diff | 66 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 77 insertions(+)
 create mode 100644 debian/patches/fix-python-module-handling-cve-2008-3949.diff
diff --git a/debian/changelog b/debian/changelog
index d7da4f7033f..5a315feb388 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+emacs22 (22.2+2-4) unstable; urgency=medium
+
+ * Fix a security problem related to the invocation of python
+ (CVE-2008-3949). Avoid including the current directory in the module
+ lookup path when invoking python from python.el. Thanks to Sven
+ Joachim and Michael Berg .
+ (closes: #499568)
+
+ -- Rob Browning Tue, 14 Oct 2008 21:15:42 -0700
+
 emacs22 (22.2+2-3) unstable; urgency=medium

 * Fix an insecurity related to fast-lock-cache-directories
diff --git a/debian/patches/fix-python-module-handling-cve-2008-3949.diff b/debian/patches/fix-python-module-handling-cve-2008-3949.diff
new file mode 100644
index 00000000000..817bf10e5d2
--- /dev/null
+++ b/debian/patches/fix-python-module-handling-cve-2008-3949.diff
@@ -0,0 +1,66 @@
+* Python mode will not inappropriately load modules in the current directory.
+ Patch: fix-python-module-handling-cve-2008-3949.diff
+ Provided-by: Chong Yidong
+ Originally-reported-by: Sven Joachim
+ Date: Fri, 19 Sep 2008 23:06:33 +0200
+ Added-by: Rob Browning
+ Status: incorporated upstream
+
+ Chong Yidong describes the problem as
+ follows:
+
+ The Emacs command `run-python' launches an interactive Python
+ interpreter. After the Python process starts up, Emacs
+ automatically sends it the line
+
+ import emacs
+
+ which normally imports a script named emacs.py which is
+ distributed with Emacs. This script, which is typically located
+ in a write-protected installation directory with other Emacs
+ program files, defines various functions to help the Python
+ process communicate with Emacs.
+
+ The vulnerability arises because Python, by default, prepends ''
+ to the module search path, so modules are looked for in the
+ current directory. If the current directory is world-writable, an
+ attacker may insert malicious code by adding a fake Python module
+ named emacs.py into that directory.
+
+ Furthermore, emacs.py imports other non-built-in Python modules,
+ such as `inspect'. The same vulnerability exists for these import
+ statements.
+
+ By default, merely visiting and editing a *.py source file does
+ not launch a Python subprocess; you either have to call `M-x
+ run-python', or enable Emacs code that calls `run-python'
+ automatically, such as `eldoc-mode'.
+
+ The Python developers, in a private communication, have stated
+ that they do not regard this module-importing behavior as a
+ security problem for Python per se, because running a python
+ script in a world-writable directory is itself a security hazard.
+ In the Emacs context, however, it's much less obvious that it's
+ unsafe to call `run-python' while the current directory is
+ world-writable; therefore, the problem discussed here can be
+ regarded as a security risk.
+
+ The fix adds arguments to the invocation of Python which remove ''
+ from sys.path. Since sys is a built-in module, it cannot be
+ overriden via the current directory before this code executes.
+
+Index: sid/lisp/progmodes/python.el
+===================================================================
+--- sid.orig/lisp/progmodes/python.el
++++ sid/lisp/progmodes/python.el
+@@ -1355,7 +1355,9 @@
+ ;; invoked. Would support multiple processes better.
+ (when (or new (not (comint-check-proc python-buffer)))
+ (with-current-buffer
+- (let* ((cmdlist (append (python-args-to-list cmd) '("-i")))
++ (let* ((cmdlist
++ (append (python-args-to-list cmd)
++ '("-i" "-c" "import sys; sys.path.remove('')")))
+ (path (getenv "PYTHONPATH"))
+ (process-environment ; to import emacs.py
+ (cons (concat "PYTHONPATH=" data-directory
diff --git a/debian/patches/series b/debian/patches/series
index 232839f5b51..85887617b46 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,4 +12,5 @@ make-fast-lock-cache-directories-risky-cve-2008-2142.diff
 fix-mule-select-safe-coding.diff
 look-for-news-to-find-etc.diff
 fix-woman2-th.diff
+fix-python-module-handling-cve-2008-3949.diff
 autofiles.diff
-- 2.30.2
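Review bot: The `-c` command added to `cmdlist` in the python.el change, `import sys; sys.path.remove('')`, removes only the first empty entry and raises ValueError when there is none, so it is both noisy on an interpreter started without that entry and incomplete if `''` appears more than once. A filter avoids both cases: `'("-i" "-c" "import sys; sys.path[:] = [p for p in sys.path if p]")`. The options are appended after `(python-args-to-list cmd)`, so a `cmd` that already names a script or carries its own `-c` would presumably receive them as program arguments and skip the cleanup; a comment at this line should state that assumption. The inherited PYTHONPATH bound to `path` is not sanitized in the visible lines, so a relative component there would presumably still resolve against the current directory. The `let*` form starts and ends outside the hunk, so how the final PYTHONPATH is assembled cannot be confirmed from here.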