Date: Fri, 9 Mar 2001 09:51:24 +0100
From: Martin Schulze firstname.lastname@example.org
To: Debian Security Announcements
Subject: [SECURITY] [DSA 042-1] New XEmacs and gnuserv packages
Packages : gnuserv, xemacs21
Vulnerability : buffer overflow and weak security
Type : remote vulnerability
Fixed version : gnuserv 2.1alpha-5.1 (potato) and 2.1alpha-5.1.1 (unstable)
xemacs 21.1.10-5 (potato) and xemacs 21.1.14-1 (unstable)
Klaus Frank has found a vulnerability in the way gnuserv handled
remote connections. Gnuserv is a remote control facility for
Emacsen which is available as a standalone program as well as
included in XEmacs21. Gnuserv has a buffer for which insufficient
boundary checks were made. Unfortunately this buffer affected
access control to gnuserv, which uses a MIT-MAGIC-COOKIE based
system. It is possible to overflow the buffer containing the cookie
and defeat the cookie comparison.
Gnuserv was derived from emacsserver, which is part of GNU Emacs.
It was reworked completely and not much is left over from
its time as part of GNU Emacs. Therefore the versions of
emacsserver in both Emacs19 and Emacs20 don't look vulnerable to
this bug; they don't even provide a MIT-MAGIC-COOKIE based
This could allow a remote user to issue commands under the UID
of the person running gnuserv.
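The following is an added illustration, not gnuserv's or XEmacs's own code, of the kind of check whose absence the advisory describes: a cookie received from an untrusted connection is only accepted into the fixed-size comparison buffer after an explicit length check, and the comparison itself runs in constant time. The cookie length (COOKIE_LEN) and the function names are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

#define COOKIE_LEN 32   /* assumed fixed cookie length for this example */

/* Result codes returned by check_cookie(). */
enum cookie_result {
    COOKIE_OK       =  0,
    COOKIE_TOO_LONG = -1,   /* input would overflow the buffer: rejected, not copied */
    COOKIE_MISMATCH = -2,
    COOKIE_BAD_LEN  = -3    /* presented cookie shorter/longer than expected */
};

/* Copy an untrusted cookie into a fixed-size buffer, refusing anything
 * that does not fit. A copy without this bound is the bug class the
 * advisory describes: overlong input overwrites adjacent memory and
 * with it the data the comparison relies on. */
static int copy_cookie(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (src_len >= dst_size)        /* leave room for the terminator */
        return COOKIE_TOO_LONG;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return COOKIE_OK;
}

/* Compare n bytes without early exit so timing does not reveal
 * how many leading bytes matched. */
static int cookie_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Validate a cookie presented by a client against the expected one.
 * presented_len is the length as received, not trusted to be NUL-terminated. */
int check_cookie(const char *expected, const char *presented, size_t presented_len)
{
    char buf[COOKIE_LEN + 1];
    int rc = copy_cookie(buf, sizeof buf, presented, presented_len);
    if (rc != COOKIE_OK)
        return rc;
    size_t want = strlen(expected);
    if (presented_len != want)
        return COOKIE_BAD_LEN;
    return cookie_equal((const unsigned char *)buf,
                        (const unsigned char *)expected, want) ? COOKIE_OK : COOKIE_MISMATCH;
}
```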
We recommend you upgrade your xemacs21 and gnuserv packages
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 2.2 alias potato
Potato was released for the alpha, arm, i386, m68k, powerpc and