Your message dated Fri, 25 Jul 2008 04:17:08 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#480885: fixed in emacs22 22.2+2-3 has caused the Debian Bug report #480885, regarding emacs22: arbitrary code execution in fast-lock-mode to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
480885: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480885
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: emacs21
Version: 21.4a+1-5.4
Severity: important
Tags: security

The following message was forwarded to the emacs-devel mailing list, see [1]. It is currently still under discussion there.

------- Start of forwarded message -------
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.1.0
Date: Fri, 9 May 2008 12:45:25 -0400
From: "Morten Welinder" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Emacs security bug

Hi there,

it's been a while or two -- DJGPP was hot, new technology when we last spoke, :-)

It's unclear to me where to send Emacs security concerns, so I am sending this one to you. Please forward appropriately.

1. Create .emacs with contents

   (global-font-lock-mode t)
   (setq font-lock-support-mode 'fast-lock-mode)

2. Create foo.c with contents

   /* Nothing to see here */

3. Create foo.c.flc with contents

   (message "Something to see here!")

4. Start Emacs and load foo.c

--> Observe that code from foo.c.flc is run. Not good.

(This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to be adjusted.)

Suggestions:

a. Remove "." from fast-lock-cache-directories. Littering little files everywhere is not a good idea anyway.

b. Don't use load to handle the .flc file. Instead read it into a buffer and read one s-expression at a time and verify that it is sane before evaluating it.

c. Don't use files owned by anyone else. This cannot stand alone, though, as it has a race condition.

Morten Welinder
------- End of forwarded message -------

Since fast-lock-mode is not the default font-lock-support-mode and probably few people use it, I set the severity to important rather than grave. Nevertheless it should be fixed in one of the ways Morten outlined.

[1] http://lists.gnu.org/archive/html/emacs-devel/2008-05/msg00645.html
--- End Message ---
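The report's suggestions (a), (b) and (c) amount to one defensive pattern for any editor-side cache that is stored as Lisp: never hand the file to `load`, read its forms as data and accept only the shape you expect, and only from a location you control. The Emacs Lisp below is an added example illustrating that pattern; it is not code from the bug report, from the Debian package or from Emacs's own fast-lock.el. It assumes that a cache file should contain nothing but top-level forms headed by the symbol `fast-lock-cache-data` (an assumption for this example), and every `my-` name and the `~/.emacs.d/flc` directory are made up here.

```elisp
;; Added example, not code from the bug report or from Emacs's fast-lock.el.
;; Follows Morten's suggestions: (a) no "." in the cache search path,
;; (b) never `load' the .flc file but read its forms one at a time and
;; accept only allow-listed shapes, (c) refuse files we do not own.
;; Assumptions: `fast-lock-cache-data' is the only head symbol a cache file
;; should contain (assumed here); all `my-' names are invented.

(defvar my-trusted-cache-dir (expand-file-name "~/.emacs.d/flc")
  "The single directory cache files may be read from (assumed; adjust).")

(defvar my-allowed-cache-heads '(fast-lock-cache-data)
  "Head symbols a cache form may carry; any other form is rejected.")

;; Suggestion (a): search only the trusted directory, never ".".
(setq fast-lock-cache-directories (list my-trusted-cache-dir))

(defun my-cache-file-trusted-p (file)
  "Return non-nil if FILE is a regular file we own inside `my-trusted-cache-dir'.
This narrows but does not close the race Morten mentions: the file can be
swapped between this check and the read, so the form allow-list in
`my-read-cache-forms', not this check, is what keeps the read safe."
  (let ((attrs (file-attributes file 'integer)))
    (and attrs
         (not (file-symlink-p file))
         (null (car attrs))               ; nil = regular file, t = directory
         (eql (nth 2 attrs) (user-uid))   ; owned by the running user
         (string= (file-name-directory (file-truename file))
                  (file-name-as-directory
                   (file-truename my-trusted-cache-dir))))))

(defun my-read-cache-forms (file)
  "Read every top-level form in FILE without evaluating any of it.
Signal an error if FILE is untrusted or holds a form that is not a list
headed by a symbol in `my-allowed-cache-heads'.  Return the forms as data."
  (unless (my-cache-file-trusted-p file)
    (error "Refusing untrusted cache file %s" file))
  (with-temp-buffer
    (insert-file-contents file)
    (goto-char (point-min))
    (let (forms done)
      (while (not done)
        (condition-case nil
            (let ((form (read (current-buffer))))   ; `read' parses, never evaluates
              (unless (and (consp form)
                           (symbolp (car form))
                           (memq (car form) my-allowed-cache-heads))
                (error "Rejected form in %s: %S" file form))
              (push form forms))
          (end-of-file (setq done t))))
      (nreverse forms))))

(defun my-apply-cache-forms (file handler)
  "Read FILE with `my-read-cache-forms' and pass each form's arguments,
still as unevaluated data, to HANDLER.  Nothing from FILE is ever `eval'ed."
  (dolist (form (my-read-cache-forms file))
    (funcall handler (cdr form))))

;; With the report's foo.c.flc, whose only content is
;;   (message "Something to see here!")
;; `my-read-cache-forms' signals "Rejected form ..." because `message' is
;; not an allowed head; and because the file sits in "." rather than in
;; `my-trusted-cache-dir', `my-cache-file-trusted-p' refuses it before any
;; byte of it is parsed.
```

The design choice worth noting is that the allow-list is checked on the parsed form before anything is done with it, and the consumer receives the arguments as plain data through `funcall` on a handler of its own choosing; the ownership and directory checks only reduce exposure, which is exactly the caveat Morten attaches to suggestion (c).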
--- Begin Message ---
Source: emacs22
Source-Version: 22.2+2-3

We believe that the bug you reported is fixed in the latest version of emacs22, which is due to be installed in the Debian FTP archive:

emacs22-bin-common_22.2+2-3_i386.deb
  to pool/main/e/emacs22/emacs22-bin-common_22.2+2-3_i386.deb
emacs22-common_22.2+2-3_all.deb
  to pool/main/e/emacs22/emacs22-common_22.2+2-3_all.deb
emacs22-el_22.2+2-3_all.deb
  to pool/main/e/emacs22/emacs22-el_22.2+2-3_all.deb
emacs22-gtk_22.2+2-3_i386.deb
  to pool/main/e/emacs22/emacs22-gtk_22.2+2-3_i386.deb
emacs22-nox_22.2+2-3_i386.deb
  to pool/main/e/emacs22/emacs22-nox_22.2+2-3_i386.deb
emacs22_22.2+2-3.diff.gz
  to pool/main/e/emacs22/emacs22_22.2+2-3.diff.gz
emacs22_22.2+2-3.dsc
  to pool/main/e/emacs22/emacs22_22.2+2-3.dsc
emacs22_22.2+2-3_i386.deb
  to pool/main/e/emacs22/emacs22_22.2+2-3_i386.deb
emacs_22.2+2-3_all.deb
  to pool/main/e/emacs22/emacs_22.2+2-3_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <[EMAIL PROTECTED]> (supplier of updated emacs22 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 23 Jul 2008 20:56:33 -0700
Source: emacs22
Binary: emacs emacs22 emacs22-nox emacs22-gtk emacs22-bin-common emacs22-common emacs22-el
Architecture: source all i386
Version: 22.2+2-3
Distribution: unstable
Urgency: medium
Maintainer: Rob Browning <[EMAIL PROTECTED]>
Changed-By: Rob Browning <[EMAIL PROTECTED]>
Description:
 emacs      - The GNU Emacs editor (metapackage)
 emacs22    - The GNU Emacs editor
 emacs22-bin-common - The GNU Emacs editor's shared, architecture dependent files
 emacs22-common - The GNU Emacs editor's shared, architecture independent infrastru
 emacs22-el - GNU Emacs LISP (.el) files
 emacs22-gtk - The GNU Emacs editor (with GTK user interface)
 emacs22-nox - The GNU Emacs editor (without X support)
Closes: 476223 478240 480885 488427 490524
Changes:
 emacs22 (22.2+2-3) unstable; urgency=medium
 .
   * Fix an insecurity related to fast-lock-cache-directories (CVE-2008-2142).
     Thanks to Provided-by: Sven Joachim <[EMAIL PROTECTED]> and
     Morten Welinder <[EMAIL PROTECTED]>. (closes: #480885)
 .
   * Don't remove /usr/local/share/emacs/site-lisp in emacs22-common.
     Leave that up to emacsen-common.
     Thanks to Sven Joachim <[EMAIL PROTECTED]>. (closes: #490524)
 .
   * Don't prematurely raise an error when trying to save a non-ASCII buffer
     when select-safe-coding-system-accept-default-p is set to a function.
     Thanks to Jun Inoue <[EMAIL PROTECTED]>. (closes: #488427)
 .
   * Don't look for GNU to find etc/. Look for NEWS instead.
     Thanks to "Bernhard Michler" <[EMAIL PROTECTED]> for the report and
     Sven Joachim <[EMAIL PROTECTED]> for the fix. (closes: #478240)
 .
   * Fix a problem in WoMan which caused it to raise an error for a number
     of manpages.
     Thanks to Sven Joachim <[EMAIL PROTECTED]>. (closes: #476223)
Checksums-Sha1:
 41ca68cb683342cbfbcbde7ea878840297fce23e 1340 emacs22_22.2+2-3.dsc
 de9a1138e3958a4808f1aa3c42fff7628772e6b1 43367 emacs22_22.2+2-3.diff.gz
 7bebebf5df8cc0a20ef4ce9dd1dab481e29a877f 19564 emacs_22.2+2-3_all.deb
 40829ae17750c11f890c253d3c2ffddaac45092c 14626278 emacs22-common_22.2+2-3_all.deb
 9b1bf23b74bb32178681d709134e863c2dcb4762 11356744 emacs22-el_22.2+2-3_all.deb
 7092a628c7f8278f42886f88d89e3deed8886d13 2607986 emacs22_22.2+2-3_i386.deb
 34eead330b41f1ee6315962b0e6f381eb2b8438e 2339314 emacs22-nox_22.2+2-3_i386.deb
 655eeb7f73afc8f55695e74cc2655ccb22f91350 2595826 emacs22-gtk_22.2+2-3_i386.deb
 742ae630c7c43bffa2818bff8b6c71753c917536 164996 emacs22-bin-common_22.2+2-3_i386.deb
Checksums-Sha256:
 0725d6416d08d336c2be489a6d6d449e9aad26a0034b182f7fcaa2c0e363aa58 1340 emacs22_22.2+2-3.dsc
 20be36db9b0537742429e50ab69d19a06f3e38d518eb0b6aedb8abb4ca55f88f 43367 emacs22_22.2+2-3.diff.gz
 52727b53d384248e00f681079804b15428bf0df49854bddcbada2e9bd49c55db 19564 emacs_22.2+2-3_all.deb
 d5da069ac673ca12d578a0366b3dcaeafb39c15863bf1964ed02e556ecf49508 14626278 emacs22-common_22.2+2-3_all.deb
 2756945a068310cb58d797b09708a13e867364c01793d2795998af7e867cfdd1 11356744 emacs22-el_22.2+2-3_all.deb
 90c23367b49f9d08871514d0183bf01340f014e5cb02107bedd6f05333adb1ee 2607986 emacs22_22.2+2-3_i386.deb
 7fe6c24bc387189f8792fef5aa875d786e5ab9c6087afb790545721d26f14e44 2339314 emacs22-nox_22.2+2-3_i386.deb
 ca49f458ba803ac60d675141f11f28edcdd70f38b3619c151de0da16a108cc98 2595826 emacs22-gtk_22.2+2-3_i386.deb
 8519c7cf7115819eb00f303b1f9c8cc738149df302535bda4294cc47e48b1ac1 164996 emacs22-bin-common_22.2+2-3_i386.deb
Files:
 f230c4bc171b82b6ee223fdd419d0bb0 1340 editors optional emacs22_22.2+2-3.dsc
 9a3823b06737a35a8451d1e6586fd7ba 43367 editors optional emacs22_22.2+2-3.diff.gz
 d5f21152b0b334a3f6fe7ba622d7f602 19564 editors optional emacs_22.2+2-3_all.deb
 02893ca251b0822636f6285c6afc13ed 14626278 editors optional emacs22-common_22.2+2-3_all.deb
 f88e07e76ab4a2391a33b73e049a0fab 11356744 editors optional emacs22-el_22.2+2-3_all.deb
 a13c394ba4f1bb41e66dccf60f454ede 2607986 editors optional emacs22_22.2+2-3_i386.deb
 ed79baf2aec9738eb9d3924a38ed64d4 2339314 editors optional emacs22-nox_22.2+2-3_i386.deb
 3e6713bb215d5d681ae3e16fe5e761e4 2595826 editors optional emacs22-gtk_22.2+2-3_i386.deb
 777058a2431bfbb6be062324e8e5363b 164996 editors optional emacs22-bin-common_22.2+2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiJTy0ACgkQJcjTd4x+c6Sr6wCePUDv8473ou8j3wP8mqMifruf
SgQAoIi4LsElswOJQd+Mgj0rvkWnCHtt
=Bq0o
-----END PGP SIGNATURE-----
--- End Message ---