Package: emacs23
Version: 23.2+1-7
Severity: important
Tags: security, fixed-upstream

Paul Ling has found a security flaw in the file-local variables code in GNU Emacs. When the Emacs user option `enable-local-variables' is set to `:safe' (the default value is t), Emacs should automatically refuse to evaluate `eval' forms in file-local variable sections. Due to the bug, Emacs instead automatically evaluates such `eval' forms. Thus, if the user changes the value of `enable-local-variables' to `:safe', visiting a malicious file can cause automatic execution of arbitrary Emacs Lisp code with the permissions of the user.

The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.

More details:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
http://www.openwall.com/lists/oss-security/2012/08/13/1
http://www.openwall.com/lists/oss-security/2012/08/13/2

I haven't manually verified this in Debian packages. Please ask in case you want me to do it.

- Henri Salo

PS: another bug report for emacs24
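As an added example, not part of this bug report and not code from Emacs, the following Python scanner shows the two places Emacs reads file-local variables from (the first-line -*- ... -*- block, and the trailing "Local Variables:" ... "End:" section within the last 3000 characters) and returns every `eval' entry it finds, so a file can be reviewed before it is visited with an affected Emacs. The parser is deliberately simplified (it does not run a Lisp reader on values and only handles the first "Local Variables:" marker it meets), and the sample file contents are constructed.

```python
import re

LOCAL_VARS_MARKER = "Local Variables:"
END_MARKER = "End:"

# Constructed sample input (not a file from the bug report): a buffer that
# carries an `eval' entry both in a first-line -*- ... -*- block and in a
# trailing "Local Variables:" section.  The forms themselves are harmless.
SAMPLE_FILE = """\
;; -*- mode: emacs-lisp; eval: (setq fill-column 70) -*-
(defun hello () (message "hi"))

;; Local Variables:
;; indent-tabs-mode: nil
;; eval: (progn (setq fill-column 72))
;; End:
"""

# Constructed sample with no file-local variable sections at all.
PLAIN_FILE = "(defun hello () (message \"hi\"))\n"


def _split_pairs(spec):
    """Split 'name: value; name: value' into (name, value) tuples.

    Simplification: Emacs reads each value with the Lisp reader, so a value
    containing ';' inside a string would be split here but not by Emacs.
    """
    pairs = []
    for item in spec.split(";"):
        if ":" not in item:
            continue
        name, _, value = item.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def first_line_vars(text):
    """Return (name, value) pairs from a -*- ... -*- block on the first line
    (or on the second line when the first is a #! interpreter line)."""
    lines = text.splitlines()
    if not lines:
        return []
    line = lines[1] if lines[0].startswith("#!") and len(lines) > 1 else lines[0]
    match = re.search(r"-\*-(.*?)-\*-", line)
    if not match:
        return []
    spec = match.group(1)
    if ":" not in spec:
        # "-*- lisp -*-" shorthand names only a major mode.
        return [("mode", spec.strip())]
    return _split_pairs(spec)


def trailing_section_vars(text):
    """Return (name, value) pairs from a "Local Variables:" section.

    Emacs only looks in the last 3000 characters of the file, and the text
    before/after the marker on that line becomes the comment prefix/suffix
    that every following line of the section must carry.
    """
    lines = text[-3000:].splitlines()
    for index, line in enumerate(lines):
        pos = line.find(LOCAL_VARS_MARKER)
        if pos < 0:
            continue
        prefix = line[:pos]
        suffix = line[pos + len(LOCAL_VARS_MARKER):].rstrip()
        pairs = []
        for body in lines[index + 1:]:
            if not body.startswith(prefix):
                break
            inner = body[len(prefix):].rstrip()
            if suffix:
                if not inner.endswith(suffix):
                    break
                inner = inner[:-len(suffix)]
            inner = inner.strip()
            if inner == END_MARKER:
                break
            name, sep, value = inner.partition(":")
            if sep:
                pairs.append((name.strip(), value.strip()))
        return pairs
    return []


def find_eval_forms(text):
    """Return every `eval' value found in the file's local-variable sections."""
    entries = first_line_vars(text) + trailing_section_vars(text)
    return [value for name, value in entries if name == "eval"]


if __name__ == "__main__":
    for label, content in (("sample", SAMPLE_FILE), ("plain", PLAIN_FILE)):
        forms = find_eval_forms(content)
        verdict = "review before visiting" if forms else "no eval forms"
        print(f"{label}: {verdict} {forms}")
```

The scanner flags every `eval' entry regardless of what the form does, which is the conservative choice while running an Emacs where `:safe' does not refuse them; the listed forms are then reviewed by a person rather than evaluated. It reports only what the file declares and never evaluates anything itself.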