Henri Salo <he...@nerv.fi> writes:

> Paul Ling has found a security flaw in the file-local variables code
> in GNU Emacs. When the Emacs user option `enable-local-variables' is
> set to `:safe' (the default value is t), Emacs should automatically
> refuse to evaluate `eval' forms in file-local variable sections. Due
> to the bug, Emacs instead automatically evaluates such `eval' forms.
> Thus, if the user changes the value of `enable-local-variables' to
> `:safe', visiting a malicious file can cause automatic execution of
> arbitrary Emacs Lisp code with the permissions of the user. The bug is
> present in Emacs 23.2, 23.3, 23.4, and 24.1.
>
> More details:
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
> http://www.openwall.com/lists/oss-security/2012/08/13/1
> http://www.openwall.com/lists/oss-security/2012/08/13/2
>
> I haven't manually verified this in Debian packages. Please ask in
> case you want me to do it.

I'll be happy to work on this, but I may not have much time until
Thu/Fri.

Thanks for the help
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
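
Added example, not part of the original messages and not Emacs or Debian code: a Python sketch that flags files carrying `eval` entries in their file-local variables, the forms the quoted advisory says the affected versions evaluate under `:safe`. The parsing is a simplified approximation of how Emacs locates these entries (first-line `-*- ... -*-` cookie and the "Local Variables:" list in the last 3000 characters); all function names and sample inputs are constructed for illustration.

```python
import re

TAIL_CHARS = 3000  # Emacs reads the list from the last 3000 characters
MARKER = "local variables:"
PROP_LINE = re.compile(r"-\*-(.*?)-\*-")

def prop_line_entries(text):
    """Yield (name, value) from a first-line '-*- name: value; ... -*-' cookie."""
    match = PROP_LINE.search(text.split("\n", 1)[0])
    for part in (match.group(1).split(";") if match else []):
        name, sep, value = part.partition(":")
        if sep:  # a bare mode name such as '-*- lisp -*-' has no colon
            yield name.strip().lower(), value.strip()

def tail_block_entries(text):
    """Yield (name, value) from the trailing 'Local Variables:' ... 'End:' list."""
    lines = text[-TAIL_CHARS:].split("\n")
    for i, line in enumerate(lines):
        pos = line.lower().find(MARKER)
        if pos >= 0:
            break
    else:
        return  # no list in the tail of the file
    # Text around the marker is the comment prefix/suffix repeated on each entry.
    prefix = line[:pos].strip()
    suffix = line[pos + len(MARKER):].strip()
    for entry in lines[i + 1:]:
        body = entry.strip()
        if prefix and body.startswith(prefix):
            body = body[len(prefix):]
        if suffix and body.endswith(suffix):
            body = body[:-len(suffix)]
        name, sep, value = body.strip().partition(":")
        if not sep or name.strip().lower() == "end":
            return
        yield name.strip().lower(), value.strip()

def find_eval_entries(text):
    """Return [(location, form)] for every file-local `eval` entry."""
    hits = [("prop-line", v) for n, v in prop_line_entries(text) if n == "eval"]
    hits += [("local-variables", v) for n, v in tail_block_entries(text) if n == "eval"]
    return hits

# Constructed sample inputs (not taken from any real file).
SAMPLE_TAIL = ';; demo\n;; Local Variables:\n;; eval: (message "constructed")\n;; fill-column: 72\n;; End:\n'
SAMPLE_COOKIE = "# -*- mode: python; eval: (ignore) -*-\nprint('x')\n"
SAMPLE_CLEAN = "/* Local Variables: */\n/* fill-column: 80 */\n/* End: */\n"

if __name__ == "__main__":
    for label, sample in [("tail", SAMPLE_TAIL), ("cookie", SAMPLE_COOKIE), ("clean", SAMPLE_CLEAN)]:
        print(label, find_eval_entries(sample))
```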