Package: emacs22-common Version: 22.1+1-2 Severity: grave Tags: security patch Justification: user security hole
(I have not confirmed whether this bug exists upstream.) In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables' function does not behave correctly when `enable-local-variables' is set to :safe. The documentation of `enable-local-variables' states that the value :safe means to set only safe variables, as determined by `safe-local-variable-p' and `risky-local-variable-p' (and the data driving them), but Emacs ignores this and instead sets all the local variables. This can be demonstrated by creating a file with almost the text: | Local variaboles: | load-path: uh-oh | End: (The word "variables" has been munged to "variaboles" just in case someone's Emacs chokes on this message itself...) Visit this file with `enable-local-variables' set to :safe. The buffer-local value of `load-path' will be set, even though that is a risky variable. The source of this bug: `hack-local-variables' makes lists of `risky-vars' and `unsafe-vars' to strip out when in :safe mode, as (variable . value) conses. It then avoids setting variables where the name of the variable is `eq' to the cons. Probably someone changed the format of the function-local list variables and then forgot to update all the places they were referenced. A small patch to fix this (which should also be attached to this message, for convenience) simply updates the code branch corresponding to :safe mode to search the lists correctly: --- lisp/files.el.old 2007-11-02 04:23:58.000000000 -0500 +++ lisp/files.el 2007-11-02 04:26:51.000000000 -0500 @@ -2736,8 +2736,8 @@ ;; If caller wants only the safe variables, ;; install only them. (dolist (elt result) - (unless (or (memq (car elt) unsafe-vars) - (memq (car elt) risky-vars)) + (unless (or (member elt unsafe-vars) + (member elt risky-vars)) (hack-one-local-variable (car elt) (cdr elt)))) ;; Query, except in the case where all are known safe ;; if the user wants no quuery in that case. Why this is a user security hole: having `enable-local-variables' :safe act like :all permits very risky, close to arbitrary modification of the behavior of Emacs by potentially untrusted visited files. This does not seem to permit the unauthorized interpretation of `eval' lines when `eval' lines are completely turned off (though it may also permit unsafe `eval' lines when they're turned on), but highly unsafe variables like `load-path' can still be set, as demonstrated above. ---> Drake Wilson -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.22.2 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages emacs22-common depends on: ii dpkg 1.14.7 package maintenance system for Deb ii emacsen-common 1.4.17 Common facilities for all emacsen emacs22-common recommends no packages. -- no debconf information
--- lisp/files.el.old 2007-11-02 04:23:58.000000000 -0500 +++ lisp/files.el 2007-11-02 04:26:51.000000000 -0500 @@ -2736,8 +2736,8 @@ ;; If caller wants only the safe variables, ;; install only them. (dolist (elt result) - (unless (or (memq (car elt) unsafe-vars) - (memq (car elt) risky-vars)) + (unless (or (member elt unsafe-vars) + (member elt risky-vars)) (hack-one-local-variable (car elt) (cdr elt)))) ;; Query, except in the case where all are known safe ;; if the user wants no quuery in that case.