Drake Wilson wrote:
> Package: emacs22-common
> Version: 22.1+1-2
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> (I have not confirmed whether this bug exists upstream.)
>
> In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
> function does not behave correctly when `enable-local-variables' is
> set to :safe. The documentation of `enable-local-variables' states
> that the value :safe means to set only safe variables, as determined
> by `safe-local-variable-p' and `risky-local-variable-p' (and the data
> driving them), but Emacs ignores this and instead sets all the local
> variables.
>
> This can be demonstrated by creating a file with almost the text:
>
> | Local variaboles:
> | load-path: uh-oh
> | End:

JFTR, emacs21 from Debian Etch is not affected, it correctly prints an
"Ignoring risky spec in the local variables list" warning.

Cheers,
        Moritz
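
A way to check a given Emacs build for the behaviour reported above, as an added example that is not part of the original messages or of Emacs itself. The function name `my-check-safe-local-variables` is hypothetical, and the use of `fill-column` as the safe counterpart to the risky `load-path` is an assumption of this example.

```elisp
;; Added example; `my-check-safe-local-variables' is a hypothetical name.
(defun my-check-safe-local-variables ()
  "Return `ok' if `enable-local-variables' set to :safe is honored.
Return `affected' if a risky variable was set anyway, or
`no-locals-applied' if not even the safe variable was set."
  (let ((enable-local-variables :safe))
    (with-temp-buffer
      ;; Constructed sample: one risky variable and one safe variable.
      ;; The header is split with `concat' so that this source file
      ;; does not itself contain a parseable local variables list.
      (insert "\n"
              ";; " (concat "Local " "Variables:") "\n"
              ";; load-path: uh-oh\n"
              ";; fill-column: 72\n"
              ";; End:\n")
      (hack-local-variables)
      (cond
       ;; Under :safe the risky `load-path' must not become buffer-local.
       ((local-variable-p 'load-path) 'affected)
       ;; `fill-column' with an integer value is safe and should be set.
       ((eq fill-column 72) 'ok)
       (t 'no-locals-applied)))))

;; Print the result; usable with `emacs --batch -l THIS-FILE'.
(message "enable-local-variables :safe check: %s"
         (my-check-safe-local-variables))
```

A result of `affected` corresponds to the report for emacs22-common 22.1+1-2; `ok` corresponds to the behaviour described for emacs21 in the reply.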