Your message dated Sat, 03 Nov 2007 10:17:08 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#449008: fixed in emacs22 22.1+1-2.1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: emacs22-common
Version: 22.1+1-2
Severity: grave
Tags: security patch
Justification: user security hole

(I have not confirmed whether this bug exists upstream.)

In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables' function does not behave correctly when `enable-local-variables' is set to :safe. The documentation of `enable-local-variables' states that the value :safe means to set only safe variables, as determined by `safe-local-variable-p' and `risky-local-variable-p' (and the data driving them), but Emacs ignores this and instead sets all the local variables.

This can be demonstrated by creating a file with almost the text:

| Local variaboles:
| load-path: uh-oh
| End:

(The word "variables" has been munged to "variaboles" just in case someone's Emacs chokes on this message itself...)

Visit this file with `enable-local-variables' set to :safe. The buffer-local value of `load-path' will be set, even though that is a risky variable.

The source of this bug: `hack-local-variables' makes lists of `risky-vars' and `unsafe-vars' to strip out when in :safe mode, as (variable . value) conses. It then avoids setting variables where the name of the variable is `eq' to the cons. Probably someone changed the format of the function-local list variables and then forgot to update all the places they were referenced.

A small patch to fix this (which should also be attached to this message, for convenience) simply updates the code branch corresponding to :safe mode to search the lists correctly:

--- lisp/files.el.old 2007-11-02 04:23:58.000000000 -0500 +++ lisp/files.el 2007-11-02 04:26:51.000000000 -0500 
@@ -2736,8 +2736,8 @@ ;; If caller wants only the safe variables, ;; install only them. (dolist (elt result) - (unless (or (memq (car elt) unsafe-vars) - (memq (car elt) risky-vars)) + (unless (or (member elt unsafe-vars) + (member elt risky-vars)) (hack-one-local-variable (car elt) (cdr elt)))) ;; Query, except in the case where all are known safe ;; if the user wants no quuery in that case.

Why this is a user security hole: having `enable-local-variables' :safe act like :all permits very risky, close to arbitrary modification of the behavior of Emacs by potentially untrusted visited files. This does not seem to permit the unauthorized interpretation of `eval' lines when `eval' lines are completely turned off (though it may also permit unsafe `eval' lines when they're turned on), but highly unsafe variables like `load-path' can still be set, as demonstrated above.

---> Drake Wilson

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22.2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages emacs22-common depends on:
ii dpkg 1.14.7 package maintenance system for Deb
ii emacsen-common 1.4.17 Common facilities for all emacsen

emacs22-common recommends no packages.

-- no debconf information

--- lisp/files.el.old 2007-11-02 04:23:58.000000000 -0500 +++ lisp/files.el 2007-11-02 04:26:51.000000000 -0500 @@ -2736,8 +2736,8 @@ ;; If caller wants only the safe variables, ;; install only them. (dolist (elt result) - (unless (or (memq (car elt) unsafe-vars) - (memq (car elt) risky-vars)) + (unless (or (member elt unsafe-vars) + (member elt risky-vars)) (hack-one-local-variable (car elt) (cdr elt)))) ;; Query, except in the case where all are known safe ;; if the user wants no quuery in that case.
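Review bot: the two `+` lines make the :safe filter depend on `unsafe-vars` and `risky-vars` holding whole (variable . value) conses in the same shape as the elements of `result`, and nothing in the hunk records that assumption. `(member elt unsafe-vars)` compares each pair with `equal`, so if the element format of those lists changes again the test will quietly stop matching and every variable will be installed, which is the failure the report attributes to the `memq (car elt)` form. A one-line comment above the `unless` stating the expected element format would guard against that, and the patch would be stronger with a regression test: the `load-path: uh-oh` file from the report, visited with `enable-local-variables` set to :safe, should leave `load-path` without a buffer-local value.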
--- End Message ---
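The reproduction described in the report above, written as a check that can be evaluated in an Emacs session to see whether its :safe mode still installs risky variables. This is an added example, not part of the original messages or of Emacs; the function name `my-safe-mode-sets-risky-local-p` and the temporary file are assumptions.

```elisp
;; Added check (hypothetical helper, not from the bug report or Emacs).
;; Visits a throwaway file whose local-variables section sets the risky
;; variable `load-path', with `enable-local-variables' bound to :safe,
;; and reports whether the value was installed anyway.
(defun my-safe-mode-sets-risky-local-p ()
  "Return non-nil if :safe mode set `load-path' from a visited file."
  (let ((file (make-temp-file "local-vars-check"))
        (enable-local-variables :safe)   ; the mode under test
        buf)
    (unwind-protect
        (progn
          (with-temp-file file
            ;; The marker is split across two strings so that this
            ;; snippet is not itself read as a local-variables section.
            (insert "constructed test file\n\n"
                    (concat "Local Vari" "ables:\n")
                    "load-path: uh-oh\n"
                    "End:\n"))
          ;; Visiting the file runs `hack-local-variables'.
          (setq buf (find-file-noselect file))
          (with-current-buffer buf
            ;; Affected: `load-path' is buffer-local and holds the
            ;; symbol from the file.  Fixed: it is left untouched.
            (and (local-variable-p 'load-path)
                 (eq load-path 'uh-oh))))
      ;; Clean up the buffer and the file whatever the outcome.
      (when (buffer-live-p buf)
        (kill-buffer buf))
      (delete-file file))))
```

A non-nil result means the risky variable was set under :safe, as the report describes; nil means the filter dropped it.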
--- Begin Message ---
Source: emacs22
Source-Version: 22.1+1-2.1

We believe that the bug you reported is fixed in the latest version of emacs22, which is due to be installed in the Debian FTP archive:

emacs22-bin-common_22.1+1-2.1_i386.deb
  to pool/main/e/emacs22/emacs22-bin-common_22.1+1-2.1_i386.deb
emacs22-common_22.1+1-2.1_all.deb
  to pool/main/e/emacs22/emacs22-common_22.1+1-2.1_all.deb
emacs22-el_22.1+1-2.1_all.deb
  to pool/main/e/emacs22/emacs22-el_22.1+1-2.1_all.deb
emacs22-gtk_22.1+1-2.1_i386.deb
  to pool/main/e/emacs22/emacs22-gtk_22.1+1-2.1_i386.deb
emacs22-nox_22.1+1-2.1_i386.deb
  to pool/main/e/emacs22/emacs22-nox_22.1+1-2.1_i386.deb
emacs22_22.1+1-2.1.diff.gz
  to pool/main/e/emacs22/emacs22_22.1+1-2.1.diff.gz
emacs22_22.1+1-2.1.dsc
  to pool/main/e/emacs22/emacs22_22.1+1-2.1.dsc
emacs22_22.1+1-2.1_i386.deb
  to pool/main/e/emacs22/emacs22_22.1+1-2.1_i386.deb
emacs_22.1+1-2.1_all.deb
  to pool/main/e/emacs22/emacs_22.1+1-2.1_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Francoise <[EMAIL PROTECTED]> (supplier of updated emacs22 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sat, 03 Nov 2007 09:31:51 +0100
Source: emacs22
Binary: emacs22-el emacs22-gtk emacs22-bin-common emacs22-nox emacs22 emacs22-common emacs
Architecture: source all i386
Version: 22.1+1-2.1
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <[EMAIL PROTECTED]>
Changed-By: Romain Francoise <[EMAIL PROTECTED]>
Description:
 emacs - The GNU Emacs editor (metapackage)
 emacs22 - The GNU Emacs editor
 emacs22-bin-common - The GNU Emacs editor's shared, architecture dependent files
 emacs22-common - The GNU Emacs editor's shared, architecture independent infrastru
 emacs22-el - GNU Emacs LISP (.el) files
 emacs22-gtk - The GNU Emacs editor (with GTK user interface)
 emacs22-nox - The GNU Emacs editor (without X support)
Closes: 449008
Changes:
 emacs22 (22.1+1-2.1) unstable; urgency=high
 .
 * NMU
 * Incorporate patch from Drake Wilson <[EMAIL PROTECTED]> fixing a vulnerability in the handling of file local variables (CVE-2007-5795) (closes: #449008).
--- End Message ---

