The lists.gnu.org link which is in the CVE doesn't work for me right now, but http://old.nabble.com/Emacs-22.3-released-td19335279.html appears to be the same thread. This states that Emacs 22.3 fixed this problem, and hence the patch only seems to be necessary for Emacs 22.2 and older.
Perhaps Ubuntu should update emacs22 to version 22.3 instead? (Currently 22.2 is still everywhere, except Hardy which has the even older 22.1, although 22.3 was released in September 2008. Debian has a similar situation, but Ubuntu's emacs22 is not built from Debian sources.)
Why does the patch still need work? It seems to have been fine for upstream Emacs, Suse, Red Hat, and a bunch of others. Current emacs23 still has the same fix: http://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/progmodes/python.el#n1554 (sorry, could not link to the official bzr repo at this time).
--
CVE-2008-3949: python execution from current directory
https://bugs.launchpad.net/bugs/274514
