Your message dated Thu, 19 Mar 2009 21:38:54 +0100
with message-id <[email protected]>
and subject line Fixed in xemacs21-packages 2009.02.17-1
has caused the Debian Bug report #480886,
regarding xemacs21: arbitrary code execution in fast-lock-mode
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
480886: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480886
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: emacs21
Version: 21.4a+1-5.4
Severity: important
Tags: security
The following message was forwarded to the emacs-devel mailing list, see
[1]. It is currently still under discussion there.
------- Start of forwarded message -------
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham
version=3.1.0
Date: Fri, 9 May 2008 12:45:25 -0400
From: "Morten Welinder" <[email protected]>
To: [email protected]
Subject: Emacs security bug
Hi there,
it's been a while or two -- DJGPP was hot, new technology when we last
spoke, :-)
It's unclear to me where to send Emacs security concerns, so I am sending
this one to you. Please forward appropriately.
1. Create .emacs with contents
(global-font-lock-mode t)
(seq font-lock-support-mode 'fast-lock-mode)
2. Create foo.c with contents /* Nothing to see here */
3. Create foo.c.flc with contents (message "Something to see here!")
4. Start Emacs and load foo.c
- --> Observe that code from foo.c.flc is run. Not good.
(This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to
be adjusted.)
Suggestions:
a. Remove "." from fast-lock-cache-directories. Littering little
files everywhere
is not a good idea anyway.
b. Don't use load to handle the .flc file. Instead read it into a
buffer and read
one s-expression at a time and verify that it is sane before evaluating it.
c. Don't use files owned by anyone else. This cannot stand alone, though, as
it has a race condition.
Morten Welinder
------- End of forwarded message -------
Since fast-lock-mode is not the default font-lock-support-mode and
probably few people use it, I set the severity to important rather than
grave. Nevertheless it should be fixed in one of the ways Morten
outlined.
[1] http://lists.gnu.org/archive/html/emacs-devel/2008-05/msg00645.html
--- End Message ---
--- Begin Message ---
Package: xemacs21-packages
Version: 2009.02.17-1
This bug has been fixed in edit-utils 2.40 which is included in this
version.
Closing the bug,
Sven
--- End Message ---
