Your message dated Sun, 09 Sep 2012 18:48:17 +0000
with message-id <[email protected]>
and subject line Bug#684695: fixed in emacs24 24.2+1-1
has caused the Debian Bug report #684695,
regarding emacs23: CVE-2012-3479: GNU Emacs file-local variables
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
684695: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684695
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: emacs23
Version: 23.2+1-7
Severity: important
Tags: security, fixed-upstream
Paul Ling has found a security flaw in the file-local variables code in GNU
Emacs. When the Emacs user option `enable-local-variables' is set to `:safe'
(the default value is t), Emacs should automatically refuse to evaluate `eval'
forms in file-local variable sections. Due to the bug, Emacs instead
automatically evaluates such `eval' forms. Thus, if the user changes the value
of `enable-local-variables' to `:safe', visiting a malicious file can cause
automatic execution of arbitrary Emacs Lisp code with the permissions of the
user. The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.
More details:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
http://www.openwall.com/lists/oss-security/2012/08/13/1
http://www.openwall.com/lists/oss-security/2012/08/13/2
I haven't manually verified this in Debian packages. Please ask in case you
want me to do it.
- Henri Salo
ps. another bug-report for emacs24
--- End Message ---
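The report above describes the control that failed: with `enable-local-variables' set to `:safe', Emacs must refuse `eval' entries in file-local variable sections. As an added example (not part of Henri Salo's report, and not Emacs or Debian code), the following Python audit parses the two documented places Emacs reads file-local variables from, the first-line `-*- ... -*-' property line and the trailing `Local Variables:' block, and separates ordinary settings from `eval' forms, so a defender can find files that would exercise this code path without opening them in Emacs. The sample files are constructed for the example; the parser follows only the format described in the Emacs manual and does not try to evaluate anything.

```python
"""Audit text files for Emacs file-local variable sections carrying `eval'
forms.  Added example for this bug thread; it is not Emacs code and not part
of the report.  It implements the two documented places Emacs reads
file-local variables from: the first-line `-*- ... -*-' property line (or
the second line when the first is a `#!' interpreter line), and a trailing
`Local Variables:` ... `End:` block whose entry lines carry the same prefix
and suffix as the `Local Variables:` line itself.
"""
import re
from typing import Dict, List, Tuple

# Emacs looks for the trailing block only within the last 3000 characters.
LOCAL_VARS_TAIL_CHARS = 3000

PROP_LINE_RE = re.compile(r"-\*-(.*?)-\*-")
LV_HEADER_RE = re.compile(r"^(?P<prefix>.*?)Local Variables:(?P<suffix>.*)$")

Pair = Tuple[str, str]


def parse_prop_line(text: str) -> List[Pair]:
    """Return (name, value) pairs from a `-*- var: value; ... -*-' line."""
    lines = text.split("\n", 2)
    # A `#!' first line pushes the property line down to the second line.
    candidate = lines[1] if lines[0].startswith("#!") and len(lines) > 1 else lines[0]
    m = PROP_LINE_RE.search(candidate)
    if not m or ":" not in m.group(1):
        return []  # absent, or a bare mode name such as `-*- lisp -*-'
    pairs: List[Pair] = []
    # Entries are `;'-separated; a value containing `;' is not handled here.
    for item in m.group(1).split(";"):
        name, sep, value = item.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def parse_local_variables_block(text: str) -> List[Pair]:
    """Return (name, value) pairs from a trailing `Local Variables:' block."""
    lines = text[-LOCAL_VARS_TAIL_CHARS:].split("\n")
    for idx, line in enumerate(lines):
        m = LV_HEADER_RE.match(line)
        if m:
            break
    else:
        return []
    prefix, suffix = m.group("prefix"), m.group("suffix")
    pairs: List[Pair] = []
    for line in lines[idx + 1:]:
        # Every entry must repeat the header's prefix and suffix; Emacs
        # stops reading the block at the first line that does not.
        if not (line.startswith(prefix) and line.endswith(suffix)):
            break
        entry = line[len(prefix):len(line) - len(suffix)].strip()
        if entry == "End:":
            break
        name, sep, value = entry.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def audit(text: str) -> Dict[str, List[str]]:
    """Separate ordinary file-local settings from `eval' forms.  With
    `enable-local-variables' set to :safe, Emacs must refuse the latter;
    CVE-2012-3479 was that refusal failing."""
    entries = parse_prop_line(text) + parse_local_variables_block(text)
    return {
        "variables": [name for name, _ in entries if name != "eval"],
        "eval_forms": [value for name, value in entries if name == "eval"],
    }


# Constructed sample: a file that only sets harmless variables.
SAMPLE_BENIGN = """\
;;; foo.el --- example  -*- lexical-binding: t; -*-
(defun foo () 1)
;; Local Variables:
;; indent-tabs-mode: nil
;; fill-column: 70
;; End:
"""

# Constructed sample: a trailing block carrying an `eval' entry.  The form
# is inert; the point is only that a :safe setting must not run it.
SAMPLE_EVAL = """\
# notes.txt
Some text.

# Local Variables:
# mode: text
# eval: (message "hello from a local variable")
# End:
"""

# Constructed sample: interpreter line first, property line second.
SAMPLE_SCRIPT = """\
#!/bin/sh
# -*- mode: sh; eval: (setq tab-width 4) -*-
echo hi
"""

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("eval", SAMPLE_EVAL),
                          ("script", SAMPLE_SCRIPT)]:
        print(label, audit(sample))
```

Run over a source tree, the `eval_forms` list is the inventory worth reviewing: those are the only entries whose handling depends on the `enable-local-variables' setting rather than on the per-variable `safe-local-variable' checks.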
--- Begin Message ---
Source: emacs24
Source-Version: 24.2+1-1
We believe that the bug you reported is fixed in the latest version of
emacs24, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rob Browning <[email protected]> (supplier of updated emacs24 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 09 Sep 2012 12:03:31 -0500
Source: emacs24
Binary: emacs24-lucid emacs24-nox emacs24 emacs24-bin-common emacs24-common emacs24-el
Architecture: source amd64 all
Version: 24.2+1-1
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <[email protected]>
Changed-By: Rob Browning <[email protected]>
Description:
emacs24 - GNU Emacs editor (with GTK+ user interface)
emacs24-bin-common - GNU Emacs editor's shared, architecture dependent files
emacs24-common - GNU Emacs editor's shared, architecture independent
infrastructur
emacs24-el - GNU Emacs LISP (.el) files
emacs24-lucid - GNU Emacs editor
emacs24-nox - GNU Emacs editor (without X support)
Closes: 684695
Changes:
emacs24 (24.2+1-1) unstable; urgency=high
.
* Upgrade to upstream version 24.2 and update debian/patches.
.
* Remove patches that have been incorporated upstream:
0010-Rename-infodir-to-buildinfodir-in-doc-Makefile.in-GN.patch
.
* Stop producing the emacs binary metapackage.
Move the emacs binary metapackage to its own source package
(emacs-defaults, cf. gcc-defaults). This will prevent emacs23 and
emacs24 from producing the same binary package.
.
* Don't eval code when enable-local-variables is :safe. Previously,
Emacs might eval forms in file-local variable sections even when
the Emacs user option `enable-local-variables' was set to :safe
(CVE-2012-3479). Emacs 24.2 fixes the problem. Thanks to Henri
Salo <[email protected]> for the report. (Closes: #684695)
.
* Have debian/% depend on debian/rules since it now sets the
upstream_ver.
.
* Update debian/rules upstream_ver to 24.2 and run "debian/rules
debian-sync".
Checksums-Sha1:
f64a45a64d7f506aa19da5953d78ca99b1536acb 1854 emacs24_24.2+1-1.dsc
53d6d4e2cd589b588149a5cc48db11c518ccb98f 25179812 emacs24_24.2+1.orig.tar.bz2
e6d4e81b0d809d13ef5eb6c7a08b7638f75fc273 47948 emacs24_24.2+1-1.debian.tar.gz
89da3af4e68afbc4b4bedc3cfab56d1451066c86 3999156 emacs24-lucid_24.2+1-1_amd64.deb
39ca2551536d882148ad961ed10928436f437288 3632980 emacs24-nox_24.2+1-1_amd64.deb
de6720ca8c67486e18ef5238a96238eeae2dff3c 3988788 emacs24_24.2+1-1_amd64.deb
dd6338a39b1a0e053c05ce07de082e8f387c4a5d 289612 emacs24-bin-common_24.2+1-1_amd64.deb
03a77b854b599f5e86bddd58938b58b9e044b6fc 19925706 emacs24-common_24.2+1-1_all.deb
bc6593125833aef8862b637140d95b9eded75494 14523636 emacs24-el_24.2+1-1_all.deb
Checksums-Sha256:
984ce7ecf92cdd408d38559209a78cab3e16b72d6d293bc3bfc399ca8e2354c5 1854 emacs24_24.2+1-1.dsc
14c44525af5d14bf62425b6f6161adfbbc56df7bf6152d6eaff3a3726d0b096f 25179812 emacs24_24.2+1.orig.tar.bz2
6d60aa1558b06a3699ad35366dd3165a7506fb0275ceb09f3ef9f9f9eca2b9e2 47948 emacs24_24.2+1-1.debian.tar.gz
7db763ac3a04e573984f0dab6612586fb3fd3424ba4d36abc2842817e932e6d5 3999156 emacs24-lucid_24.2+1-1_amd64.deb
cd2a223f2627b9bb1bafdd42cbb217ec83eba9e1205758bb6800ccc5d572daaa 3632980 emacs24-nox_24.2+1-1_amd64.deb
8e696be565e5ee9a5c970ec080ed565eea7ea3a93f2094237755cb42b3f42b95 3988788 emacs24_24.2+1-1_amd64.deb
cdf69c6e3e7b89075c97f8982a3a3496499b78735f36f80a15e49e7ece328c0d 289612 emacs24-bin-common_24.2+1-1_amd64.deb
72f51c8eb9e944b2f92914e950a628d2045e231b6766a03327aad3d657443d34 19925706 emacs24-common_24.2+1-1_all.deb
ef2560432f551ecd40fd7594c421f423fbffa79acc4c563cb23a0e2248aa5db8 14523636 emacs24-el_24.2+1-1_all.deb
Files:
749d380bfb2d58c73434bd5a2e14b344 1854 editors optional emacs24_24.2+1-1.dsc
494f0bc0cdbe632708c9f783e591d35e 25179812 editors optional emacs24_24.2+1.orig.tar.bz2
b196441e5be797e95f3baeda2c441727 47948 editors optional emacs24_24.2+1-1.debian.tar.gz
2fe6291a70a24d9840460ddaea63b3d9 3999156 editors optional emacs24-lucid_24.2+1-1_amd64.deb
30b6015ac64c6faf67fbf332c52ed025 3632980 editors optional emacs24-nox_24.2+1-1_amd64.deb
78a55c92c4ec8659cc20e19fb33bd596 3988788 editors optional emacs24_24.2+1-1_amd64.deb
1baf29e663b6fc86b89105bfd83caeaa 289612 editors optional emacs24-bin-common_24.2+1-1_amd64.deb
e35f708397d389d13de342a6741d8116 19925706 editors optional emacs24-common_24.2+1-1_all.deb
178df0817a4b5a1c331f8d414fbf73b7 14523636 editors optional emacs24-el_24.2+1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlBM178ACgkQJcjTd4x+c6TnaQCg8idIgipGafO06LbcZLgWAni1
UqkAn3Pmpw9LZ5EtEvp57LOO/MoN2Ib0
=RsAu
-----END PGP SIGNATURE-----
--- End Message ---