Your message dated Sun, 09 Sep 2012 19:03:00 +0000
with message-id <[email protected]>
and subject line Bug#684695: fixed in emacs23 23.4+1-4
has caused the Debian Bug report #684695,
regarding emacs23: CVE-2012-3479: GNU Emacs file-local variables
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
684695: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684695
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: emacs23
Version: 23.2+1-7
Severity: important
Tags: security, fixed-upstream
Paul Ling has found a security flaw in the file-local variables code in GNU
Emacs. When the Emacs user option `enable-local-variables' is set to `:safe'
(the default value is t), Emacs should automatically refuse to evaluate `eval'
forms in file-local variable sections. Due to the bug, Emacs instead
automatically evaluates such `eval' forms. Thus, if the user changes the value
of `enable-local-variables' to `:safe', visiting a malicious file can cause
automatic execution of arbitrary Emacs Lisp code with the permissions of the
user. The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.
More details:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
http://www.openwall.com/lists/oss-security/2012/08/13/1
http://www.openwall.com/lists/oss-security/2012/08/13/2
I haven't manually verified this in Debian packages. Please ask in case you
want me to do it.
- Henri Salo
ps. another bug-report for emacs24
--- End Message ---
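A defender-side check for the mechanism the report describes, added here as an example (it is not part of the bug report, of the Debian package, or of Emacs itself): it parses the two places Emacs reads file-local variables from, the `-*- ... -*-' line and the trailing `Local Variables:' block, and lists every `eval' entry, which is what a scan of files from an untrusted source would want to flag independently of how `enable-local-variables' is set. The sample file is constructed.

```python
import re

# Constructed sample: both file-local variable sections Emacs reads, each with an `eval' entry.
SAMPLE = """# -*- mode: python; eval: (message "hello"); -*-
# Local Variables:
# mode: python
# eval: (setq indent-tabs-mode nil)
# End:
"""

def first_line_locals(text):
    # The `-*- ... -*-' spec sits on line 1, or on line 2 after a `#!' interpreter line.
    lines = text.splitlines()
    head = lines[1] if len(lines) > 1 and lines[0].startswith("#!") else (lines[0] if lines else "")
    m = re.search(r"-\*-\s*(.*?)\s*-\*-", head)
    if not m:
        return []
    spec = m.group(1)
    if ":" not in spec:                   # `-*- lisp -*-' shorthand names only the mode
        return [("mode", spec)]
    # Simplification: Emacs reads each value with the Lisp reader, so a `;' inside a string does not split there.
    pairs = [item.partition(":") for item in spec.split(";")]
    return [(n.strip(), v.strip()) for n, sep, v in pairs if sep and n.strip()]

def trailing_locals(text):
    # `Local Variables:' ... `End:' block within the last 3000 characters; every
    # entry must carry the same prefix and suffix as the header line.
    tail = text[-3000:]
    idx = tail.rfind("Local Variables:")
    if idx < 0:
        return []
    line_start = tail.rfind("\n", 0, idx) + 1
    line_end = (tail + "\n").find("\n", idx)
    prefix, suffix = tail[line_start:idx], tail[idx + len("Local Variables:"):line_end]
    pairs = []
    for line in tail[line_end + 1:].splitlines():
        if not (line.startswith(prefix) and line.endswith(suffix)):
            break                         # malformed entry: stop, as Emacs does
        body = line[len(prefix):len(line) - len(suffix)].strip()
        if body == "End:":
            break
        name, sep, value = body.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def find_eval_forms(text):
    # Every `eval' form in either section: Emacs runs these as Lisp on visiting the file, so a scan flags them all.
    return [v for n, v in first_line_locals(text) + trailing_locals(text) if n == "eval"]
```

A non-empty result from `find_eval_forms` on a file you did not write is the case the `:safe' setting was meant to refuse; on the affected versions it would have been evaluated anyway.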
--- Begin Message ---
Source: emacs23
Source-Version: 23.4+1-4
We believe that the bug you reported is fixed in the latest version of
emacs23, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rob Browning <[email protected]> (supplier of updated emacs23 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 08 Sep 2012 14:59:52 -0500
Source: emacs23
Binary: emacs23-lucid emacs23-nox emacs23 emacs23-bin-common emacs23-common emacs23-el
Architecture: source amd64 all
Version: 23.4+1-4
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <[email protected]>
Changed-By: Rob Browning <[email protected]>
Description:
emacs23 - The GNU Emacs editor (with GTK+ user interface)
emacs23-bin-common - The GNU Emacs editor's shared, architecture dependent files
emacs23-common - The GNU Emacs editor's shared, architecture independent infrastru
emacs23-el - GNU Emacs LISP (.el) files
emacs23-lucid - The GNU Emacs editor
emacs23-nox - The GNU Emacs editor (without X support)
Closes: 684695
Changes:
emacs23 (23.4+1-4) unstable; urgency=high
.
* Add 0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch.
Don't eval code when enable-local-variables is :safe. Previously,
Emacs might eval forms in file-local variable sections even when
the Emacs user option `enable-local-variables' was set to :safe
(CVE-2012-3479). Please see the patch for additional details.
Thanks to Henri Salo <[email protected]> for the report.
(Closes: #684695)
.
* Stop producing the emacs binary metapackage. Move the emacs
binary metapackage to its own source package (emacs-defaults,
cf. gcc-defaults). This will prevent emacs23 and emacs24 from
producing the same binary package.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---