Your message dated Sat, 12 Jan 2013 15:47:07 +0000
with message-id <[email protected]>
and subject line Bug#684695: fixed in emacs23 23.2+1-7+squeeze1
has caused the Debian Bug report #684695,
regarding emacs23: CVE-2012-3479: GNU Emacs file-local variables
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
684695: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684695
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: emacs23
Version: 23.2+1-7
Severity: important
Tags: security, fixed-upstream
Paul Ling has found a security flaw in the file-local variables code in GNU
Emacs. When the Emacs user option `enable-local-variables' is set to `:safe'
(the default value is t), Emacs should automatically refuse to evaluate `eval'
forms in file-local variable sections. Due to the bug, Emacs instead
automatically evaluates such `eval' forms. Thus, if the user changes the value
of `enable-local-variables' to `:safe', visiting a malicious file can cause
automatic execution of arbitrary Emacs Lisp code with the permissions of the
user. The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.
More details:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
http://www.openwall.com/lists/oss-security/2012/08/13/1
http://www.openwall.com/lists/oss-security/2012/08/13/2
I haven't manually verified this in Debian packages. Please ask in case you
want me to do it.
- Henri Salo
ps. another bug-report for emacs24
--- End Message ---
--- Begin Message ---
Source: emacs23
Source-Version: 23.2+1-7+squeeze1
We believe that the bug you reported is fixed in the latest version of
emacs23, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rob Browning <[email protected]> (supplier of updated emacs23 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 24 Aug 2012 12:34:17 -0500
Source: emacs23
Binary: emacs emacs23-lucid emacs23-nox emacs23 emacs23-bin-common
emacs23-common emacs23-el
Architecture: source all amd64
Version: 23.2+1-7+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Rob Browning <[email protected]>
Changed-By: Rob Browning <[email protected]>
Description:
emacs - The GNU Emacs editor (metapackage)
emacs23 - The GNU Emacs editor (with GTK+ user interface)
emacs23-bin-common - The GNU Emacs editor's shared, architecture dependent
files
emacs23-common - The GNU Emacs editor's shared, architecture independent
infrastru
emacs23-el - GNU Emacs LISP (.el) files
emacs23-lucid - The GNU Emacs editor
emacs23-nox - The GNU Emacs editor (without X support)
Closes: 594320 684695
Changes:
emacs23 (23.2+1-7+squeeze1) stable-security; urgency=high
.
* Mention the fullscreen "maximized" value in the emacs man page.
Thanks to Peter Eisentraut <[email protected]> for the report and
Sven Joachim <[email protected]> for the patch. (closes: #594320)
.
* Add hack-local-variables-filter-fix-for-bug-12155.diff. Don't
eval code when enable-local-variables is :safe. Previously, Emacs
might eval forms in file-local variable sections even when the
Emacs user option `enable-local-variables' was set to :safe
(CVE-2012-3479). Please see the patch for additional details.
Thanks to Henri Salo <[email protected]> for the report.
(Closes: #684695)
Checksums-Sha1:
6884b4b23c97ef4dbde33cffdd4113729b4420f4 2269 emacs23_23.2+1-7+squeeze1.dsc
41418b900fc088a5a34d0b493d0d6b731a499f06 23319578 emacs23_23.2+1.orig.tar.bz2
c746bca7253c4345c8c2ea567c8a4e8cf4287c6e 55182
emacs23_23.2+1-7+squeeze1.debian.tar.gz
220e8974192092a086c0a007cc1abd5e6591d95f 88922 emacs_23.2+1-7+squeeze1_all.deb
0438bf88350f9a291243901d7f3593c7618dc5ae 3407022
emacs23-lucid_23.2+1-7+squeeze1_amd64.deb
ae24beab845694046cc1addedd90286ceacaeef2 3066088
emacs23-nox_23.2+1-7+squeeze1_amd64.deb
1eae55b375fe15e2505878890443a6b42627a79f 3405726
emacs23_23.2+1-7+squeeze1_amd64.deb
5d7c86560f143ea26bf9618997bac678ccdf526c 256948
emacs23-bin-common_23.2+1-7+squeeze1_amd64.deb
1f156ca62a1effbca7b46a071b7d299ffff0243b 18514612
emacs23-common_23.2+1-7+squeeze1_all.deb
3d81b9da7d840be65ac272e8e609266cbee6ade3 13706036
emacs23-el_23.2+1-7+squeeze1_all.deb
Checksums-Sha256:
835c5f483aefb946dacc04af53dd85e7331230775a73cf88bc791605e284a7d2 2269
emacs23_23.2+1-7+squeeze1.dsc
0212360624a078cf0a2a8681bd0a1aaa8b4e37d058e7d81707e6dfca7c6a9b59 23319578
emacs23_23.2+1.orig.tar.bz2
2f6b0180927ca284419aaa14200b5bdf81ca58e75042469463c975c83d94f578 55182
emacs23_23.2+1-7+squeeze1.debian.tar.gz
7bfd2d0eb56891f3d1a0eaeb43df85f1d9ec42db1513d5e7d4b70adc98be7618 88922
emacs_23.2+1-7+squeeze1_all.deb
3232db82e577d963ed1339f87ad27bcee87a5dc2fa4792574f33b314bfb1a958 3407022
emacs23-lucid_23.2+1-7+squeeze1_amd64.deb
ab984090c6fd5c4b4653a43d93e7da0837dd04907eca969abc038f52ccd728ba 3066088
emacs23-nox_23.2+1-7+squeeze1_amd64.deb
bd059cea4e8d7bbf63e29b9772a18d87c625010dc304a7162ee603ae8038ebfe 3405726
emacs23_23.2+1-7+squeeze1_amd64.deb
427391fbaa3b30eaa0c68231eaa264fe97644f1262e90e455f320f78051d5c9e 256948
emacs23-bin-common_23.2+1-7+squeeze1_amd64.deb
b8fea6021d71538f7b391ba510f439c4f553dda58d59233f9a7fb90a6a1473e4 18514612
emacs23-common_23.2+1-7+squeeze1_all.deb
8a4c61174c6a0ef84f8773a8706710dcd8ba207e89941f1a2c3fb4ae1daf561a 13706036
emacs23-el_23.2+1-7+squeeze1_all.deb
Files:
b2b8fb1aeeed184a3035aa1b4bec9ce3 2269 editors optional
emacs23_23.2+1-7+squeeze1.dsc
11350b687e3819350e2fbdf971084eba 23319578 editors optional
emacs23_23.2+1.orig.tar.bz2
459d6f0941faeb78b860774c733d1e48 55182 editors optional
emacs23_23.2+1-7+squeeze1.debian.tar.gz
2f1e89af263f6d267aa81b32a1b928b8 88922 editors optional
emacs_23.2+1-7+squeeze1_all.deb
760e7ecb28ea4c0b574f93af96fea6ab 3407022 editors optional
emacs23-lucid_23.2+1-7+squeeze1_amd64.deb
03bc994eca3718bb85af89b1c1023a5b 3066088 editors optional
emacs23-nox_23.2+1-7+squeeze1_amd64.deb
ae8140b9de79af730fe85284c429d88b 3405726 editors optional
emacs23_23.2+1-7+squeeze1_amd64.deb
d0bedff3f355a00f6b9bc8ecc747e511 256948 editors optional
emacs23-bin-common_23.2+1-7+squeeze1_amd64.deb
49cdd17a726848fa374f9184e917d486 18514612 editors optional
emacs23-common_23.2+1-7+squeeze1_all.deb
18d752a5db8ad381e06878e24d89cbbe 13706036 editors optional
emacs23-el_23.2+1-7+squeeze1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJQ7LoTAAoJEO7xFsVaWkLxu3sQAJgYUdCQJv3GPD96qIgFpdB1
1JLO2fxYYR4mz2gF7pCrU5njFIx6M8jJuUQzrqMB8evq27pXQJu0pWbn70SL11J9
LO+lFQM9kP+5w3sG4FI9ezG5hlDo0u/GI3oZ7eYLoGJW08NIi+bBIkx/tTyn8vl+
9a/IdKYlr7AmKc4MQJFsaNefoCIh3XtCRtx0toIALnJ6P+4bn1SVwY6BXAG2Mgp+
pDQs9p0LWQpmHP5Px3GUihit4+hTcYkOxt8k4SUTbj9eOokwnSRY4fd0mXd+nGOc
9cj/Nlobihu9OFvVyG9LJ5E3N2qINdqBK+wRmRJxiEznB0bwqIPUxw3UtbPKzpq4
r64cE2SraX0cPAExcAKJ4E2PJFC0xktwcXY91vAVYIvW0ta6/xTSw8xe2iz1ZoN7
/IVLX2h5hAT/MK4C9/9XtWTqRCPSx82htRughfRSN2ucm393Mzn5kuYwnpHrGTlI
WDXjqU3WO8HFUzYMSPbaJRErsb8i1V7tEErPetAv2TDDSY+keHR7sIrcDnrZ7n/s
hWlI4ryGMGqJttHU7H1R7UmFxAv5qagwfYHSMdu5yDj4CVi7+M/tcH1gM6LNu3so
/BtqdnWfa8EYSs6anUqygAOpq5yrfAnwMRPnXNd0iMbCsQMiEcCj1259EbI7wh4A
NrdDzw7vYE2s392lYGLN
=s7TS
-----END PGP SIGNATURE-----
--- End Message ---