On Mon, Aug 13, 2012 at 09:03:34PM -0500, Rob Browning wrote:
> Henri Salo <[email protected]> writes:
>
> > Paul Ling has found a security flaw in the file-local variables code
> > in GNU Emacs. When the Emacs user option `enable-local-variables' is
> > set to `:safe' (the default value is t), Emacs should automatically
> > refuse to evaluate `eval' forms in file-local variable sections. Due
> > to the bug, Emacs instead automatically evaluates such `eval' forms.
> > Thus, if the user changes the value of `enable-local-variables' to
> > `:safe', visiting a malicious file can cause automatic execution of
> > arbitrary Emacs Lisp code with the permissions of the user. The bug is
> > present in Emacs 23.2, 23.3, 23.4, and 24.1.
> >
> > More details:
> > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
> > http://www.openwall.com/lists/oss-security/2012/08/13/1
> > http://www.openwall.com/lists/oss-security/2012/08/13/2
> >
> > I haven't manually verified this in Debian packages. Please ask in
> > case you want me to do it.
>
> I'll be happy to work on this, but I may not have much time until
> Thu/Fri.

What's the status?

Cheers,
Moritz
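
A triage check for the behaviour described in the quoted advisory, added here as an example and not taken from this thread or from Emacs itself: it lists the `eval' forms a file declares through file-local variables (the first-line -*- cookie and the "Local Variables:" block in the last 3000 characters), so such files can be reviewed before being visited with an affected version. The function name and the sample text are constructed; the form-feed rule and semicolons inside header values are not handled.

```python
import re

# "-*- var: val; ... -*-" cookie on the first line (second if the first is "#!").
HEADER = re.compile(r"-\*-(.*?)-\*-")
# The block marker may carry a per-file prefix/suffix such as comment markers.
BLOCK_START = re.compile(r"^(.*?)Local Variables:(.*)$", re.IGNORECASE)

def _entry(text):
    """Split 'name: value' into (lowercased name, value); (None, None) if no colon."""
    name, sep, value = text.partition(":")
    return (name.strip().lower(), value.strip()) if sep else (None, None)

def eval_local_variables(text):
    """Return the eval forms a file asks Emacs to run via file-local variables."""
    found = []
    lines = text.splitlines()
    head = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in head:
        m = HEADER.search(line)
        for part in (m.group(1).split(";") if m else []):
            name, value = _entry(part)
            if name == "eval":
                found.append(value)
    # Emacs only looks for the block near the end of the file.
    tail = text[-3000:].splitlines()
    for i, line in enumerate(tail):
        m = BLOCK_START.match(line)
        if not m:
            continue
        prefix, suffix = m.group(1).strip(), m.group(2).strip()
        for raw in tail[i + 1:]:
            body = raw.strip()
            if prefix and body.startswith(prefix):
                body = body[len(prefix):]
            if suffix and body.endswith(suffix):
                body = body[:-len(suffix)]
            name, value = _entry(body)
            if name == "end":
                break
            if name == "eval":
                found.append(value)
        break  # only the first block marker is considered
    return found

# Constructed sample: harmless eval forms in both supported positions.
SAMPLE = ('# -*- mode: conf; eval: (message "from header") -*-\n'
          "setting = 1\n# Local Variables:\n# fill-column: 72\n"
          '# eval: (message "from block")\n# End:\n')
```

Any non-empty result means the file carries code that an affected Emacs with `enable-local-variables' set to `:safe' would evaluate on visit.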