Package: release.debian.org

As discussed previously, I've finished and uploaded the packages to fix the emacs{23,24} binary metapackage problem. I've dropped the emacs binary package from emacs{23,24}, and created a new gcc-defaults-style emacs-defaults metapackage to provide it.
The emacs23 23.4+1-4 package also includes a fix for CVE-2012-3479. Please consider both packages for inclusion in wheezy, and let me know if you need me to fix anything. Here's the emacs23 debdiff:
diff -Nru emacs23-23.4+1/debian/.git-dpm emacs23-23.4+1/debian/.git-dpm --- emacs23-23.4+1/debian/.git-dpm 2012-04-07 14:34:57.000000000 -0500 +++ emacs23-23.4+1/debian/.git-dpm 2012-09-08 14:58:21.000000000 -0500 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -c566c20428a35fb0d29960819ef0034808f4cd12 -c566c20428a35fb0d29960819ef0034808f4cd12 +e53a987370a1ea362b4247d4a621257c28f35f52 +e53a987370a1ea362b4247d4a621257c28f35f52 4edc7f7569f39278c30a9a64da6e0b313bbed458 4edc7f7569f39278c30a9a64da6e0b313bbed458 emacs23_23.4+1.orig.tar.bz2 diff -Nru emacs23-23.4+1/debian/changelog emacs23-23.4+1/debian/changelog --- emacs23-23.4+1/debian/changelog 2012-04-07 14:36:04.000000000 -0500 +++ emacs23-23.4+1/debian/changelog 2012-09-08 15:01:04.000000000 -0500 @@ -1,3 +1,20 @@ +emacs23 (23.4+1-4) unstable; urgency=high + + * Add 0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch. + Don't eval code when enable-local-variables is :safe. Previously, + Emacs might eval forms in file-local variable sections even when + the Emacs user option `enable-local-variables' was set to :safe + (CVE-2012-3479). Please see the patch for additional details. + Thanks to Henri Salo <he...@nerv.fi> for the report. + (Closes: #684695) + + * Stop producing the emacs binary metapackage. Move the emacs + binary metapackage to its own source package (emacs-defaults, + cf. gcc-defaults). This will prevent emacs23 and emacs24 from + producing the same binary package. + + -- Rob Browning <r...@defaultvalue.org> Sat, 08 Sep 2012 14:59:52 -0500 + emacs23 (23.4+1-3) unstable; urgency=low * Add 0017-Initialize-xgselect-in-function-xg_select-when-gfds_.patch. diff -Nru emacs23-23.4+1/debian/control emacs23-23.4+1/debian/control --- emacs23-23.4+1/debian/control 2012-04-07 14:36:40.000000000 -0500 +++ emacs23-23.4+1/debian/control 2012-09-08 15:04:44.000000000 -0500 
@@ -12,15 +12,6 @@ Homepage: http://www.gnu.org/software/emacs/ Standards-Version: 3.7.2 -Package: emacs -Architecture: all -Depends: emacs23 | emacs23-lucid | emacs23-nox, ${misc:Depends} -Provides: emacsen, editor, mail-reader, news-reader -Description: The GNU Emacs editor (metapackage) - GNU Emacs is the extensible self-documenting text editor. - This is a metapackage which will always depend on the latest Emacs - release. - Package: emacs23-lucid Architecture: any Depends: emacs23-bin-common (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} diff -Nru emacs23-23.4+1/debian/control.in emacs23-23.4+1/debian/control.in --- emacs23-23.4+1/debian/control.in 2012-04-07 14:34:56.000000000 -0500 +++ emacs23-23.4+1/debian/control.in 2012-09-08 14:59:26.000000000 -0500 @@ -12,15 +12,6 @@ Homepage: http://www.gnu.org/software/emacs/ Standards-Version: 3.7.2 -Package: emacs -Architecture: all -Depends: @DEB_FLAVOR@ | @DEB_FLAVOR@-lucid | @DEB_FLAVOR@-nox, ${misc:Depends} -Provides: emacsen, editor, mail-reader, news-reader -Description: The GNU Emacs editor (metapackage) - GNU Emacs is the extensible self-documenting text editor. - This is a metapackage which will always depend on the latest Emacs - release. - Package: @DEB_FLAVOR@-lucid Architecture: any Depends: @DEB_FLAVOR@-bin-common (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} diff -Nru emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch --- emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch 1969-12-31 18:00:00.000000000 -0600 +++ emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch 2012-09-08 14:58:21.000000000 -0500 
@@ -0,0 +1,63 @@ +From e53a987370a1ea362b4247d4a621257c28f35f52 Mon Sep 17 00:00:00 2001 +From: Glenn Morris <r...@gnu.org> +Date: Tue, 7 Aug 2012 14:41:39 -0400 +Subject: Don't eval code when enable-local-variables is :safe. + +Emacs should no longer eval code when enable-local-variables is :safe. + +Previously, Emacs might eval forms in file-local variable sections +even when the Emacs user option `enable-local-variables' was set to +:safe. This patch fixes CVE-2012-3479: + + http://security-tracker.debian.org/tracker/CVE-2012-3479 + +Origin: upstream, commit: 108092 (90c310d22c6f06332257c816253c642fd2bf90aa) +Added-by: Rob Browning <r...@defaultvalue.org> +Provided-By: Glenn Morris <r...@gnu.org> +Bug: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684695 +--- + lisp/ChangeLog | 6 ++++++ + lisp/files.el | 15 ++++++++++----- + 2 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/lisp/ChangeLog b/lisp/ChangeLog +index 6d780e9..791092d 100644 +--- a/lisp/ChangeLog ++++ b/lisp/ChangeLog +@@ -1,3 +1,9 @@ ++2012-08-07 Glenn Morris <r...@gnu.org> ++ ++ * files.el (hack-local-variables-filter): If an eval: form is not ++ known to be safe, and enable-local-variables is :safe, then ignore ++ the form totally, as is done for non-eval forms. (Bug#12155) ++ + 2012-01-19 Chong Yidong <c...@gnu.org> + + * Version 23.4 released. +diff --git a/lisp/files.el b/lisp/files.el +index ed1a69d..113968d 100644 +--- a/lisp/files.el ++++ b/lisp/files.el +@@ -2986,11 +2986,16 @@ DIR-NAME is a directory name if these settings come from + ;; Obey `enable-local-eval'. + ((eq var 'eval) + (when enable-local-eval +- (push elt all-vars) +- (or (eq enable-local-eval t) +- (hack-one-local-variable-eval-safep (eval (quote val))) +- (safe-local-variable-p var val) +- (push elt unsafe-vars)))) ++ (let ((safe (or (hack-one-local-variable-eval-safep ++ (eval (quote val))) ++ ;; In case previously marked safe (bug#5636). 
++ (safe-local-variable-p var val)))) ++ ;; If not safe and e-l-v = :safe, ignore totally. ++ (when (or safe (not (eq enable-local-variables :safe))) ++ (push elt all-vars) ++ (or (eq enable-local-eval t) ++ safe ++ (push elt unsafe-vars)))))) + ;; Ignore duplicates (except `mode') in the present list. + ((and (assq var all-vars) (not (eq var 'mode))) nil) + ;; Accept known-safe variables. diff -Nru emacs23-23.4+1/debian/patches/series emacs23-23.4+1/debian/patches/series --- emacs23-23.4+1/debian/patches/series 2012-04-07 14:34:57.000000000 -0500 +++ emacs23-23.4+1/debian/patches/series 2012-09-08 14:58:21.000000000 -0500 @@ -15,3 +15,4 @@ 0015-coding.c-produce_chars-Fix-updating-of-src_end-Bug-1.patch 0016-quail-indian.el-indian-tlg-base-table-Fix-typo-dev-t.patch 0017-Initialize-xgselect-in-function-xg_select-when-gfds_.patch +0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch
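Review bot: on the debian/changelog hunk, the 23.4+1-4 entry defers to "Please see the patch for additional details" for the CVE-2012-3479 fix; for an upload aimed at wheezy the changelog itself should state the user-visible effect, namely that an `eval:` form in a file-local variable section that is not known to be safe is now ignored entirely when `enable-local-variables` is `:safe`, so the release and security teams can judge the change without opening debian/patches. The `urgency=high` and `Closes: #684695` are right for a security fix.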
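Review bot: on the debian/control hunk, the removed `emacs` stanza carried `Provides: emacsen, editor, mail-reader, news-reader` and `Depends: emacs23 | emacs23-lucid | emacs23-nox`; nothing in this debdiff shows the replacement, so confirm that the `emacs` binary built from the new emacs-defaults source keeps the same Provides and an equivalent Depends, otherwise anything depending on the `editor` or `emacsen` virtual package loses a provider on upgrade unless the flavour packages also provide them. Since a new source package has to clear NEW, the emacs-defaults upload should be accepted before or together with this one, or `emacs` briefly has no installable candidate in unstable.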
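Review bot: on the debian/control.in hunk, the template change matches the generated debian/control hunk line for line, which is what is wanted; the two files carry different mtimes (14:59:26 for control.in, 15:04:44 for control), so it looks like control was regenerated rather than hand-edited, which is worth keeping that way so the `@DEB_FLAVOR@` substitution stays the single source of truth for the emacs24 build as well.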
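Review bot: on the header block of 0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch, the `From e53a987370a1ea362b4247d4a621257c28f35f52` line is the local git-dpm commit (it is the new hash recorded in debian/.git-dpm), not the upstream commit, while `Origin:` cites bzr revision 108092 / git 90c310d22c6f06332257c816253c642fd2bf90aa; a reader chasing the upstream fix from the security tracker could easily take the wrong hash. Record the upstream revision in an `Applied-Upstream:` field, which is the DEP-3 field for this, and note that `Added-by:` and `Provided-By:` are not DEP-3 fields (`Author:`/`From:` and `Reviewed-by:` are), so tools parsing the header will ignore them.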
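Review bot: on the lisp/ChangeLog hunk inside the patch, the diffstat shows only lisp/ChangeLog and lisp/files.el changed, so there is no etc/NEWS entry for a change that alters what `enable-local-variables` set to `:safe` does with `eval:` forms; since this is the user-facing security behaviour being corrected, a NEWS line (or at least a mention in the Debian changelog) would let users who relied on being prompted understand why they are no longer asked.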
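Review bot: on the lisp/files.el hunk in `hack-local-variables-filter`, the new `let` computes `safe` by calling `hack-one-local-variable-eval-safep` before the `(eq enable-local-eval t)` test, whereas the old `or` short-circuited on `enable-local-eval` being `t` and never called the predicate in that case; this is harmless only if the predicate inspects the form without evaluating it, which is its purpose, but it is an ordering change the ChangeLog entry does not mention and deserves a word there. The gate `(when (or safe (not (eq enable-local-variables :safe))) …)` does what the subject line promises: with `:safe`, an `eval:` form that is not known safe is pushed to neither `all-vars` nor `unsafe-vars`, so it is dropped rather than queued for the later confirmation step, matching how non-eval variables are treated. Pre-existing nit carried over from the removed lines: `(eval (quote val))` is just `val`.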
Thanks
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4