Debian Bug report logs - #449008
emacs22-common: enable-local-variables :safe mode acts like :all

version graph

Package: emacs22-common; Maintainer for emacs22-common is (unknown);

Reported by: Drake Wilson <drake@begriffli.ch>

Date: Fri, 2 Nov 2007 10:00:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security

Found in version emacs22/22.1+1-2

Fixed in versions emacs22/22.1+1-2.1, emacs22/22.1+1-3

Done: Romain Francoise <rfrancoise@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Drake Wilson <drake@begriffli.ch>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 02 Nov 2007 04:56:52 -0500
[Message part 1 (text/plain, inline)]
Package: emacs22-common
Version: 22.1+1-2
Severity: grave
Tags: security patch
Justification: user security hole

(I have not confirmed whether this bug exists upstream.)

In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
function does not behave correctly when `enable-local-variables' is
set to :safe.  The documentation of `enable-local-variables' states
that the value :safe means to set only safe variables, as determined
by `safe-local-variable-p' and `risky-local-variable-p' (and the data
driving them), but Emacs ignores this and instead sets all the local
variables.

This can be demonstrated by creating a file with almost the text:

  | Local variaboles:
  | load-path: uh-oh
  | End:

(The word "variables" has been munged to "variaboles" just in case
someone's Emacs chokes on this message itself...)

Visit this file with `enable-local-variables' set to :safe.  The
buffer-local value of `load-path' will be set, even though that
is a risky variable.

The source of this bug: `hack-local-variables' makes lists of
`risky-vars' and `unsafe-vars' to strip out when in :safe mode, as
(variable . value) conses.  It then avoids setting variables where
the name of the variable is `eq' to the cons.  Probably someone
changed the format of the function-local list variables and then
forgot to update all the places they were referenced.

A small patch to fix this (which should also be attached to this
message, for convenience) simply updates the code branch corresponding
to :safe mode to search the lists correctly:

--- lisp/files.el.old	2007-11-02 04:23:58.000000000 -0500
+++ lisp/files.el	2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@
 		;; If caller wants only the safe variables,
 		;; install only them.
 		(dolist (elt result)
-		  (unless (or (memq (car elt) unsafe-vars)
-			      (memq (car elt) risky-vars))
+		  (unless (or (member elt unsafe-vars)
+			      (member elt risky-vars))
 		    (hack-one-local-variable (car elt) (cdr elt))))
 	      ;; Query, except in the case where all are known safe
 	      ;; if the user wants no quuery in that case.

Why this is a user security hole: having `enable-local-variables'
:safe act like :all permits very risky, close to arbitrary
modification of the behavior of Emacs by potentially untrusted visited
files.  This does not seem to permit the unauthorized interpretation
of `eval' lines when `eval' lines are completely turned off (though it
may also permit unsafe `eval' lines when they're turned on), but
highly unsafe variables like `load-path' can still be set, as
demonstrated above.

   ---> Drake Wilson

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22.2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages emacs22-common depends on:
ii  dpkg                          1.14.7     package maintenance system for Deb
ii  emacsen-common                1.4.17     Common facilities for all emacsen

emacs22-common recommends no packages.

-- no debconf information
[emacs22-files-el-20071102-dpw.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Romain Francoise <romain@orebokech.com>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #10 received at 449008@bugs.debian.org (full text, mbox):

From: Romain Francoise <romain@orebokech.com>
To: Drake Wilson <drake@begriffli.ch>
Cc: 449008@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 02 Nov 2007 12:11:46 +0100
tags 449008 fixed-upstream
quit

Hi,

Drake Wilson <drake@begriffli.ch> writes:

> The source of this bug: `hack-local-variables' makes lists of
> `risky-vars' and `unsafe-vars' to strip out when in :safe mode, as
> (variable . value) conses.  It then avoids setting variables where
> the name of the variable is `eq' to the cons.  Probably someone
> changed the format of the function-local list variables and then
> forgot to update all the places they were referenced.

Thank you very much for finding and reporting this issue.  I've
confirmed that it still applies upstream and installed your patch in
the trunk and in the Emacs 22 release branch for the upcoming 22.2
release.




Tags added: fixed-upstream Request was from Romain Francoise <romain@orebokech.com> to control@bugs.debian.org. (Fri, 02 Nov 2007 11:15:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #17 received at 449008@bugs.debian.org (full text, mbox):

From: Drake Wilson <drake@begriffli.ch>
To: 449008@bugs.debian.org
Subject: Upstream appears to also contain this bug
Date: Fri, 2 Nov 2007 06:12:18 -0500
FYI: now that I've checked, the official source of GNU Emacs 22.1
seems to contain this bug also, as well as the current Arch and CVS
repositories for the relevant Savannah project.  I have sent mail
to bug-gnu-emacs accordingly, pointing to this bug report and
replicating most of its content.  Hopefully that'll speed up
coordination with upstream.

   ---> Drake Wilson




Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #22 received at 449008@bugs.debian.org (full text, mbox):

From: Drake Wilson <drake@begriffli.ch>
To: Romain Francoise <romain@orebokech.com>
Cc: 449008@bugs.debian.org
Subject: Re: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 2 Nov 2007 06:18:38 -0500
Quoth Romain Francoise <romain@orebokech.com>, on 2007-11-02 12:11:46 +0100:
> Thank you very much for finding and reporting this issue.  I've
> confirmed that it still applies upstream and installed your patch in
> the trunk and in the Emacs 22 release branch for the upcoming 22.2
> release.

Aha, looks like we're up and reading mail at the same time.  (Sorry about
the near-simultaneous duplication.)  Good stuff; hopefully it'll get fixed
in Debian soon.  Thanks.  :-)

   ---> Drake Wilson




Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #27 received at 449008@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Drake Wilson <drake@begriffli.ch>, 449008@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 2 Nov 2007 17:13:23 +0100
Drake Wilson wrote:
> Package: emacs22-common
> Version: 22.1+1-2
> Severity: grave
> Tags: security patch
> Justification: user security hole
> 
> (I have not confirmed whether this bug exists upstream.)
> 
> In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
> function does not behave correctly when `enable-local-variables' is
> set to :safe.  The documentation of `enable-local-variables' states
> that the value :safe means to set only safe variables, as determined
> by `safe-local-variable-p' and `risky-local-variable-p' (and the data
> driving them), but Emacs ignores this and instead sets all the local
> variables.
> 
> This can be demonstrated by creating a file with almost the text:
> 
>   | Local variaboles:
>   | load-path: uh-oh
>   | End:

JFTR, emacs21 from Debian Etch is not affected, it correctly prints a
"Ignoring risky spec in the local variables list" warning.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #32 received at 449008@bugs.debian.org (full text, mbox):

From: Drake Wilson <drake@begriffli.ch>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 449008@bugs.debian.org
Subject: Re: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 2 Nov 2007 12:22:06 -0500
Quoth Moritz Muehlenhoff <jmm@inutil.org>, on 2007-11-02 17:13:23 +0100:
> JFTR, emacs21 from Debian Etch is not affected, it correctly prints a
> "Ignoring risky spec in the local variables list" warning.

This is true, yes.  It's mostly because the behavior of file local
variables in Emacs 21 is different in a way that makes the report not
applicable in the first place.  Primarily, the Emacs 21 definition of
`enable-local-variables' does not include :safe as a valid value with
the expected behavior being as in Emacs 22; it only provides t, nil,
and anything else meaning "query".  The code fragment that causes the
problem only occurs in the :safe case; the other three cases are not
affected.

Ironically, that feature was the main reason I wanted to try Emacs 22
in the first place.  :-)

> Cheers,
>         Moritz

   ---> Drake Wilson




Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #37 received at 449008@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 449008@bugs.debian.org
Cc: Drake Wilson <drake@begriffli.ch>, Romain Francoise <romain@orebokech.com>
Subject: package upload?
Date: Sat, 3 Nov 2007 11:51:34 +1100
[Message part 1 (text/plain, inline)]
Hi

Anyone preparing a package upload or is a sponsor needed?

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Romain Francoise <romain@orebokech.com>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #42 received at 449008@bugs.debian.org (full text, mbox):

From: Romain Francoise <romain@orebokech.com>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 449008@bugs.debian.org, Drake Wilson <drake@begriffli.ch>
Subject: Re: package upload?
Date: Sat, 03 Nov 2007 08:49:17 +0100
Steffen Joeris <steffen.joeris@skolelinux.de> writes:

> Anyone preparing a package upload or is a sponsor needed?

I can NMU if necessary.  Do we have a CVE id for this?




Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #47 received at 449008@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Romain Francoise <romain@orebokech.com>
Cc: 449008@bugs.debian.org, Drake Wilson <drake@begriffli.ch>
Subject: Re: package upload?
Date: Sat, 3 Nov 2007 19:05:00 +1100
[Message part 1 (text/plain, inline)]
On Sat, 3 Nov 2007 06:49:17 pm Romain Francoise wrote:
> Steffen Joeris <steffen.joeris@skolelinux.de> writes:
> > Anyone preparing a package upload or is a sponsor needed?
>
> I can NMU if necessary.  Do we have a CVE id for this?
Please go for it, saves me some time :)
Number is CVE-2007-5795.
Please just ping me (white on IRC oftc and freenode) or drop me a mail, when 
it is done.
Thanks a lot for the offer.

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #52 received at 449008@bugs.debian.org (full text, mbox):

From: Romain Francoise <rfrancoise@debian.org>
To: 449008@bugs.debian.org
Subject: NMU diff
Date: Sat, 03 Nov 2007 11:22:51 +0100
Here's the diff for the 22.1+1-2.1 NMU:

diff -u emacs22-22.1+1/debian/changelog emacs22-22.1+1/debian/changelog
--- emacs22-22.1+1/debian/changelog
+++ emacs22-22.1+1/debian/changelog
@@ -1,3 +1,12 @@
+emacs22 (22.1+1-2.1) unstable; urgency=high
+
+  * NMU
+  * Incorporate patch from Drake Wilson <drake@begriffli.ch> fixing a
+    vulnerability in the handling of file local variables (CVE-2007-5795)
+    (closes: #449008).
+
+ -- Romain Francoise <rfrancoise@debian.org>  Sat, 03 Nov 2007 09:31:51 +0100
+
 emacs22 (22.1+1-2) unstable; urgency=low
 
   * Fix mail locking patch for Debian's non-Linux architectures.  Thanks
diff -u emacs22-22.1+1/debian/patches/series emacs22-22.1+1/debian/patches/series
--- emacs22-22.1+1/debian/patches/series
+++ emacs22-22.1+1/debian/patches/series
@@ -13,0 +14 @@
+cve-2007-5795.diff
only in patch2:
unchanged:
--- emacs22-22.1+1.orig/debian/patches/cve-2007-5795.diff
+++ emacs22-22.1+1/debian/patches/cve-2007-5795.diff
@@ -0,0 +1,28 @@
+* A security vulnerability in the handling of local variables has been fixed.
+  Patch: cve-2007-5795.diff
+  Provided-by: Drake Wilson <drake@begriffli.ch>
+  Date: Sat, 03 Nov 2007 09:25:50 +0100
+  Added-by: Romain Francoise <rfrancoise@debian.org>
+  Status: merged upstream
+
+  Upstream changelog entry:
+
+  2007-11-02  Drake Wilson  <drake@begriffli.ch>  (tiny change)
+
+        * files.el (hack-local-variables): Fix membership tests to avoid
+        treating all variables as safe if `enable-local-variables' is
+        set to :safe.
+
+--- a/lisp/files.el
++++ b/lisp/files.el
+@@ -2736,8 +2736,8 @@
+ 		;; If caller wants only the safe variables,
+ 		;; install only them.
+ 		(dolist (elt result)
+-		  (unless (or (memq (car elt) unsafe-vars)
+-			      (memq (car elt) risky-vars))
++		  (unless (or (member elt unsafe-vars)
++			      (member elt risky-vars))
+ 		    (hack-one-local-variable (car elt) (cdr elt))))
+ 	      ;; Query, except in the case where all are known safe
+ 	      ;; if the user wants no quuery in that case.

-- 
  ,''`.
 : :' :        Romain Francoise <rfrancoise@debian.org>
 `. `'         http://people.debian.org/~rfrancoise/
   `-




Reply sent to Romain Francoise <rfrancoise@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Drake Wilson <drake@begriffli.ch>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #57 received at 449008-close@bugs.debian.org (full text, mbox):

From: Romain Francoise <rfrancoise@debian.org>
To: 449008-close@bugs.debian.org
Subject: Bug#449008: fixed in emacs22 22.1+1-2.1
Date: Sat, 03 Nov 2007 10:17:08 +0000
Source: emacs22
Source-Version: 22.1+1-2.1

We believe that the bug you reported is fixed in the latest version of
emacs22, which is due to be installed in the Debian FTP archive:

emacs22-bin-common_22.1+1-2.1_i386.deb
  to pool/main/e/emacs22/emacs22-bin-common_22.1+1-2.1_i386.deb
emacs22-common_22.1+1-2.1_all.deb
  to pool/main/e/emacs22/emacs22-common_22.1+1-2.1_all.deb
emacs22-el_22.1+1-2.1_all.deb
  to pool/main/e/emacs22/emacs22-el_22.1+1-2.1_all.deb
emacs22-gtk_22.1+1-2.1_i386.deb
  to pool/main/e/emacs22/emacs22-gtk_22.1+1-2.1_i386.deb
emacs22-nox_22.1+1-2.1_i386.deb
  to pool/main/e/emacs22/emacs22-nox_22.1+1-2.1_i386.deb
emacs22_22.1+1-2.1.diff.gz
  to pool/main/e/emacs22/emacs22_22.1+1-2.1.diff.gz
emacs22_22.1+1-2.1.dsc
  to pool/main/e/emacs22/emacs22_22.1+1-2.1.dsc
emacs22_22.1+1-2.1_i386.deb
  to pool/main/e/emacs22/emacs22_22.1+1-2.1_i386.deb
emacs_22.1+1-2.1_all.deb
  to pool/main/e/emacs22/emacs_22.1+1-2.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 449008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Francoise <rfrancoise@debian.org> (supplier of updated emacs22 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 03 Nov 2007 09:31:51 +0100
Source: emacs22
Binary: emacs22-el emacs22-gtk emacs22-bin-common emacs22-nox emacs22 emacs22-common emacs
Architecture: source all i386
Version: 22.1+1-2.1
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Romain Francoise <rfrancoise@debian.org>
Description: 
 emacs      - The GNU Emacs editor (metapackage)
 emacs22    - The GNU Emacs editor
 emacs22-bin-common - The GNU Emacs editor's shared, architecture dependent files
 emacs22-common - The GNU Emacs editor's shared, architecture independent infrastru
 emacs22-el - GNU Emacs LISP (.el) files
 emacs22-gtk - The GNU Emacs editor (with GTK user interface)
 emacs22-nox - The GNU Emacs editor (without X support)
Closes: 449008
Changes: 
 emacs22 (22.1+1-2.1) unstable; urgency=high
 .
   * NMU
   * Incorporate patch from Drake Wilson <drake@begriffli.ch> fixing a
     vulnerability in the handling of file local variables (CVE-2007-5795)
     (closes: #449008).
Files: 
 c6fe096d1a30fe8b8656c34e74aa605a 937 editors optional emacs22_22.1+1-2.1.dsc
 3d40ec0eedb7f11456fa4eead3533b68 48107 editors optional emacs22_22.1+1-2.1.diff.gz
 b0859caa68812d219bc61375ff016623 18756 editors optional emacs_22.1+1-2.1_all.deb
 13e3eee288210ae9738bfe1eba77da90 14276492 editors optional emacs22-common_22.1+1-2.1_all.deb
 f136301b510f82da463c4b461ca42be5 11185940 editors optional emacs22-el_22.1+1-2.1_all.deb
 92517f403e54fa55e32a34c2e3aad463 2564948 editors optional emacs22_22.1+1-2.1_i386.deb
 30c4a4f76b388fc0942f877031f20e8a 2319432 editors optional emacs22-nox_22.1+1-2.1_i386.deb
 f8b05baf1be9a442244c35a410954524 2562452 editors optional emacs22-gtk_22.1+1-2.1_i386.deb
 f281533954c548b8331b396ef0d1351d 159210 editors optional emacs22-bin-common_22.1+1-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHLD9iogN2vsA8Vt8RAg38AJ49xlqhMkCMlpnWai+ECV2dZKm5fgCgqkeD
nQi0zq6C7bjsD25jJxIbBTY=
=ow0P
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Drake Wilson <drake@begriffli.ch>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #62 received at 449008@bugs.debian.org (full text, mbox):

From: Drake Wilson <drake@begriffli.ch>
To: 449008@bugs.debian.org, team@security.debian.org
Cc: steffen.joeris@skolelinux.de, romain@orebokech.com, mwolson@gnu.org, drake@begriffli.ch
Subject: Exploit escalation of hack-local-variables flaw
Date: Sat, 3 Nov 2007 05:48:12 -0500
[Message part 1 (text/plain, inline)]
Just as a followup, I can confirm that this flaw permits the execution
of arbitrary Emacs Lisp code.  Attached is a file that is almost such
an evil file, but with the local variables list neutered similarly to
the above.  Read the file to see what it does.  Once you can execute
arbitrary Emacs Lisp code, of course, you can modify arbitrary files
that can be written by the Emacs process, and once you can do that,
you pretty much have full control over the user's account.  Whee.

(Not Cc'ing to the Emacs lists at gnu.org to avoid flooding them with
mail from non-subscribed persons; those of you more closely associated
can forward if you feel like it.)

   ---> Drake Wilson
[emacs-22.1-files-el-exploit.evil (text/plain, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 03 Jan 2008 07:27:20 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Lucas Nussbaum <lucas@lucas-nussbaum.net> to controlbugs.debian.org. (Sat, 09 Aug 2008 18:02:46 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#449008; Package emacs22-common. Full text and rfc822 format available.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. Full text and rfc822 format available.

Message #71 received at 449008@bugs.debian.org (full text, mbox):

From: Frank Lichtenheld <djpig@debian.org>
To: control@bugs.debian.org
Cc: 449008@bugs.debian.org
Subject: fixed 449008 in emacs22/22.1+1-3
Date: Mon, 11 Aug 2008 18:35:33 -0300
# Automatically generated email from bts, devscripts version 2.10.35
# according to changelog
fixed 449008 emacs22/22.1+1-3





Bug marked as fixed in version emacs22/22.1+1-3. Request was from Frank Lichtenheld <djpig@debian.org> to controlbugs.debian.org. (Mon, 11 Aug 2008 21:39:06 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Sep 2008 07:26:30 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:35:38 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.