Debian Bug report logs - #684695
emacs23: CVE-2012-3479: GNU Emacs file-local variables


Package: emacs23; Maintainer for emacs23 is Rob Browning <rlb@defaultvalue.org>; Source for emacs23 is src:emacs23.

Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 13 Aug 2012 07:00:02 UTC

Severity: important

Tags: fixed-upstream, security

Found in versions emacs23/23.4+1-3, emacs23/23.2+1-7

Fixed in versions emacs24/24.2+1-1, emacs23/23.4+1-4, emacs23/23.2+1-7+squeeze1

Done: Rob Browning <rlb@defaultvalue.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#684695; Package emacs23. (Mon, 13 Aug 2012 07:00:04 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Mon, 13 Aug 2012 07:00:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Mon, 13 Aug 2012 09:57:26 +0300
Package: emacs23
Version: 23.2+1-7
Severity: important
Tags: security, fixed-upstream

Paul Ling has found a security flaw in the file-local variables code in GNU Emacs. When the Emacs user option `enable-local-variables' is set to `:safe' (the default value is t), Emacs should automatically refuse to evaluate `eval' forms in file-local variable sections.  Due to the bug, Emacs instead automatically evaluates such `eval' forms.  Thus, if the user changes the value of `enable-local-variables' to `:safe', visiting a malicious file can cause automatic execution of arbitrary Emacs Lisp code with the permissions of the user. The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.

More details:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
http://www.openwall.com/lists/oss-security/2012/08/13/1
http://www.openwall.com/lists/oss-security/2012/08/13/2

I haven't manually verified this in Debian packages. Please ask in case you want me to do it.

- Henri Salo
ps. another bug-report for emacs24
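The report above describes the security-relevant behaviour: with `enable-local-variables` set to `:safe`, Emacs is documented to refuse `eval` forms found in a file's local-variable sections, and Emacs 23.2 through 24.1 evaluated them anyway. As an added example (not part of the bug report, the Debian packaging, or Emacs itself), the following Python script gives a defender a way to audit files for such sections before they are opened in an affected editor: it parses the two places Emacs looks (a `-*- ... -*-` first line, or second line after a shebang, and a trailing `Local Variables:` block), lists every `eval:` form, and models the `:safe` rule the bug failed to apply. The parser is a simplification of Emacs's own (it does not handle `;` inside a first-line value, nor safe-variable whitelisting of ordinary variables), and the sample files are constructed for this example.

```python
"""Audit files for Emacs file-local variables and flag `eval:` forms.

Added example, not code from the bug report or from Emacs.  Checks for
the CVE-2012-3479 scenario: Emacs 23.2-24.1 evaluated `eval' forms from
file-local variable sections even with `enable-local-variables' :safe.
"""
import re

FIRST_LINE_RE = re.compile(r"-\*-\s*(.*?)\s*-\*-")
LOCAL_VARS_RE = re.compile(r"^(.*)Local Variables:(.*)$")
TAIL_CHARS = 3000  # Emacs only scans the last 3000 characters for the block


def parse_first_line(text):
    """Return (name, value) pairs from a '-*- ... -*-' line.

    Like Emacs, look at line 1, or at line 2 when line 1 is a '#!' shebang.
    A lone value without a colon (e.g. '-*- lisp -*-') names the mode.
    """
    lines = text.splitlines()
    candidates = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in candidates:
        m = FIRST_LINE_RE.search(line)
        if not m:
            continue
        body = m.group(1)
        if ":" not in body:
            return [("mode", body.strip())]
        entries = []
        for item in body.split(";"):  # simplification: ';' inside a value is not handled
            name, sep, value = item.partition(":")
            if sep:
                entries.append((name.strip(), value.strip()))
        return entries
    return []


def parse_trailing_block(text):
    """Return (name, value) pairs from a trailing 'Local Variables:' block.

    Whatever surrounds 'Local Variables:' on its line (e.g. ';; ' or
    '/* ' and ' */') is the prefix/suffix every following line must carry;
    the block ends at 'End:' or at the first line that breaks the pattern.
    """
    lines = text[-TAIL_CHARS:].splitlines()
    for i, line in enumerate(lines):
        m = LOCAL_VARS_RE.match(line)
        if m:
            prefix, suffix = m.group(1), m.group(2)
            break
    else:
        return []
    entries = []
    for line in lines[i + 1:]:
        if not (line.startswith(prefix) and line.endswith(suffix)):
            break
        body = line[len(prefix):len(line) - len(suffix)].strip()
        if body == "End:":
            break
        name, sep, value = body.partition(":")
        if sep:
            entries.append((name.strip(), value.strip()))
    return entries


def local_variables(text):
    return parse_first_line(text) + parse_trailing_block(text)


def eval_forms(text):
    """Every Lisp form a visiting Emacs would be asked to evaluate."""
    return [value for name, value in local_variables(text) if name == "eval"]


def safe_mode_filter(entries):
    """The documented :safe rule for `eval' entries: refuse them outright.

    Emacs 23.2-24.1 did not apply this step, so the forms were evaluated
    anyway.  Whitelisting of ordinary variables against their
    safe-local-variable predicates is not modelled here.
    """
    return [(name, value) for name, value in entries if name != "eval"]


def audit(files):
    """files: {name: text}.  Return {name: [eval forms]} for files carrying any."""
    return {name: eval_forms(text) for name, text in files.items() if eval_forms(text)}


# Constructed sample files (not taken from the bug report).
SAMPLE_SHEBANG = (
    "#!/usr/bin/env python3\n"
    '# -*- coding: utf-8; eval: (message "hello") -*-\n'
    "print('hi')\n"
)
SAMPLE_C = (
    "int main(void) { return 0; }\n"
    "/* Local Variables: */\n"
    "/* mode: c */\n"
    "/* eval: (setq indent-tabs-mode nil) */\n"
    "/* End: */\n"
)
SAMPLE_CLEAN = "text\n;; Local Variables:\n;; fill-column: 72\n;; End:\n"

if __name__ == "__main__":
    samples = {"a.py": SAMPLE_SHEBANG, "b.c": SAMPLE_C, "c.txt": SAMPLE_CLEAN}
    for name, forms in audit(samples).items():
        print(f"{name}: eval forms present, refused under :safe: {forms}")
```

Run as a script it reports `a.py` and `b.c` and stays silent on `c.txt`, whose only local variable (`fill-column`) carries no `eval` form. In practice `audit` would be fed the contents of files from a checkout or an inbox attachment directory; any hit is worth a look regardless of the editor's setting, since `:safe` was the setting that was supposed to make these forms harmless and, on the affected versions, did not.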



Marked as found in versions emacs23/23.4+1-3. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 13 Aug 2012 07:21:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684695; Package emacs23. (Tue, 14 Aug 2012 02:15:05 GMT)

Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list. (Tue, 14 Aug 2012 02:15:05 GMT)

Message #12 received at 684695@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Henri Salo <henri@nerv.fi>
Cc: 684694@bugs.debian.org, 684695@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Mon, 13 Aug 2012 21:03:34 -0500
Henri Salo <henri@nerv.fi> writes:

> Paul Ling has found a security flaw in the file-local variables code
> in GNU Emacs. When the Emacs user option `enable-local-variables' is
> set to `:safe' (the default value is t), Emacs should automatically
> refuse to evaluate `eval' forms in file-local variable sections.  Due
> to the bug, Emacs instead automatically evaluates such `eval' forms.
> Thus, if the user changes the value of `enable-local-variables' to
> `:safe', visiting a malicious file can cause automatic execution of
> arbitrary Emacs Lisp code with the permissions of the user. The bug is
> present in Emacs 23.2, 23.3, 23.4, and 24.1.
>
> More details:
> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
> http://www.openwall.com/lists/oss-security/2012/08/13/1
> http://www.openwall.com/lists/oss-security/2012/08/13/2
>
> I haven't manually verified this in Debian packages. Please ask in
> case you want me to do it.

I'll be happy to work on this, but I may not have much time until
Thu/Fri.

Thanks for the help
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#684695; Package emacs23. (Wed, 05 Sep 2012 16:03:08 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Wed, 05 Sep 2012 16:03:08 GMT)

Message #17 received at 684695@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Rob Browning <rlb@defaultvalue.org>
Cc: Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org, 684695@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Wed, 5 Sep 2012 17:57:38 +0200
On Mon, Aug 13, 2012 at 09:03:34PM -0500, Rob Browning wrote:
> Henri Salo <henri@nerv.fi> writes:
> 
> > Paul Ling has found a security flaw in the file-local variables code
> > in GNU Emacs. When the Emacs user option `enable-local-variables' is
> > set to `:safe' (the default value is t), Emacs should automatically
> > refuse to evaluate `eval' forms in file-local variable sections.  Due
> > to the bug, Emacs instead automatically evaluates such `eval' forms.
> > Thus, if the user changes the value of `enable-local-variables' to
> > `:safe', visiting a malicious file can cause automatic execution of
> > arbitrary Emacs Lisp code with the permissions of the user. The bug is
> > present in Emacs 23.2, 23.3, 23.4, and 24.1.
> >
> > More details:
> > http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
> > http://www.openwall.com/lists/oss-security/2012/08/13/1
> > http://www.openwall.com/lists/oss-security/2012/08/13/2
> >
> > I haven't manually verified this in Debian packages. Please ask in
> > case you want me to do it.
> 
> I'll be happy to work on this, but I may not have much time until
> Thu/Fri.

What's the status?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684695; Package emacs23. (Thu, 06 Sep 2012 00:45:11 GMT)

Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list. (Thu, 06 Sep 2012 00:45:11 GMT)

Message #22 received at 684695@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org, 684695@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Wed, 05 Sep 2012 19:42:47 -0500
Moritz Muehlenhoff <jmm@inutil.org> writes:

> On Mon, Aug 13, 2012 at 09:03:34PM -0500, Rob Browning wrote:

>> I'll be happy to work on this, but I may not have much time until
>> Thu/Fri.
>
> What's the status?

For CVE-2012-3479 (#684695), I prepared the release and sent the debdiff
to rt.debian.org (#4005) on Aug 24th, asking if it was acceptable.
Since I haven't heard back, I haven't uploaded yet.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#684695; Package emacs23. (Thu, 06 Sep 2012 07:21:05 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Thu, 06 Sep 2012 07:21:05 GMT)

Message #27 received at 684695@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Rob Browning <rlb@defaultvalue.org>
Cc: Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org, 684695@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Thu, 6 Sep 2012 09:16:49 +0200
On Wed, Sep 05, 2012 at 07:42:47PM -0500, Rob Browning wrote:
> Moritz Muehlenhoff <jmm@inutil.org> writes:
> 
> > On Mon, Aug 13, 2012 at 09:03:34PM -0500, Rob Browning wrote:
> 
> >> I'll be happy to work on this, but I may not have much time until
> >> Thu/Fri.
> >
> > What's the status?
> 
> For CVE-2012-3479 (#684695), I prepared the release and sent the debdiff
> to rt.debian.org (#4005) on Aug 24th, asking if it was acceptable.
> Since I haven't heard back, I haven't uploaded yet.

I was more thinking about unstable, where this is still unfixed for emacs23.

Hopefully someone will have time to release the stable-security update
soon.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684695; Package emacs23. (Thu, 06 Sep 2012 15:54:05 GMT)

Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list. (Thu, 06 Sep 2012 15:54:05 GMT)

Message #32 received at 684695@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 684695@bugs.debian.org, Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Thu, 06 Sep 2012 10:52:30 -0500
Moritz Muehlenhoff <jmm@inutil.org> writes:

> I was more thinking about unstable, where this is still unfixed for emacs23.

In that case I've had to take some time to finish working out another
problem (that requires simultaneous changes to emacs23/24 in both wheezy
and sid) -- it's an issue with the emacs metapackage binary that
involves the creation of a new gcc-defaults-style source package.

At this point, I think I've finished discussing that with the release
team, but haven't had time since then (until today) to finish the work.
I expect to have uploads for both before Monday.

> Hopefully someone will have time to release the stable-security update
> soon.

How does that work?  I have the packages ready to go, but was just
waiting for approval to upload -- or does the security team handle
building stable packages?

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Reply sent to Rob Browning <rlb@defaultvalue.org>:
You have taken responsibility. (Sun, 09 Sep 2012 18:51:29 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 09 Sep 2012 18:51:29 GMT)

Message #37 received at 684695-close@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: 684695-close@bugs.debian.org
Subject: Bug#684695: fixed in emacs24 24.2+1-1
Date: Sun, 09 Sep 2012 18:48:17 +0000
Source: emacs24
Source-Version: 24.2+1-1

We believe that the bug you reported is fixed in the latest version of
emacs24, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684695@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <rlb@defaultvalue.org> (supplier of updated emacs24 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 09 Sep 2012 12:03:31 -0500
Source: emacs24
Binary: emacs24-lucid emacs24-nox emacs24 emacs24-bin-common emacs24-common emacs24-el
Architecture: source amd64 all
Version: 24.2+1-1
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Rob Browning <rlb@defaultvalue.org>
Description: 
 emacs24    - GNU Emacs editor (with GTK+ user interface)
 emacs24-bin-common - GNU Emacs editor's shared, architecture dependent files
 emacs24-common - GNU Emacs editor's shared, architecture independent infrastructur
 emacs24-el - GNU Emacs LISP (.el) files
 emacs24-lucid - GNU Emacs editor
 emacs24-nox - GNU Emacs editor (without X support)
Closes: 684695
Changes: 
 emacs24 (24.2+1-1) unstable; urgency=high
 .
   * Upgrade to upstream version 24.2 and update debian/patches.
 .
   * Remove patches that have been incorporated upstream:
       0010-Rename-infodir-to-buildinfodir-in-doc-Makefile.in-GN.patch
 .
   * Stop producing the emacs binary metapackage.
     Move the emacs binary metapackage to its own source package
     (emacs-defaults, cf. gcc-defaults).  This will prevent emacs23 and
     emacs24 from producing the same binary package.
 .
   * Don't eval code when enable-local-variables is :safe.  Previously,
     Emacs might eval forms in file-local variable sections even when
     the Emacs user option `enable-local-variables' was set to :safe
     (CVE-2012-3479).  Emacs 24.2 fixes the problem.  Thanks to Henri
     Salo <henri@nerv.fi> for the report.  (Closes: #684695)
 .
   * Have debian/% depend on debian/rules since it now sets the
     upstream_ver.
 .
   * Update debian/rules upstream_ver to 24.2 and run "debian/rules
     debian-sync".
Checksums-Sha1: 
 f64a45a64d7f506aa19da5953d78ca99b1536acb 1854 emacs24_24.2+1-1.dsc
 53d6d4e2cd589b588149a5cc48db11c518ccb98f 25179812 emacs24_24.2+1.orig.tar.bz2
 e6d4e81b0d809d13ef5eb6c7a08b7638f75fc273 47948 emacs24_24.2+1-1.debian.tar.gz
 89da3af4e68afbc4b4bedc3cfab56d1451066c86 3999156 emacs24-lucid_24.2+1-1_amd64.deb
 39ca2551536d882148ad961ed10928436f437288 3632980 emacs24-nox_24.2+1-1_amd64.deb
 de6720ca8c67486e18ef5238a96238eeae2dff3c 3988788 emacs24_24.2+1-1_amd64.deb
 dd6338a39b1a0e053c05ce07de082e8f387c4a5d 289612 emacs24-bin-common_24.2+1-1_amd64.deb
 03a77b854b599f5e86bddd58938b58b9e044b6fc 19925706 emacs24-common_24.2+1-1_all.deb
 bc6593125833aef8862b637140d95b9eded75494 14523636 emacs24-el_24.2+1-1_all.deb
Checksums-Sha256: 
 984ce7ecf92cdd408d38559209a78cab3e16b72d6d293bc3bfc399ca8e2354c5 1854 emacs24_24.2+1-1.dsc
 14c44525af5d14bf62425b6f6161adfbbc56df7bf6152d6eaff3a3726d0b096f 25179812 emacs24_24.2+1.orig.tar.bz2
 6d60aa1558b06a3699ad35366dd3165a7506fb0275ceb09f3ef9f9f9eca2b9e2 47948 emacs24_24.2+1-1.debian.tar.gz
 7db763ac3a04e573984f0dab6612586fb3fd3424ba4d36abc2842817e932e6d5 3999156 emacs24-lucid_24.2+1-1_amd64.deb
 cd2a223f2627b9bb1bafdd42cbb217ec83eba9e1205758bb6800ccc5d572daaa 3632980 emacs24-nox_24.2+1-1_amd64.deb
 8e696be565e5ee9a5c970ec080ed565eea7ea3a93f2094237755cb42b3f42b95 3988788 emacs24_24.2+1-1_amd64.deb
 cdf69c6e3e7b89075c97f8982a3a3496499b78735f36f80a15e49e7ece328c0d 289612 emacs24-bin-common_24.2+1-1_amd64.deb
 72f51c8eb9e944b2f92914e950a628d2045e231b6766a03327aad3d657443d34 19925706 emacs24-common_24.2+1-1_all.deb
 ef2560432f551ecd40fd7594c421f423fbffa79acc4c563cb23a0e2248aa5db8 14523636 emacs24-el_24.2+1-1_all.deb
Files: 
 749d380bfb2d58c73434bd5a2e14b344 1854 editors optional emacs24_24.2+1-1.dsc
 494f0bc0cdbe632708c9f783e591d35e 25179812 editors optional emacs24_24.2+1.orig.tar.bz2
 b196441e5be797e95f3baeda2c441727 47948 editors optional emacs24_24.2+1-1.debian.tar.gz
 2fe6291a70a24d9840460ddaea63b3d9 3999156 editors optional emacs24-lucid_24.2+1-1_amd64.deb
 30b6015ac64c6faf67fbf332c52ed025 3632980 editors optional emacs24-nox_24.2+1-1_amd64.deb
 78a55c92c4ec8659cc20e19fb33bd596 3988788 editors optional emacs24_24.2+1-1_amd64.deb
 1baf29e663b6fc86b89105bfd83caeaa 289612 editors optional emacs24-bin-common_24.2+1-1_amd64.deb
 e35f708397d389d13de342a6741d8116 19925706 editors optional emacs24-common_24.2+1-1_all.deb
 178df0817a4b5a1c331f8d414fbf73b7 14523636 editors optional emacs24-el_24.2+1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBM178ACgkQJcjTd4x+c6TnaQCg8idIgipGafO06LbcZLgWAni1
UqkAn3Pmpw9LZ5EtEvp57LOO/MoN2Ib0
=RsAu
-----END PGP SIGNATURE-----




Reply sent to Rob Browning <rlb@defaultvalue.org>:
You have taken responsibility. (Sun, 09 Sep 2012 19:06:03 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 09 Sep 2012 19:06:03 GMT)

Message #42 received at 684695-close@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: 684695-close@bugs.debian.org
Subject: Bug#684695: fixed in emacs23 23.4+1-4
Date: Sun, 09 Sep 2012 19:03:00 +0000
Source: emacs23
Source-Version: 23.4+1-4

We believe that the bug you reported is fixed in the latest version of
emacs23, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684695@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <rlb@defaultvalue.org> (supplier of updated emacs23 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 08 Sep 2012 14:59:52 -0500
Source: emacs23
Binary: emacs23-lucid emacs23-nox emacs23 emacs23-bin-common emacs23-common emacs23-el
Architecture: source amd64 all
Version: 23.4+1-4
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Rob Browning <rlb@defaultvalue.org>
Description: 
 emacs23    - The GNU Emacs editor (with GTK+ user interface)
 emacs23-bin-common - The GNU Emacs editor's shared, architecture dependent files
 emacs23-common - The GNU Emacs editor's shared, architecture independent infrastru
 emacs23-el - GNU Emacs LISP (.el) files
 emacs23-lucid - The GNU Emacs editor
 emacs23-nox - The GNU Emacs editor (without X support)
Closes: 684695
Changes: 
 emacs23 (23.4+1-4) unstable; urgency=high
 .
   * Add 0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch.
     Don't eval code when enable-local-variables is :safe.  Previously,
     Emacs might eval forms in file-local variable sections even when
     the Emacs user option `enable-local-variables' was set to :safe
     (CVE-2012-3479).  Please see the patch for additional details.
     Thanks to Henri Salo <henri@nerv.fi> for the report.
     (Closes: #684695)
 .
   * Stop producing the emacs binary metapackage.  Move the emacs
     binary metapackage to its own source package (emacs-defaults,
     cf. gcc-defaults).  This will prevent emacs23 and emacs24 from
     producing the same binary package.
Checksums-Sha1: 
 3015c18ee0a5e0e146ffe751e48fbfe96cb7d649 1780 emacs23_23.4+1-4.dsc
 a0772af139e1892bdd7ae6ea874bb3c74c61c850 57740 emacs23_23.4+1-4.debian.tar.gz
 83fbb5b6f9b958412cf50f910cad5c93fb39d7bc 3439440 emacs23-lucid_23.4+1-4_amd64.deb
 5bf6e501c480b9f4e62bff50e84d04fd83ad431f 3091532 emacs23-nox_23.4+1-4_amd64.deb
 f1c9f8c4ddd164911f2a03322ac8ece276197b9c 3431646 emacs23_23.4+1-4_amd64.deb
 3b83c60357783a546ec770a131520a8d39a6603d 262966 emacs23-bin-common_23.4+1-4_amd64.deb
 e9cfb6b09c2ecf7767b70f635357f9c552357219 18648436 emacs23-common_23.4+1-4_all.deb
 c40b1262368ea6c7cf032a91e28f45039bf3bac7 13795132 emacs23-el_23.4+1-4_all.deb
Checksums-Sha256: 
 3e393b002a79d72d285750466cd668bc95a38363d0ec76942a9cec8132d6cebc 1780 emacs23_23.4+1-4.dsc
 0e1db1b9eaf0edeca02c84d1101e2b0aafdb09b7f908c4517007ef5510e44aaf 57740 emacs23_23.4+1-4.debian.tar.gz
 fb2bd96e2c688218fc516551bf7c1e3b8655b3f6603c3717157c3a2d01e4b0fa 3439440 emacs23-lucid_23.4+1-4_amd64.deb
 d6bfbaf6cd8718e9d5c00a3d615a744751365821268e1a949d436e170e1583be 3091532 emacs23-nox_23.4+1-4_amd64.deb
 16afc283ab7f2102220a06082650d6d4040e069347b912d005134ce09c578d21 3431646 emacs23_23.4+1-4_amd64.deb
 950e3dc9e69b69478f3c5336ab21c840d4bf1cdcce8ce42b3a26de44aec5c8b2 262966 emacs23-bin-common_23.4+1-4_amd64.deb
 d6a7ed542ff3067d5f17150eeabed85fcc864cffd88f0ec6e4f61f5f493cbc6e 18648436 emacs23-common_23.4+1-4_all.deb
 9128ff3f749c41045ede80af2dc3f51dce9e53aaec182fde2a89701667c06c40 13795132 emacs23-el_23.4+1-4_all.deb
Files: 
 7f0a54c3cfdbf98f6becc6dc67acafcb 1780 editors optional emacs23_23.4+1-4.dsc
 d5e464c3752449c789db85926cc44b3a 57740 editors optional emacs23_23.4+1-4.debian.tar.gz
 24701956eaf736b0c2e8b5821ef2567e 3439440 editors optional emacs23-lucid_23.4+1-4_amd64.deb
 268788bc859b4d460f894b2700dfacdd 3091532 editors optional emacs23-nox_23.4+1-4_amd64.deb
 5cd8a72e8512eb1659b6b8cb1b9c60f2 3431646 editors optional emacs23_23.4+1-4_amd64.deb
 7862ed4777a9f80e203ae7405c0051fa 262966 editors optional emacs23-bin-common_23.4+1-4_amd64.deb
 95768b06978c04b25ff103e91fefc315 18648436 editors optional emacs23-common_23.4+1-4_all.deb
 8403b642e371d7a6dddde259c3f3e8ff 13795132 editors optional emacs23-el_23.4+1-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBLrs4ACgkQJcjTd4x+c6QMDwCgnhBYMN3mJHTquzBOBBIS2u7Z
UvcAnRma7ieThSDogHkrq7hB243rKcbz
=7RCY
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#684695; Package emacs23. (Wed, 03 Oct 2012 09:48:08 GMT)

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Wed, 03 Oct 2012 09:48:08 GMT)

Message #47 received at 684695@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Rob Browning <rlb@defaultvalue.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 684695@bugs.debian.org, Henri Salo <henri@nerv.fi>, 684694@bugs.debian.org
Subject: Re: Bug#684695: emacs23: CVE-2012-3479: GNU Emacs file-local variables
Date: Wed, 3 Oct 2012 11:44:29 +0200
On Thu, Sep 06, 2012 at 10:52:30AM -0500, Rob Browning wrote:
> Moritz Muehlenhoff <jmm@inutil.org> writes:
> 
> > I was more thinking about unstable, where this is still unfixed for emacs23.
> 
> In that case I've had to take some time to finish working out another
> problem (that requires simultaneous changes to emacs23/24 in both wheezy
> and sid) -- it's an issue with the emacs metapackage binary that
> involves the creation of a new gcc-defaults-style source package.
> 
> At this point, I think I've finished discussing that with the release
> team, but haven't had time since then (until today) to finish the work.
> I expect to have uploads for both before Monday.
> 
> > Hopefully someone will have time to release the stable-security update
> > soon.
> 
> How does that work?  I have the packages ready to go, but was just
> waiting for approval to upload -- or does the security team handle
> building stable packages?

Hi Rob,

Sorry for the late response. I've been very short of time these last months and
apparently no one else chimed in on this thread.

Please upload your build to security-master (it needs to be built with
-sa, since emacs23 is new in the stable-security suite; otherwise
the security buildd network will trigger strange errors).

As for the other security issues (untrusted search path in CEDET):
I had a look at the Ubuntu security update for Emacs, which they released
a few days ago; they also ignored the CEDET issue since they couldn't
create a backport for the releases based on releases older than 23.3.

Also, since the vulnerability is rather far-fetched we can ignore it 
for Squeeze IMHO.

Cheers,
        Moritz



Reply sent to Rob Browning <rlb@defaultvalue.org>:
You have taken responsibility. (Sat, 12 Jan 2013 15:48:18 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 12 Jan 2013 15:48:18 GMT)

Message #52 received at 684695-close@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: 684695-close@bugs.debian.org
Subject: Bug#684695: fixed in emacs23 23.2+1-7+squeeze1
Date: Sat, 12 Jan 2013 15:47:07 +0000
Source: emacs23
Source-Version: 23.2+1-7+squeeze1

We believe that the bug you reported is fixed in the latest version of
emacs23, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684695@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <rlb@defaultvalue.org> (supplier of updated emacs23 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 24 Aug 2012 12:34:17 -0500
Source: emacs23
Binary: emacs emacs23-lucid emacs23-nox emacs23 emacs23-bin-common emacs23-common emacs23-el
Architecture: source all amd64
Version: 23.2+1-7+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Rob Browning <rlb@defaultvalue.org>
Description: 
 emacs      - The GNU Emacs editor (metapackage)
 emacs23    - The GNU Emacs editor (with GTK+ user interface)
 emacs23-bin-common - The GNU Emacs editor's shared, architecture dependent files
 emacs23-common - The GNU Emacs editor's shared, architecture independent infrastru
 emacs23-el - GNU Emacs LISP (.el) files
 emacs23-lucid - The GNU Emacs editor
 emacs23-nox - The GNU Emacs editor (without X support)
Closes: 594320 684695
Changes: 
 emacs23 (23.2+1-7+squeeze1) stable-security; urgency=high
 .
   * Mention the fullscreen "maximized" value in the emacs man page.
     Thanks to Peter Eisentraut <petere@debian.org> for the report and
     Sven Joachim <svenjoac@gmx.de> for the patch. (closes: #594320)
 .
   * Add hack-local-variables-filter-fix-for-bug-12155.diff.  Don't
     eval code when enable-local-variables is :safe.  Previously, Emacs
     might eval forms in file-local variable sections even when the
     Emacs user option `enable-local-variables' was set to :safe
     (CVE-2012-3479).  Please see the patch for additional details.
     Thanks to Henri Salo <henri@nerv.fi> for the report.
     (Closes: #684695)
Checksums-Sha1: 
 6884b4b23c97ef4dbde33cffdd4113729b4420f4 2269 emacs23_23.2+1-7+squeeze1.dsc
 41418b900fc088a5a34d0b493d0d6b731a499f06 23319578 emacs23_23.2+1.orig.tar.bz2
 c746bca7253c4345c8c2ea567c8a4e8cf4287c6e 55182 emacs23_23.2+1-7+squeeze1.debian.tar.gz
 220e8974192092a086c0a007cc1abd5e6591d95f 88922 emacs_23.2+1-7+squeeze1_all.deb
 0438bf88350f9a291243901d7f3593c7618dc5ae 3407022 emacs23-lucid_23.2+1-7+squeeze1_amd64.deb
 ae24beab845694046cc1addedd90286ceacaeef2 3066088 emacs23-nox_23.2+1-7+squeeze1_amd64.deb
 1eae55b375fe15e2505878890443a6b42627a79f 3405726 emacs23_23.2+1-7+squeeze1_amd64.deb
 5d7c86560f143ea26bf9618997bac678ccdf526c 256948 emacs23-bin-common_23.2+1-7+squeeze1_amd64.deb
 1f156ca62a1effbca7b46a071b7d299ffff0243b 18514612 emacs23-common_23.2+1-7+squeeze1_all.deb
 3d81b9da7d840be65ac272e8e609266cbee6ade3 13706036 emacs23-el_23.2+1-7+squeeze1_all.deb
Checksums-Sha256: 
 835c5f483aefb946dacc04af53dd85e7331230775a73cf88bc791605e284a7d2 2269 emacs23_23.2+1-7+squeeze1.dsc
 0212360624a078cf0a2a8681bd0a1aaa8b4e37d058e7d81707e6dfca7c6a9b59 23319578 emacs23_23.2+1.orig.tar.bz2
 2f6b0180927ca284419aaa14200b5bdf81ca58e75042469463c975c83d94f578 55182 emacs23_23.2+1-7+squeeze1.debian.tar.gz
 7bfd2d0eb56891f3d1a0eaeb43df85f1d9ec42db1513d5e7d4b70adc98be7618 88922 emacs_23.2+1-7+squeeze1_all.deb
 3232db82e577d963ed1339f87ad27bcee87a5dc2fa4792574f33b314bfb1a958 3407022 emacs23-lucid_23.2+1-7+squeeze1_amd64.deb
 ab984090c6fd5c4b4653a43d93e7da0837dd04907eca969abc038f52ccd728ba 3066088 emacs23-nox_23.2+1-7+squeeze1_amd64.deb
 bd059cea4e8d7bbf63e29b9772a18d87c625010dc304a7162ee603ae8038ebfe 3405726 emacs23_23.2+1-7+squeeze1_amd64.deb
 427391fbaa3b30eaa0c68231eaa264fe97644f1262e90e455f320f78051d5c9e 256948 emacs23-bin-common_23.2+1-7+squeeze1_amd64.deb
 b8fea6021d71538f7b391ba510f439c4f553dda58d59233f9a7fb90a6a1473e4 18514612 emacs23-common_23.2+1-7+squeeze1_all.deb
 8a4c61174c6a0ef84f8773a8706710dcd8ba207e89941f1a2c3fb4ae1daf561a 13706036 emacs23-el_23.2+1-7+squeeze1_all.deb
Files: 
 b2b8fb1aeeed184a3035aa1b4bec9ce3 2269 editors optional emacs23_23.2+1-7+squeeze1.dsc
 11350b687e3819350e2fbdf971084eba 23319578 editors optional emacs23_23.2+1.orig.tar.bz2
 459d6f0941faeb78b860774c733d1e48 55182 editors optional emacs23_23.2+1-7+squeeze1.debian.tar.gz
 2f1e89af263f6d267aa81b32a1b928b8 88922 editors optional emacs_23.2+1-7+squeeze1_all.deb
 760e7ecb28ea4c0b574f93af96fea6ab 3407022 editors optional emacs23-lucid_23.2+1-7+squeeze1_amd64.deb
 03bc994eca3718bb85af89b1c1023a5b 3066088 editors optional emacs23-nox_23.2+1-7+squeeze1_amd64.deb
 ae8140b9de79af730fe85284c429d88b 3405726 editors optional emacs23_23.2+1-7+squeeze1_amd64.deb
 d0bedff3f355a00f6b9bc8ecc747e511 256948 editors optional emacs23-bin-common_23.2+1-7+squeeze1_amd64.deb
 49cdd17a726848fa374f9184e917d486 18514612 editors optional emacs23-common_23.2+1-7+squeeze1_all.deb
 18d752a5db8ad381e06878e24d89cbbe 13706036 editors optional emacs23-el_23.2+1-7+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQ7LoTAAoJEO7xFsVaWkLxu3sQAJgYUdCQJv3GPD96qIgFpdB1
1JLO2fxYYR4mz2gF7pCrU5njFIx6M8jJuUQzrqMB8evq27pXQJu0pWbn70SL11J9
LO+lFQM9kP+5w3sG4FI9ezG5hlDo0u/GI3oZ7eYLoGJW08NIi+bBIkx/tTyn8vl+
9a/IdKYlr7AmKc4MQJFsaNefoCIh3XtCRtx0toIALnJ6P+4bn1SVwY6BXAG2Mgp+
pDQs9p0LWQpmHP5Px3GUihit4+hTcYkOxt8k4SUTbj9eOokwnSRY4fd0mXd+nGOc
9cj/Nlobihu9OFvVyG9LJ5E3N2qINdqBK+wRmRJxiEznB0bwqIPUxw3UtbPKzpq4
r64cE2SraX0cPAExcAKJ4E2PJFC0xktwcXY91vAVYIvW0ta6/xTSw8xe2iz1ZoN7
/IVLX2h5hAT/MK4C9/9XtWTqRCPSx82htRughfRSN2ucm393Mzn5kuYwnpHrGTlI
WDXjqU3WO8HFUzYMSPbaJRErsb8i1V7tEErPetAv2TDDSY+keHR7sIrcDnrZ7n/s
hWlI4ryGMGqJttHU7H1R7UmFxAv5qagwfYHSMdu5yDj4CVi7+M/tcH1gM6LNu3so
/BtqdnWfa8EYSs6anUqygAOpq5yrfAnwMRPnXNd0iMbCsQMiEcCj1259EbI7wh4A
NrdDzw7vYE2s392lYGLN
=s7TS
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 21:49:21 2014; Machine Name: beach.debian.org
