Ubuntu just announced a couple security updates for Emacs 23.3. Does
anyone here know if XEmacs has similar issues?
  * SECURITY UPDATE: untrusted search path vulnerability
    - debian/patches/CVE-2012-0035.patch: add new option and use it in
      lisp/cedet/ede/auto.el, lisp/cedet/ede.el, lisp/cedet/ede/simple.el.
    - CVE-2012-0035
  * SECURITY UPDATE: arbitrary lisp code execution via crafted file
    - debian/patches/CVE-2012-3479.patch: ignore eval: forms that are not
      known to be safe if enable-local-variables is set to :safe in
      lisp/files.el.
    - CVE-2012-3479
mike
_______________________________________________
XEmacs-Beta mailing list
XEmacs-Beta(a)xemacs.org
http://lists.xemacs.org/mailman/listinfo/xemacs-beta
Eric M. Ludlam writes:
> The issue is that if a user enables ede-mode, it will attempt to
> automatically identify a project whenever you visit a file. The
> unpatched version of EDE will then load whatever file is called
> Project.ede in order to create the project file stored within.
I second Mike's "thank you".
It's possible to (relatively) safely do this by `read'ing sexps from
the file rather than `load'ing the file.[1] Users can still specify
executable code by using function symbols or lambdas, but they (and
you) have much finer control over if and when to evaluate it.
I think in the long run you should probably deprecate Project.ede-
style configuration and move to a format that is an alist or plist
that is read rather than loaded.
Footnotes:
[1] If you do it the easy way and just iterate over an alist
automatically setq'ing the cars to the cdrs, you still have an attack
by specifying a lambda as value for a hook variable or similar (e.g.,
`fill-paragraph-function' is reasonably certain to be called soon).
Although desktop.el `read's its configuration rather than `load's it,
this is why I suspect it's possible to execute code from an
.emacs.desktop file. The user need not know unless they have their
own fill-paragraph-function, as the lambda can be something like

    (lambda (&rest args)
      (do-your-evil-thing)
      (setq fill-paragraph-function nil)
      (apply #'fill-paragraph args))

A variant would let-bind `fill-paragraph-function', allowing the Evil
Thing to be repeated frequently.
_______________________________________________
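[Added example, not part of any message in this thread and not code from EDE
or desktop.el.] One way to apply the advice above: `read' the project file as
an alist, then accept only allowlisted keys whose values pass a type
predicate, so a function value aimed at a hook variable never gets assigned.
All `my-proj-' names are hypothetical, and GNU Emacs is assumed for `dolist'
and `push'.

```elisp
;;; Added example; every `my-proj-' name is hypothetical.

(defun my-proj-string-list-p (value)
  "Return non-nil if VALUE is a proper list containing only strings."
  (let ((ok (listp value)))
    (while (and ok value)
      (setq ok (and (consp value) (stringp (car value)))
            value (cdr-safe value)))
    ok))

(defvar my-proj-allowed-keys
  '((name . stringp)
    (version . stringp)
    (include-path . my-proj-string-list-p))
  "Alist of (KEY . PREDICATE): the only settings a project file may carry.")

(defun my-proj-validate (form)
  "Return the entries of alist FORM after checking each against the allowlist.
Nothing in FORM is evaluated or assigned to a variable."
  (let ((result nil))
    (dolist (entry form)
      (let ((check (and (consp entry)
                        (cdr (assq (car entry) my-proj-allowed-keys)))))
        (unless check
          (error "Setting not allowed: %S" (car-safe entry)))
        (unless (funcall check (cdr entry))
          (error "Bad value for %S" (car entry)))
        (push entry result)))
    (nreverse result)))

(defun my-proj-read-config (file)
  "Read the first sexp in FILE with `read' (never `load') and validate it."
  (with-temp-buffer
    (insert-file-contents file)
    (goto-char (point-min))
    (my-proj-validate (read (current-buffer)))))

;; Constructed input: the second entry is the hook-variable case from the
;; footnote.  It is rejected because `fill-paragraph-function' is not an
;; allowed key, so the lambda stays inert data.
(condition-case err
    (my-proj-validate
     (car (read-from-string
           "((name . \"demo\") (fill-paragraph-function . (lambda (&rest a) nil)))")))
  (error (message "rejected: %s" (error-message-string err))))
```

The caller gets back plain data and decides what to do with each validated
entry; nothing here calls `setq', `set' or `eval' on file contents.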
Eric M. Ludlam wrote:
> Let me shed a little light on the problem.
[...]
> Hope that helps.
It does; thanks!
mike
_______________________________________________
ACTIVITY SUMMARY (2012-09-25 - 2012-10-02)
XEmacs Issue Tracking System at http://tracker.xemacs.org/XEmacs/its/
To view or respond to any of the issues listed below, click on the issue
number. Do NOT respond to this message.
553 open ( +1) / 289 closed ( +0) / 842 total ( +1)
Open issues with patches: 13
Average duration of open issues: 1239 days.
Median duration of open issues: 1315 days.
Open Issues Breakdown
new 226 ( +1)
deferred 6 ( +0)
napping 3 ( +0)
verified 56 ( +0)
assigned 153 ( +0)
committed 19 ( +0)
documented 3 ( +0)
done/needs work 18 ( +0)
Issues Created Or Reopened (1)
______________________________
cc-mode parse errors on buffers that aren't source code 2012-10-02
http://tracker.xemacs.org/XEmacs/its/issue844 created mike.kupfer
_______________________________________________