Stephen J. Turnbull wrote:
> Mike Kupfer writes:
>  > Ubuntu just announced a couple security updates for Emacs 23.3. Does
>  > anyone here know if XEmacs has similar issues?
>  >
>  > * SECURITY UPDATE: untrusted search path vulnerability
> I don't know exactly what this is, but I'm sure we have it. ;-)
Heh, okay, I'll take a look at the EDE patch when I'm feeling more
with it (just came down with a cold).
>  > * SECURITY UPDATE: arbitrary lisp code execution via crafted
>  > file
>  > - debian/patches/CVE-2012-3479.patch: ignore eval: forms that are not
>  > known to be safe if enable-local-variables is set to :safe in
>  > lisp/files.el.
> We don't support :safe. It is interpreted as "query the user."
Ah, good, that sounds fine to me.
> The only thing I would consider cause for concern on
> our part is security of passwords in comint-like modes.
Well, the Ubuntu announcement text for the first one says
    If a user were tricked into opening a file with Emacs, a local
    attacker could execute arbitrary Lisp code with the privileges of
    the user invoking the program.
If a user can protect themselves against this by having a suitably
cautious configuration (e.g., having enable-local-eval set to something
other than t), then I'm not concerned. On the other hand, if the only
way to avoid this problem is to not use EDE, then I think we should fix
EDE.
mike
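As an added example that is not code from the thread, GNU Emacs or XEmacs: the policy the Debian patch describes (drop eval: forms that are not on the whitelist when enable-local-variables is :safe, ask under t, apply nothing under nil) modelled as an Emacs Lisp filter over a file's local-variables alist. The my- names and the sample alist are assumptions; safe-local-variable-p and safe-local-eval-forms are GNU Emacs' files.el definitions, so this follows the GNU Emacs semantics and runs there rather than in XEmacs.

```elisp
;; Added example, not code from the thread, GNU Emacs or XEmacs.  `my-'
;; names and the sample alist are assumptions; `safe-local-variable-p'
;; and `safe-local-eval-forms' are GNU Emacs' own definitions (files.el).

(defun my-classify-local-variable (var val policy)
  "Return `apply', `query' or `ignore' for file-local VAR set to VAL.
POLICY is the value of `enable-local-variables': t, :safe or nil."
  (cond
   ;; nil: file-local variables are switched off entirely.
   ((null policy) 'ignore)
   ;; eval: forms are honoured only when whitelisted.  Under :safe an
   ;; unknown form is dropped rather than evaluated (the CVE-2012-3479
   ;; behaviour); under t the user is asked first.
   ((eq var 'eval)
    (cond ((member val safe-local-eval-forms) 'apply)
          ((eq policy :safe) 'ignore)
          (t 'query)))
   ;; Ordinary variables: apply when the variable's safe-local-variable
   ;; predicate accepts the value, otherwise ignore (:safe) or ask (t).
   ((safe-local-variable-p var val) 'apply)
   ((eq policy :safe) 'ignore)
   (t 'query)))

(defun my-filter-local-variables (alist policy)
  "Partition ALIST of (VAR . VAL) pairs into a list (APPLY QUERY IGNORE)."
  (let (to-apply to-query to-ignore)
    (dolist (pair alist)
      (let ((class (my-classify-local-variable (car pair) (cdr pair) policy)))
        (cond ((eq class 'apply) (push pair to-apply))
              ((eq class 'query) (push pair to-query))
              (t (push pair to-ignore)))))
    (list (nreverse to-apply) (nreverse to-query) (nreverse to-ignore))))

;; Constructed sample of what a file's "Local Variables:" block may set.
;; fill-column is declared safe for integers; my-project-flag has no
;; safe-local-variable predicate; the eval form is a benign placeholder
;; that is not on the whitelist.
(defvar my-sample-local-variables
  '((fill-column . 72)
    (my-project-flag . 42)
    (eval . (message "visited"))))

;; Under :safe only fill-column is applied and the other two are ignored;
;; under t they would be queued for a query; under nil nothing is applied.
(my-filter-local-variables my-sample-local-variables :safe)
```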
_______________________________________________
XEmacs-Beta mailing list
XEmacs-Beta(a)xemacs.org
http://lists.xemacs.org/mailman/listinfo/xemacs-beta