Mike Kupfer writes:
Ubuntu just announced a couple security updates for Emacs 23.3. Does
anyone here know if XEmacs has similar issues?
* SECURITY UPDATE: untrusted search path vulnerability
I don't know exactly what this is, but I'm sure we have it. ;-)
* SECURITY UPDATE: arbitrary lisp code execution via crafted file
  - debian/patches/CVE-2012-3479.patch: ignore eval: forms that are not
    known to be safe if enable-local-variables is set to :safe in
    lisp/files.el.
We don't support :safe. It is interpreted as "query the user."
Do we really need to worry about these CVEs? I mean, I would consider
Emacsen rather unsafe by default, and anybody who needs to worry about
:safe :eval forms is probably in trouble if they use Emacsen in that
context at all. The only thing I would consider cause for concern on
our part is security of passwords in comint-like modes.
_______________________________________________
XEmacs-Beta mailing list
XEmacs-Beta(a)xemacs.org
http://lists.xemacs.org/mailman/listinfo/xemacs-beta
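
The changelog entry quoted above concerns `eval:` forms in file-local variables. As an added example (not part of the original thread, and not Emacs or XEmacs code), this Python sketch audits a file's text for `eval:` entries before it is opened in an editor; the function names are hypothetical, the sample file is constructed, and the parsing assumes the usual Emacs conventions (a `-*-` line at the top, or a `Local Variables:` block in the last 3000 characters).

```python
import re

# Constructed sample file: eval: entries in both places Emacs reads file-local
# variables, the "-*-" line and the trailing "Local Variables:" block.
SAMPLE = '''\
;; -*- mode: emacs-lisp; eval: (setq constructed-flag-a t) -*-
(defun harmless () t)
;; Local Variables:
;; fill-column: 72
;; eval: (setq constructed-flag-b t)
;; End:
'''

def _pair(entry):
    """Split 'name: value' into (name, value); None when there is no colon."""
    name, sep, value = entry.partition(":")
    return (name.strip().lower(), value.strip()) if sep else None

def first_line_vars(text):
    """Entries from the -*- ... -*- line (line 1, or line 2 after a #! line)."""
    lines = text.splitlines()[:2]
    if lines and not lines[0].startswith("#!"):
        lines = lines[:1]
    for line in lines:
        m = re.search(r"-\*-(.*?)-\*-", line)
        # A value containing ';' is truncated here; its name is still reported.
        for entry in (m.group(1).split(";") if m else []):
            if _pair(entry):
                yield _pair(entry)

def trailing_block_vars(text):
    """Entries from the last 'Local Variables:' block in the final 3000 chars."""
    tail = text[-3000:]
    hits = list(re.finditer(r"^(.*?)Local Variables:(.*)$", tail, re.M | re.I))
    for hit in hits[-1:]:
        prefix, suffix = hit.group(1).strip(), hit.group(2).strip()
        for line in tail[hit.end():].splitlines():
            body = line.strip()
            if prefix and body.startswith(prefix):
                body = body[len(prefix):]
            if suffix and body.endswith(suffix):
                body = body[:-len(suffix)]
            if body.strip().lower() == "end:":
                break
            if _pair(body):
                yield _pair(body)

def find_eval_forms(text):
    """Return [(location, lisp_form)] for every eval: file-local entry."""
    sources = (("first-line", first_line_vars), ("trailing-block", trailing_block_vars))
    return [(loc, v) for loc, fn in sources for n, v in fn(text) if n == "eval"]
```

An empty result means no `eval:` entry was found in either location; it says nothing about other file-local variables the file may set.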