Re: [Bug: 21.5-b28] .flc files can run arbitrary code automatically
On Thu, 05 Jun 2008 21:31:19 +0300, Ville Skyttä wrote:
On Saturday 10 May 2008, Stephen J. Turnbull wrote:
> The attached message was seen on emacs-devel. Claimed to affect XEmacs
> too.
Patch in Gentoo bug tracker looks sane to me, I haven't tested it
though.
http://bugs.gentoo.org/show_bug.cgi?id=221197#c15
The new security explanation in the docstring could be improved though -
using the file's current dir is just one bad choice. Maybe better:
"This list should contain only trusted directories in order to avoid
reading/executing potentially malicious cache files."
Norbert, WDYT?
It would be great to get a new package released with a fix for this bug
ASAP.
Given the status of the security bug for Gentoo something needs to happen
soon, and without a released new package that means either dropping edit-
utils (not a real option), or creating a Gentoo-specific new package.
While the latter is feasible I'd much rather just use a new XEmacs
package.
Kind regards,
Hans
_______________________________________________
XEmacs-Beta mailing list
XEmacs-Beta(a)xemacs.org
http://calypso.tux.org/cgi-bin/mailman/listinfo/xemacs-beta