CVE-2008-4191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4191): extract-table.pl in Emacspeak 26 and 28 allows local users to overwrite arbitrary files via a symlink attack on the extract-table.csv temporary file.
I have emailed upstream to ask about this issue; I am waiting for a response.
All, Upstream has notified me that this is fixed in their svn repository. Should I do an svn snapshot or wait until upstream does another release?
29.0 is out, please bump.
All, emacspeak 29.0 is now in the tree. Should I remove the older versions immediately in this situation?
This also affected our stable 24. William, is 29.0 ok to go stable? You can simply remove the ~arch versions now and the arch ebuild once we have pushed the latest version to stable.
All, I just did a quick test on 29.0, and let's go ahead and push it to stable. Thanks, William
Adding arches. ppc and x86, please stabilize this on your arch. Thanks, William
This call is for =app-accessibility/emacspeak-29.0
ppc stable
x86 stable, all arches done.
Ready for voting, I vote NO.
I vote no too. Feel free to reopen if you disagree.