Bug 253985 - app-editors/emacs, app-editors/emacs-cvs "file local variables" denial-of-service attack
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All All
Importance: High normal
Assignee: Emacs project
URL: http://thread.gmane.org/gmane.emacs.d...
Reported: 2009-01-06 15:58 UTC by Ulrich Müller
Modified: 2009-04-29 05:28 UTC (History)
Description Ulrich Müller gentoo-dev 2009-01-06 15:58:58 UTC
The Lisp reader syntax in recent Emacs versions allows for circular objects.
This can be exploited for a denial-of-service attack (remove the "*" from the word "Variables" below to enable it):

$ cat testfile
Local Variab*les:
byte-compile-warnings: #1=("circular" "object" . #1#)
End:
$ emacs -Q testfile

Now Emacs will hang and consume all CPU time.

Variant of the attack (requires emacs-cvs for the "--daemon" option):
$ emacs -Q --daemon
$ emacsclient testfile

Again, Emacs will hang and consume CPU time, and as far as I can see there is no way to regain control.

Similar attacks are also possible for variables "epa-file-encrypt-to", "tex-verbatim-environments", and maybe others, too. These variables have in common that their "save-local-variable" properties point to custom functions that check for a valid value of the respective variable. If that value is a list, the functions try to verify each element, which will fail if the list contains circular structures.

Affected by the problem are app-editors/emacs >=22 and app-editors/emacs-cvs.

I haven't reported the issue upstream yet.
Comment 1 Ulrich Müller gentoo-dev 2009-01-06 16:06:49 UTC
> These variables have in common that their "save-local-variable" properties
> point to custom functions

Correction: The property is called "safe-local-variable" (not "save").
Comment 2 Ulrich Müller gentoo-dev 2009-01-09 17:14:33 UTC
Reassigning to Emacs team, since it is a user-assisted DoS attack, and neither rbu nor upstream consider this a security issue.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-01-09 17:16:13 UTC
public via http://thread.gmane.org/gmane.emacs.devel/107726
Comment 4 Ulrich Müller gentoo-dev 2009-04-29 05:26:55 UTC
 
Comment 5 Ulrich Müller gentoo-dev 2009-04-29 05:28:48 UTC
Fixed in CVS upstream.
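
The description attributes the hang to "safe-local-variable" predicates that verify a list value element by element. As an added example (not code from this bug report or from Emacs; `example-string-list-p` and `example-names` are hypothetical names), a predicate of that kind can bound its walk with Floyd cycle detection, so that a circular value is rejected instead of looping forever:

```elisp
;;; -*- lexical-binding: t -*-
;; Added example. `example-string-list-p' and `example-names' are
;; hypothetical names, not part of Emacs or of the Gentoo packages.

(defun example-string-list-p (value)
  "Return non-nil if VALUE is a finite, nil-terminated list of strings.
Terminates on circular and dotted lists instead of looping."
  (let ((slow value)   ; advances one cons per iteration
        (fast value)   ; advances two conses per iteration
        (ok t))
    (while (and ok (consp fast))
      (if (not (stringp (car fast)))
          (setq ok nil)
        (setq fast (cdr fast))
        (when (consp fast)
          (if (not (stringp (car fast)))
              (setq ok nil)
            (setq fast (cdr fast)
                  slow (cdr slow))
            ;; The fast pointer can only meet the slow one inside a cycle.
            (when (and (consp fast) (eq fast slow))
              (setq ok nil))))))
    ;; A proper list ends in nil; a dotted tail such as ("a" . "b") fails.
    (and ok (null fast))))

;; Register the predicate for a (hypothetical) file-local variable.
(defvar example-names nil)
(put 'example-names 'safe-local-variable #'example-string-list-p)

;; Constructed inputs. The circular value uses the same reader syntax
;; as the test file in the description.
(let ((circular (car (read-from-string
                      "#1=(\"circular\" \"object\" . #1#)"))))
  (unless (and (example-string-list-p '("a" "b" "c"))
               (example-string-list-p nil)
               (not (example-string-list-p circular))
               (not (example-string-list-p '("a" . "b")))
               (not (example-string-list-p '("a" 42))))
    (error "example-string-list-p: self-check failed")))
```

Loading the file with `emacs -Q --batch -l` runs the self-check at the end, which signals an error if the predicate accepts the circular or malformed values.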