Bug 950285 - app-editors/emacs-{26.3-r22,27.2-r20,28.2-r16,29.4-r2} stable request
Status: IN_PROGRESS
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization
Hardware: All Linux
Importance: Normal enhancement
Assignee: GNU Emacs project
URL:
Whiteboard:
Keywords: CC-ARCHES, SECURITY
Depends on:
Blocks: CVE-2024-53920 CVE-2025-1244
Reported: 2025-02-25 19:19 UTC by Ulrich Müller
Modified: 2025-02-27 08:52 UTC

See Also:
Package list:
app-editors/emacs-26.3-r22 app-editors/emacs-27.2-r20 app-editors/emacs-28.2-r16 app-editors/emacs-29.4-r2
Runtime testing required: ---
nattka: sanity-check+


Description Ulrich Müller gentoo-dev 2025-02-25 19:19:08 UTC
Test plan: <https://wiki.gentoo.org/wiki/Project:Emacs/Test_plans#GNU_Emacs_and_core_components>


If you want to test whether the unsafe macro-expansion vulnerability has been fixed, follow the recipes outlined in:
<https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html>
<https://lists.gnu.org/archive/html/emacs-devel/2018-08/msg00502.html>

Recipe 1: Save the following code in a .el file, then visit the file with Emacs:

;; -*- eval: (flymake-mode 1) -*-
(rx (eval (call-process "touch" nil nil nil "/tmp/owned")))

Recipe 2: Paste the following code into the *scratch* buffer, place point immediately behind the symbol foo in the third line, and type "M-x completion-at-point RET":

(let ((fooo (eval-when-compile
	      (call-process "touch" nil nil nil "/tmp/owned"))))
  foo
  )

For both recipes, a /tmp/owned file should _not_ be created.


Thanks in advance.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-25 22:50:22 UTC
ppc64 done
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-25 22:50:28 UTC
arm done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-26 03:59:35 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-26 03:59:39 UTC
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-27 06:31:29 UTC
hppa done
Comment 6 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2025-02-27 08:52:41 UTC
arm64 done