Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 950285 - app-editors/emacs-{26.3-r23,27.2-r21,28.2-r17,29.4-r3} stable request
Summary: app-editors/emacs-{26.3-r23,27.2-r21,28.2-r17,29.4-r3} stable request
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization (show other bugs)
Hardware: All Linux
: Normal enhancement
Assignee: GNU Emacs project
URL:
Whiteboard:
Keywords: CC-ARCHES, SECURITY
Depends on: 953775
Blocks: CVE-2024-53920 CVE-2025-1244
  Show dependency tree
 
Reported: 2025-02-25 19:19 UTC by Ulrich Müller
Modified: 2025-04-13 12:30 UTC (History)
0 users

See Also:
Package list:
app-editors/emacs-26.3-r23 app-editors/emacs-27.2-r21 app-editors/emacs-28.2-r17 app-editors/emacs-29.4-r3
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2025-02-25 19:19:08 UTC 
Test plan: <https://wiki.gentoo.org/wiki/Project:Emacs/Test_plans#GNU_Emacs_and_core_components>


If you want to test whether the unsafe macro-expansion vulnerability has been fixed, follow the recipes outlined in:
<https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html>
<https://lists.gnu.org/archive/html/emacs-devel/2018-08/msg00502.html>

Recipe 1: Save the following code in a .el file, then visit the file with Emacs:

;; -*- eval: (flymake-mode 1) -*-
(rx (eval (call-process "touch" nil nil nil "/tmp/owned")))

Recipe 2: Paste the following code into the *scratch* buffer, place point immediately behind the symbol foo in the third line, and type "M-x completion-at point RET":

(let ((fooo (eval-when-compile
	      (call-process "touch" nil nil nil "/tmp/owned"))))
  foo
  )

For both recipes, a /tmp/owned file should _not_ be created.


Thanks in advance.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-25 22:50:22 UTC 
ppc64 done
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-25 22:50:28 UTC 
arm done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-26 03:59:35 UTC 
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-26 03:59:39 UTC 
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-02-27 06:31:29 UTC 
hppa done
Comment 6 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2025-02-27 08:52:41 UTC 
arm64 done
Comment 7 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2025-03-23 12:51:28 UTC 
ppc done
Comment 8 Ulrich Müller gentoo-dev 2025-03-31 13:27:26 UTC 
ping
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-12 12:23:19 UTC 
Looking at sparc.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-12 22:30:44 UTC 
The sparc issue is going to take a bit more time. I'm currently updating a bunch of things in the chroot but I had some segfaults. I need to see if that's only with JIT or not.
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-04-13 12:30:13 UTC 
sparc done

all arches done