| Summary: | app-editors/emacs hack-local-variables Security bypass (CVE-2007-5795) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | emacs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449008 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Robert Buchholz (RETIRED)
2007-11-03 13:44:07 UTC
Emacs, please advise. Is any of our ebuilds affected, or maybe other packages than app-editors/emacs?

Fixed in emacs-22.1-r2. Decreasing severity to B4 since the issue doesn't affect the default configuration.

Vulnerable versions: <22.1-r2
Unaffected versions: >=22.1-r2, <22

Arch teams: Please stabilise app-editors/emacs-22.1-r2.

alpha/ia64/stable

Stable on x86

ppc64 stable

ppc stable

amd64 done (committed by wolf31o2 for me)

You'll probably want to back-port this to the latest SLOT=21 version, too.

Vulnerable revision emacs-22.1-r1 removed.

(In reply to comment #8)
> You'll probably want to back-port this to the latest SLOT=21 version, too.

Emacs 21 is not affected; the relevant code is new in version 22.

I tend to vote NO.

Setting to B3 and voting YES. This vulnerability, if emacs is configured as described above, allows execution of arbitrary LISP (not shell) code, therefore can overwrite files writable by emacs. See last comment on the Debian report in URL.

yes too, request filed.

GLSA 200712-03