"Paul Ling has found a security flaw in the file-local variables code in
GNU Emacs. When the user option `enable-local-variables' is set to
`:safe' (the default value is t), Emacs should automatically refuse to
evaluate `eval' forms in file-local variable sections. Due to the bug,
Emacs instead automatically evaluates such `eval' forms.
Thus, if the user changes the value of `enable-local-variables' to
`:safe', visiting a malicious file can cause automatic execution of
arbitrary Emacs Lisp code with the permissions of the user.
The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1."
Fixed in emacs-23.4-r4 and emacs-24.1-r1.
Vulnerable versions: < 24.1-r1
Unaffected versions: >= 24.1-r1, revision >= 23.4-r4, < 23.2
Architecture(s): All supported architectures
Arch teams, please stabilise:
emacs-23.4-r4: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
emacs-24.1-r1: amd64 arm hppa ppc64 x86
Arch teams, please test and mark stable:
Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
Stable KEYWORDS : amd64 arm hppa ppc64 x86
Stable for HPPA.
lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically executes
eval forms in local-variable sections when the enable-local-variables option
is set to :safe, which allows user-assisted remote attackers to execute
arbitrary Emacs Lisp code via a crafted file.
(In reply to comment #11)
> ppc: ping
pong! stable ppc, closing
Stable on all supported arches, vulnerable versions removed from tree.
Added to existing GLSA request.
This issue was resolved and addressed in
GLSA 201403-05 at http://security.gentoo.org/glsa/glsa-201403-05.xml
by GLSA coordinator Sergey Popov (pinkbyte).