On Sat, Dec 18, 2004 at 06:37:01PM -0600, Rob Browning wrote:
> Rob Browning <email address hidden> writes:
>=20
> > Security team summary: opening the emacs1.emacs file in the
> > indicated google link with a stable emacs will result in yes being
> > launched many times without any advance warning to the user. I
> > presume arbitrary other code might be substituted. I'm not yet sure
> > how this was changed in 21.3+1, but that version (the one in
> > testing/unsable) doesn't appear to execute the code provided in
> > either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> > to see if I can locate the relevant diff.
>=20
> I've culled a patch from the diff between 21.2 and 21.3 which appears
> to fix the problem. I'll wait to hear from the security team, and I
> may also run it by emacs-devel.
Other emacs and xemacs packages might/probably are affected as well. I
am not familiar with emacs packages in debian (or emacs at all),
therefore someone else will have to check this.
Message-ID: <email address hidden>
Date: Sun, 19 Dec 2004 14:06:55 +0000
From: Jan Minar <email address hidden>
To: Rob Browning <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286183: emacs21: Arbitrary code execution when opening malicious file (local
variables)
--YZ5djTAD1cGYuMQK Disposition: inline Transfer- Encoding: quoted-printable
Content-Type: text/plain; charset=iso-8859-2
Content-
Content-
On Sat, Dec 18, 2004 at 06:37:01PM -0600, Rob Browning wrote:
> Rob Browning <email address hidden> writes:
>=20
> > Security team summary: opening the emacs1.emacs file in the
> > indicated google link with a stable emacs will result in yes being
> > launched many times without any advance warning to the user. I
> > presume arbitrary other code might be substituted. I'm not yet sure
> > how this was changed in 21.3+1, but that version (the one in
> > testing/unsable) doesn't appear to execute the code provided in
> > either the emacs1.emacs or emacs2.emacs sample exploits. I'm going
> > to see if I can locate the relevant diff.
>=20
> I've culled a patch from the diff between 21.2 and 21.3 which appears
> to fix the problem. I'll wait to hear from the security team, and I
> may also run it by emacs-devel.
Other emacs and xemacs packages might/probably are affected as well. I
am not familiar with emacs packages in debian (or emacs at all),
therefore someone else will have to check this.
--=20
)^o-o^| jabber: <email address hidden>
| .v K e-mail: jjminar FastMail FM
` - .' phone: +44(0)7981 738 696
\ __/Jan icq: 345 355 493
__|o|__Min=E1=F8 irc: <email address hidden>
--YZ5djTAD1cGYuMQK pgp-signature Disposition: inline
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE----- www.gnupg. org
+uczK20Fa5cRAlJ mAKDbbuWe5O8hfC YRWWvo4Jwxjtqus gCgvhCU AWaH+YGs=
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://
iD8DBQFBxYr/
rLiqKNWssiPtUmu
=Hi5Z
-----END PGP SIGNATURE-----
--YZ5djTAD1cGYu MQK--