CVE-2008-3949: python execution from current directory

Bug #274514 reported by Kees Cook
Affects: emacs22 (Ubuntu)
Status: Won't Fix
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Binary package hint: emacs22

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3949

Ubuntu emacs22 seems to have the same code as in SuSE.


Kees Cook (kees) wrote:
Changed in emacs22:
status: New → Confirmed
importance: Undecided → Low
Steve Beattie (sbeattie)
tags: added: patch-needswork
era (era) wrote:

The lists.gnu.org link which is in the CVE doesn't work for me right now, but http://old.nabble.com/Emacs-22.3-released-td19335279.html appears to be the same thread. This states that Emacs 22.3 fixed this problem, and hence the patch only seems to be necessary for Emacs 22.2 and older.

Perhaps Ubuntu should update emacs22 to version 22.3 instead? (Currently 22.2 is still everywhere, except Hardy which has the even older 22.1, although 22.3 was released in September 2008. Debian has a similar situation, but Ubuntu's emacs22 is not built from Debian sources.)

Why does the patch still need work? It seems to have been fine for upstream Emacs, Suse, Red Hat, and a bunch of others. Current emacs23 still has the same fix: http://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/progmodes/python.el#n1554 (sorry, could not link to the official bzr repo at this time).
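The fix era points at (Emacs 22.3 and the emacs23 python.el linked above) addresses what the bug title describes: the Python interpreter the editor starts searches the current working directory for modules, so a same-named file in whatever directory the user happens to be editing in is found before the editor's own helper. The check below is an added example, not code from this bug report or from Emacs. It shows from the defender's side which search-path entries resolve to the working directory, what a sanitized path looks like, and which directory a module would actually be loaded from before and after the entry is stripped. The helper module name `emacs` is an assumption, and both directories are constructed with tempfile so the script runs offline.

```python
import os
import shutil
import sys
import tempfile
from importlib.machinery import PathFinder

# Assumed name of the editor's helper module; a stand-in chosen for this
# example, not taken from the bug report.
HELPER_MODULE = "emacs"


def cwd_entries(path=None):
    """Indices of search-path entries that resolve to the current working
    directory: '' (what `python -i` / `python -c` prepend), '.', or the
    working directory spelled out as an absolute path."""
    path = sys.path if path is None else path
    cwd = os.getcwd()
    return [i for i, p in enumerate(path) if os.path.abspath(p) == cwd]


def sanitized_path(path):
    """Copy of the search path with every cwd-resolving entry removed."""
    cwd = os.getcwd()
    return [p for p in path if os.path.abspath(p) != cwd]


def resolves_from(name, path):
    """Directory that `import name` would load the module from when the
    interpreter searches `path` in order, or None if nothing matches."""
    spec = PathFinder.find_spec(name, path)
    if spec is None or spec.origin is None:
        return None
    return os.path.dirname(spec.origin)


def demo():
    """Constructed scenario: a trusted directory holding the real helper and
    an untrusted working directory holding a file with the same name."""
    trusted = tempfile.mkdtemp(prefix="helper-")
    untrusted = tempfile.mkdtemp(prefix="workdir-")
    saved_cwd = os.getcwd()
    try:
        # Both files are placeholders; nothing here is ever imported or run.
        for d in (trusted, untrusted):
            with open(os.path.join(d, HELPER_MODULE + ".py"), "w") as fh:
                fh.write("# constructed placeholder module\n")
        os.chdir(untrusted)
        workdir = os.getcwd()  # what the '' entry expands to from here on
        search_path = ["", trusted]  # order an interactive interpreter uses
        return {
            "workdir": workdir,
            "trusted": trusted,
            "risky_entries": cwd_entries(search_path),
            "before": resolves_from(HELPER_MODULE, search_path),
            "after": resolves_from(HELPER_MODULE, sanitized_path(search_path)),
        }
    finally:
        os.chdir(saved_cwd)
        shutil.rmtree(trusted, ignore_errors=True)
        shutil.rmtree(untrusted, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("search-path entries resolving to the cwd:", result["risky_entries"])
    print("helper loaded from (cwd on path):        ", result["before"])
    print("helper loaded from (cwd stripped):       ", result["after"])
```

With the working directory on the path, the helper resolves to the untrusted directory; once the cwd-resolving entry is stripped, the same import resolves to the trusted directory. The same `cwd_entries` check can be run inside any embedded interpreter to confirm that the process that launched it did not leave '' on `sys.path`.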

Steve Beattie (sbeattie) wrote:

There are no supported versions of Ubuntu that include emacs22 anymore, closing.

Changed in emacs22 (Ubuntu):
status: Confirmed → Won't Fix