CVE-2008-3949: python execution from current directory
Bug #274514 reported by Kees Cook
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
emacs22 (Ubuntu) | Won't Fix | Low | Unassigned | |
Bug Description
Binary package hint: emacs22
http://
Ubuntu emacs22 seems to have the same code as in SuSE.
CVE References
Changed in emacs22:
status: New → Confirmed
importance: Undecided → Low
tags: added: patch-needswork
The lists.gnu.org link which is in the CVE doesn't work for me right now, but http://old.nabble.com/Emacs-22.3-released-td19335279.html appears to be the same thread. This states that Emacs 22.3 fixed this problem, and hence the patch only seems to be necessary for Emacs 22.2 and older.
Perhaps Ubuntu should update emacs22 to version 22.3 instead? (Currently 22.2 is still everywhere, except Hardy which has the even older 22.1, although 22.3 was released in September 2008. Debian has a similar situation, but Ubuntu's emacs22 is not built from Debian sources.)
Why does the patch still need work? It seems to have been fine for upstream Emacs, Suse, Red Hat, and a bunch of others. Current emacs23 still has the same fix: http://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/progmodes/python.el#n1554 (sorry, could not link to the official bzr repo at this time).