--- Begin Message ---
Package: release.debian.org
As discussed previously, I've finished and uploaded the packages to fix
the emacs{23,24} binary metapackage problem. I've dropped the emacs
binary package from emacs{23,24}, and created a new gcc-defaults-style
emacs-defaults metapackage to provide it.
The emacs23 23.4+1-4 package also includes a fix for CVE-2012-3479.
Please consider both packages for inclusion in wheezy, and let me know
if you need me to fix anything.
Here's the emacs23 debdiff:
diff -Nru emacs23-23.4+1/debian/.git-dpm emacs23-23.4+1/debian/.git-dpm
--- emacs23-23.4+1/debian/.git-dpm 2012-04-07 14:34:57.000000000 -0500
+++ emacs23-23.4+1/debian/.git-dpm 2012-09-08 14:58:21.000000000 -0500
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-c566c20428a35fb0d29960819ef0034808f4cd12
-c566c20428a35fb0d29960819ef0034808f4cd12
+e53a987370a1ea362b4247d4a621257c28f35f52
+e53a987370a1ea362b4247d4a621257c28f35f52
4edc7f7569f39278c30a9a64da6e0b313bbed458
4edc7f7569f39278c30a9a64da6e0b313bbed458
emacs23_23.4+1.orig.tar.bz2
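Review bot: the new patched-tree ref e53a987370a1ea362b4247d4a621257c28f35f52 matches the "From" line of the 0018 patch added later in this debdiff, so the git-dpm metadata and the exported patch are consistent; the unchanged orig-tarball ref and emacs23_23.4+1.orig.tar.bz2 confirm this is a packaging-only upload against the same upstream tarball.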
diff -Nru emacs23-23.4+1/debian/changelog emacs23-23.4+1/debian/changelog
--- emacs23-23.4+1/debian/changelog 2012-04-07 14:36:04.000000000 -0500
+++ emacs23-23.4+1/debian/changelog 2012-09-08 15:01:04.000000000 -0500
@@ -1,3 +1,20 @@
+emacs23 (23.4+1-4) unstable; urgency=high
+
+ * Add 0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch.
+ Don't eval code when enable-local-variables is :safe. Previously,
+ Emacs might eval forms in file-local variable sections even when
+ the Emacs user option `enable-local-variables' was set to :safe
+ (CVE-2012-3479). Please see the patch for additional details.
+ Thanks to Henri Salo <henri@nerv.fi> for the report.
+ (Closes: #684695)
+
+ * Stop producing the emacs binary metapackage. Move the emacs
+ binary metapackage to its own source package (emacs-defaults,
+ cf. gcc-defaults). This will prevent emacs23 and emacs24 from
+ producing the same binary package.
+
+ -- Rob Browning <rlb@defaultvalue.org> Sat, 08 Sep 2012 14:59:52 -0500
+
emacs23 (23.4+1-3) unstable; urgency=low
* Add 0017-Initialize-xgselect-in-function-xg_select-when-gfds_.patch.
diff -Nru emacs23-23.4+1/debian/control emacs23-23.4+1/debian/control
--- emacs23-23.4+1/debian/control 2012-04-07 14:36:40.000000000 -0500
+++ emacs23-23.4+1/debian/control 2012-09-08 15:04:44.000000000 -0500
@@ -12,15 +12,6 @@
Homepage: http://www.gnu.org/software/emacs/
Standards-Version: 3.7.2
-Package: emacs
-Architecture: all
-Depends: emacs23 | emacs23-lucid | emacs23-nox, ${misc:Depends}
-Provides: emacsen, editor, mail-reader, news-reader
-Description: The GNU Emacs editor (metapackage)
- GNU Emacs is the extensible self-documenting text editor.
- This is a metapackage which will always depend on the latest Emacs
- release.
-
Package: emacs23-lucid
Architecture: any
Depends: emacs23-bin-common (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}
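Review bot: removing the emacs metapackage here also removes its "Provides: emacsen, editor, mail-reader, news-reader" from this source, so the new emacs-defaults source (not included in this message) must carry the same Provides and the "emacs23 | emacs23-lucid | emacs23-nox" dependency, otherwise reverse dependencies on those virtual packages lose the provider they had from emacs23; worth confirming against the emacs-defaults debdiff before unblocking both together.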
diff -Nru emacs23-23.4+1/debian/control.in emacs23-23.4+1/debian/control.in
--- emacs23-23.4+1/debian/control.in 2012-04-07 14:34:56.000000000 -0500
+++ emacs23-23.4+1/debian/control.in 2012-09-08 14:59:26.000000000 -0500
@@ -12,15 +12,6 @@
Homepage: http://www.gnu.org/software/emacs/
Standards-Version: 3.7.2
-Package: emacs
-Architecture: all
-Depends: @DEB_FLAVOR@ | @DEB_FLAVOR@-lucid | @DEB_FLAVOR@-nox, ${misc:Depends}
-Provides: emacsen, editor, mail-reader, news-reader
-Description: The GNU Emacs editor (metapackage)
- GNU Emacs is the extensible self-documenting text editor.
- This is a metapackage which will always depend on the latest Emacs
- release.
-
Package: @DEB_FLAVOR@-lucid
Architecture: any
Depends: @DEB_FLAVOR@-bin-common (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}
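Review bot: this template hunk matches the generated control hunk above line for line once @DEB_FLAVOR@ is substituted with emacs23, so control and control.in stay in sync; since the message says the emacs binary package was dropped from emacs{23,24}, the emacs24 control.in needs the identical removal, which is not visible in this debdiff.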
diff -Nru emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch
--- emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch 1969-12-31 18:00:00.000000000 -0600
+++ emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch 2012-09-08 14:58:21.000000000 -0500
@@ -0,0 +1,63 @@
+From e53a987370a1ea362b4247d4a621257c28f35f52 Mon Sep 17 00:00:00 2001
+From: Glenn Morris <rgm@gnu.org>
+Date: Tue, 7 Aug 2012 14:41:39 -0400
+Subject: Don't eval code when enable-local-variables is :safe.
+
+Emacs should no longer eval code when enable-local-variables is :safe.
+
+Previously, Emacs might eval forms in file-local variable sections
+even when the Emacs user option `enable-local-variables' was set to
+:safe. This patch fixes CVE-2012-3479:
+
+ http://security-tracker.debian.org/tracker/CVE-2012-3479
+
+Origin: upstream, commit: 108092 (90c310d22c6f06332257c816253c642fd2bf90aa)
+Added-by: Rob Browning <rlb@defaultvalue.org>
+Provided-By: Glenn Morris <rgm@gnu.org>
+Bug: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684695
+---
+ lisp/ChangeLog | 6 ++++++
+ lisp/files.el | 15 ++++++++++-----
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/lisp/ChangeLog b/lisp/ChangeLog
+index 6d780e9..791092d 100644
+--- a/lisp/ChangeLog
++++ b/lisp/ChangeLog
+@@ -1,3 +1,9 @@
++2012-08-07 Glenn Morris <rgm@gnu.org>
++
++ * files.el (hack-local-variables-filter): If an eval: form is not
++ known to be safe, and enable-local-variables is :safe, then ignore
++ the form totally, as is done for non-eval forms. (Bug#12155)
++
+ 2012-01-19 Chong Yidong <cyd@gnu.org>
+
+ * Version 23.4 released.
+diff --git a/lisp/files.el b/lisp/files.el
+index ed1a69d..113968d 100644
+--- a/lisp/files.el
++++ b/lisp/files.el
+@@ -2986,11 +2986,16 @@ DIR-NAME is a directory name if these settings come from
+ ;; Obey `enable-local-eval'.
+ ((eq var 'eval)
+ (when enable-local-eval
+- (push elt all-vars)
+- (or (eq enable-local-eval t)
+- (hack-one-local-variable-eval-safep (eval (quote val)))
+- (safe-local-variable-p var val)
+- (push elt unsafe-vars))))
++ (let ((safe (or (hack-one-local-variable-eval-safep
++ (eval (quote val)))
++ ;; In case previously marked safe (bug#5636).
++ (safe-local-variable-p var val))))
++ ;; If not safe and e-l-v = :safe, ignore totally.
++ (when (or safe (not (eq enable-local-variables :safe)))
++ (push elt all-vars)
++ (or (eq enable-local-eval t)
++ safe
++ (push elt unsafe-vars))))))
+ ;; Ignore duplicates (except `mode') in the present list.
+ ((and (assq var all-vars) (not (eq var 'mode))) nil)
+ ;; Accept known-safe variables.
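Review bot: in the files.el hunk, "safe" is now computed before anything is pushed, and the guard "(when (or safe (not (eq enable-local-variables :safe))) ...)" means an eval: form that is not known safe is pushed to neither all-vars nor unsafe-vars when enable-local-variables is :safe, i.e. it is dropped silently instead of reaching the prompt/eval path, which is the CVE-2012-3479 fix the ChangeLog entry describes; for enable-local-variables t the old behaviour is preserved (pushed to all-vars, and to unsafe-vars unless enable-local-eval is t or safe is non-nil). Note that "(eval (quote val))" just yields the form itself for hack-one-local-variable-eval-safep to inspect, it does not execute the form, so no evaluation happens before the safety check. One style nit on the header: "Added-by" and "Provided-By" are not DEP-3 fields; "From:" already records the author, so "Provided-By" is redundant and "Added-by" could go in a comment or be dropped.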
diff -Nru emacs23-23.4+1/debian/patches/series emacs23-23.4+1/debian/patches/series
--- emacs23-23.4+1/debian/patches/series 2012-04-07 14:34:57.000000000 -0500
+++ emacs23-23.4+1/debian/patches/series 2012-09-08 14:58:21.000000000 -0500
@@ -15,3 +15,4 @@
0015-coding.c-produce_chars-Fix-updating-of-src_end-Bug-1.patch
0016-quail-indian.el-indian-tlg-base-table-Fix-typo-dev-t.patch
0017-Initialize-xgselect-in-function-xg_select-when-gfds_.patch
+0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch
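Review bot: the series entry matches the filename of the newly added patch exactly and is appended after 0017, so the new patch applies last on top of the existing stack as intended.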
Thanks
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
--- End Message ---
--- Begin Message ---
user release.debian.org@packages.debian.org
usertag 687108 + unblock
thanks
On Sun, 2012-09-09 at 13:55 -0500, Rob Browning wrote:
> As discussed previously, I've finished and uploaded the packages to fix
> the emacs{23,24} binary metapackage problem. I've dropped the emacs
> binary package from emacs{23,24}, and created a new gcc-defaults-style
> emacs-defaults metapackage to provide it.
>
> The emacs23 23.4+1-4 package also includes a fix for CVE-2012-3479.
> Please consider both packages for inclusion in wheezy, and let me know
> if you need me to fix anything.
Both unblocked; thanks.
Regards,
Adam
--- End Message ---