
Bug#687108: marked as done (Request freeze exception for emacs23 23.4+1-4 and emacs-defaults 45.0 )



Your message dated Wed, 12 Sep 2012 21:10:19 +0100
with message-id <1347480619.13151.11.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#687108: Request freeze exception for emacs23 23.4+1-4 and emacs-defaults 45.0
has caused the Debian Bug report #687108,
regarding Request freeze exception for emacs23 23.4+1-4 and emacs-defaults 45.0 
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
687108: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687108
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org

As discussed previously, I've finished and uploaded the packages to fix
the emacs{23,24} binary metapackage problem.  I've dropped the emacs
binary package from emacs{23,24}, and created a new gcc-defaults-style
emacs-defaults metapackage to provide it.

The emacs23 23.4+1-4 package also includes a fix for CVE-2012-3479.
Please consider both packages for inclusion in wheezy, and let me know
if you need me to fix anything.

Here's the emacs23 debdiff:

diff -Nru emacs23-23.4+1/debian/.git-dpm emacs23-23.4+1/debian/.git-dpm
--- emacs23-23.4+1/debian/.git-dpm	2012-04-07 14:34:57.000000000 -0500
+++ emacs23-23.4+1/debian/.git-dpm	2012-09-08 14:58:21.000000000 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-c566c20428a35fb0d29960819ef0034808f4cd12
-c566c20428a35fb0d29960819ef0034808f4cd12
+e53a987370a1ea362b4247d4a621257c28f35f52
+e53a987370a1ea362b4247d4a621257c28f35f52
 4edc7f7569f39278c30a9a64da6e0b313bbed458
 4edc7f7569f39278c30a9a64da6e0b313bbed458
 emacs23_23.4+1.orig.tar.bz2
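Review bot: the patched-tree commit recorded here, e53a987370a1ea362b4247d4a621257c28f35f52, is the same hash as the `From` line of the new 0018 patch, so the git-dpm metadata and the exported patch agree; the upstream-tarball entries (4edc7f7569f39278c30a9a64da6e0b313bbed458 and emacs23_23.4+1.orig.tar.bz2) are untouched, which is what a freeze exception should show: the delta is confined to debian/.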
diff -Nru emacs23-23.4+1/debian/changelog emacs23-23.4+1/debian/changelog
--- emacs23-23.4+1/debian/changelog	2012-04-07 14:36:04.000000000 -0500
+++ emacs23-23.4+1/debian/changelog	2012-09-08 15:01:04.000000000 -0500
@@ -1,3 +1,20 @@
+emacs23 (23.4+1-4) unstable; urgency=high
+
+  * Add 0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch.
+    Don't eval code when enable-local-variables is :safe.  Previously,
+    Emacs might eval forms in file-local variable sections even when
+    the Emacs user option `enable-local-variables' was set to :safe
+    (CVE-2012-3479).  Please see the patch for additional details.
+    Thanks to Henri Salo <henri@nerv.fi> for the report.
+    (Closes: #684695)
+
+  * Stop producing the emacs binary metapackage.  Move the emacs
+    binary metapackage to its own source package (emacs-defaults,
+    cf. gcc-defaults).  This will prevent emacs23 and emacs24 from
+    producing the same binary package.
+
+ -- Rob Browning <rlb@defaultvalue.org>  Sat, 08 Sep 2012 14:59:52 -0500
+
 emacs23 (23.4+1-3) unstable; urgency=low
 
   * Add 0017-Initialize-xgselect-in-function-xg_select-when-gfds_.patch.
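Review bot: the second bullet should say where the dropped `emacs` binary package now comes from and that its `Provides: emacsen, editor, mail-reader, news-reader` and the `emacs23 | emacs23-lucid | emacs23-nox` dependency move with it; a reader of this changelog during a wheezy upgrade otherwise sees the package vanish from this source with no pointer beyond "cf. gcc-defaults". One sentence such as "the emacs metapackage is now built from the emacs-defaults source package" would do. The CVE bullet, `urgency=high` and `Closes: #684695` are consistent with the Bug-Debian line in the 0018 patch header.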
diff -Nru emacs23-23.4+1/debian/control emacs23-23.4+1/debian/control
--- emacs23-23.4+1/debian/control	2012-04-07 14:36:40.000000000 -0500
+++ emacs23-23.4+1/debian/control	2012-09-08 15:04:44.000000000 -0500
@@ -12,15 +12,6 @@
 Homepage: http://www.gnu.org/software/emacs/
 Standards-Version: 3.7.2
 
-Package: emacs
-Architecture: all
-Depends: emacs23 | emacs23-lucid | emacs23-nox, ${misc:Depends}
-Provides: emacsen, editor, mail-reader, news-reader
-Description: The GNU Emacs editor (metapackage)
- GNU Emacs is the extensible self-documenting text editor.
- This is a metapackage which will always depend on the latest Emacs
- release.
-
 Package: emacs23-lucid
 Architecture: any
 Depends: emacs23-bin-common (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}
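Review bot: deleting `Package: emacs` here removes the only provider of the virtual packages `emacsen`, `editor`, `mail-reader` and `news-reader` from this source, so the `emacs` package built by emacs-defaults must carry the same `Provides:` and an equivalent `Depends: emacs23 | emacs23-lucid | emacs23-nox` (or the emacs24 flavours), or anything depending on `emacs` or `emacsen` breaks on upgrade; that control file is not in this debdiff and should be checked alongside it. Because the binary keeps its name, no `Breaks`/`Replaces` is needed, only a higher version: emacs-defaults 45.0 from the request subject sorts above the 23.4+1-3 build of `emacs`, so apt will pull the replacement. The unchanged `Standards-Version: 3.7.2` in the context is a separate, cosmetic point and not something to fix during a freeze.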
diff -Nru emacs23-23.4+1/debian/control.in emacs23-23.4+1/debian/control.in
--- emacs23-23.4+1/debian/control.in	2012-04-07 14:34:56.000000000 -0500
+++ emacs23-23.4+1/debian/control.in	2012-09-08 14:59:26.000000000 -0500
@@ -12,15 +12,6 @@
 Homepage: http://www.gnu.org/software/emacs/
 Standards-Version: 3.7.2
 
-Package: emacs
-Architecture: all
-Depends: @DEB_FLAVOR@ | @DEB_FLAVOR@-lucid | @DEB_FLAVOR@-nox, ${misc:Depends}
-Provides: emacsen, editor, mail-reader, news-reader
-Description: The GNU Emacs editor (metapackage)
- GNU Emacs is the extensible self-documenting text editor.
- This is a metapackage which will always depend on the latest Emacs
- release.
-
 Package: @DEB_FLAVOR@-lucid
 Architecture: any
 Depends: @DEB_FLAVOR@-bin-common (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}
diff -Nru emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch
--- emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch	1969-12-31 18:00:00.000000000 -0600
+++ emacs23-23.4+1/debian/patches/0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch	2012-09-08 14:58:21.000000000 -0500
@@ -0,0 +1,63 @@
+From e53a987370a1ea362b4247d4a621257c28f35f52 Mon Sep 17 00:00:00 2001
+From: Glenn Morris <rgm@gnu.org>
+Date: Tue, 7 Aug 2012 14:41:39 -0400
+Subject: Don't eval code when enable-local-variables is :safe.
+
+Emacs should no longer eval code when enable-local-variables is :safe.
+
+Previously, Emacs might eval forms in file-local variable sections
+even when the Emacs user option `enable-local-variables' was set to
+:safe.  This patch fixes CVE-2012-3479:
+
+  http://security-tracker.debian.org/tracker/CVE-2012-3479
+
+Origin: upstream, commit: 108092 (90c310d22c6f06332257c816253c642fd2bf90aa)
+Added-by: Rob Browning <rlb@defaultvalue.org>
+Provided-By: Glenn Morris  <rgm@gnu.org>
+Bug: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684695
+---
+ lisp/ChangeLog |    6 ++++++
+ lisp/files.el  |   15 ++++++++++-----
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/lisp/ChangeLog b/lisp/ChangeLog
+index 6d780e9..791092d 100644
+--- a/lisp/ChangeLog
++++ b/lisp/ChangeLog
+@@ -1,3 +1,9 @@
++2012-08-07  Glenn Morris  <rgm@gnu.org>
++
++	* files.el (hack-local-variables-filter): If an eval: form is not
++	known to be safe, and enable-local-variables is :safe, then ignore
++	the form totally, as is done for non-eval forms.  (Bug#12155)
++
+ 2012-01-19  Chong Yidong  <cyd@gnu.org>
+ 
+ 	* Version 23.4 released.
+diff --git a/lisp/files.el b/lisp/files.el
+index ed1a69d..113968d 100644
+--- a/lisp/files.el
++++ b/lisp/files.el
+@@ -2986,11 +2986,16 @@ DIR-NAME is a directory name if these settings come from
+ 	      ;; Obey `enable-local-eval'.
+ 	      ((eq var 'eval)
+ 	       (when enable-local-eval
+-		 (push elt all-vars)
+-		 (or (eq enable-local-eval t)
+-		     (hack-one-local-variable-eval-safep (eval (quote val)))
+-		     (safe-local-variable-p var val)
+-		     (push elt unsafe-vars))))
++		 (let ((safe (or (hack-one-local-variable-eval-safep
++				  (eval (quote val)))
++				 ;; In case previously marked safe (bug#5636).
++				 (safe-local-variable-p var val))))
++		   ;; If not safe and e-l-v = :safe, ignore totally.
++		   (when (or safe (not (eq enable-local-variables :safe)))
++		     (push elt all-vars)
++		     (or (eq enable-local-eval t)
++			 safe
++			 (push elt unsafe-vars))))))
+ 	      ;; Ignore duplicates (except `mode') in the present list.
+ 	      ((and (assq var all-vars) (not (eq var 'mode))) nil)
+ 	      ;; Accept known-safe variables.
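Review bot: the ignore-entirely rule on the `(when (or safe (not (eq enable-local-variables :safe)))` line keys on `enable-local-variables` being exactly `:safe`; with any other value an `eval:` form that `hack-one-local-variable-eval-safep` rejects still goes into `unsafe-vars` and through the existing confirmation path, and with `:all` it is still applied, so the fix is deliberately narrow to the case the CVE describes. One behavioural change that deserves a line in the patch header: previously `(or (eq enable-local-eval t) ...)` short-circuited before any safety test, so a user with `enable-local-eval` set to `t` and `enable-local-variables` set to `:safe` had the form evaluated; now the form is dropped in that combination, which is the intended outcome but is not spelled out. The safety decision is computed by `hack-one-local-variable-eval-safep` on the form itself, so moving it ahead of the `enable-local-eval` test introduces no evaluation of the untrusted form before the decision. A regression check worth adding to the Debian bug before closing: visit a file whose Local Variables section contains an `eval:` form that the safety predicate rejects, with `enable-local-variables` bound to `:safe`, and confirm the form is neither run nor prompted for.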
diff -Nru emacs23-23.4+1/debian/patches/series emacs23-23.4+1/debian/patches/series
--- emacs23-23.4+1/debian/patches/series	2012-04-07 14:34:57.000000000 -0500
+++ emacs23-23.4+1/debian/patches/series	2012-09-08 14:58:21.000000000 -0500
@@ -15,3 +15,4 @@
 0015-coding.c-produce_chars-Fix-updating-of-src_end-Bug-1.patch
 0016-quail-indian.el-indian-tlg-base-table-Fix-typo-dev-t.patch
 0017-Initialize-xgselect-in-function-xg_select-when-gfds_.patch
+0018-Don-t-eval-code-when-enable-local-variables-is-safe.patch
Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

--- End Message ---
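The behaviour that the CVE-2012-3479 patch in the debdiff above changes can be checked end to end from a batch Emacs. The following Emacs Lisp file is an added example; it is not part of the bug report, of the Debian packaging, or of upstream Emacs. The file name, the marker variable `check-local-eval-ran` and the contents of the constructed temporary file are assumptions made for this check. It visits a temporary file whose Local Variables section carries an `eval:` form that Emacs does not classify as safe, once with `enable-local-variables` let-bound to `:safe` and once to `:all`, and reports whether the form ran. On an Emacs carrying the fix the `:safe` visit must report nil and the `:all` visit t; on an Emacs without it, the ChangeLog entry in the patch says the `:safe` visit evaluates the form as well.

```elisp
;;; check-local-eval.el --- added example, not part of the Debian report.
;;
;; Run with:  emacs -Q --batch -l check-local-eval.el
;;
;; Writes a constructed temporary file whose Local Variables section
;; contains an `eval:' form, visits it under a chosen value of
;; `enable-local-variables', and reports whether the form was executed.
;; The variable name and the file contents are assumptions for this check.

(defvar check-local-eval-ran nil
  "Set to t by the eval: form in the constructed file if Emacs runs it.")

(defun check-local-eval (policy)
  "Visit a constructed file with an unsafe eval: local variable under POLICY.
POLICY is a value for `enable-local-variables' (:safe, :all, t or nil).
Return t if the eval: form was evaluated while visiting, nil otherwise."
  (setq check-local-eval-ran nil)
  (let ((file (make-temp-file "local-eval-check-" nil ".txt"))
        ;; Dynamic bindings: both are defcustoms in files.el, so a `let'
        ;; scopes them to this visit only.
        (enable-local-variables policy)
        ;; Non-nil so the eval: branch in hack-local-variables-filter is
        ;; reached at all; the policy under test is enable-local-variables.
        (enable-local-eval t))
    (unwind-protect
        (progn
          (with-temp-file file
            (insert "sample text\n\n")
            ;; A plain Local Variables block with empty prefix and suffix.
            ;; `setq' is not a form the eval safety predicate accepts, so
            ;; this is exactly the "not known to be safe" case.
            (insert "Local Variables:\n"
                    "eval: (setq check-local-eval-ran t)\n"
                    "End:\n"))
          ;; find-file-noselect runs normal-mode, which applies the
          ;; file-local variables subject to the current policy.
          (let ((buf (find-file-noselect file)))
            (kill-buffer buf)))
      (delete-file file))
    check-local-eval-ran))

;; Report both policies; the :safe line is the one the CVE fix changes.
(message "enable-local-variables = :safe -> eval: form ran: %s"
         (check-local-eval :safe))
(message "enable-local-variables = :all  -> eval: form ran: %s"
         (check-local-eval :all))
```

The `:all` visit is included as a control so that a nil result for `:safe` cannot be mistaken for the Local Variables block simply not being parsed; if both lines print nil, the file layout rather than the policy is at fault. Run the same file against the 23.4+1-3 and 23.4+1-4 builds to see the change the patch makes.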
--- Begin Message ---
user release.debian.org@packages.debian.org
usertag 687108 + unblock
thanks

On Sun, 2012-09-09 at 13:55 -0500, Rob Browning wrote:
> As discussed previously, I've finished and uploaded the packages to fix
> the emacs{23,24} binary metapackage problem.  I've dropped the emacs
> binary package from emacs{23,24}, and created a new gcc-defaults-style
> emacs-defaults metapackage to provide it.
> 
> The emacs23 23.4+1-4 package also includes a fix for CVE-2012-3479.
> Please consider both packages for inclusion in wheezy, and let me know
> if you need me to fix anything.

Both unblocked; thanks.

Regards,

Adam

--- End Message ---
