emacs: code execution

Package(s): emacs
CVE #(s): CVE-2012-3479
Created: August 16, 2012
Updated: January 10, 2013
Description:

From the Slackware advisory:

Patched to fix a security flaw in the file-local variables code. When the Emacs user option `enable-local-variables' is set to `:safe' (the default value is t), Emacs should automatically refuse to evaluate `eval' forms in file-local variable sections. Due to the bug, Emacs instead automatically evaluates such `eval' forms. Thus, if the user changes the value of `enable-local-variables' to `:safe', visiting a malicious file can cause automatic execution of arbitrary Emacs Lisp code with the permissions of the user. Bug discovered by Paul Ling.
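
As an added illustration (not part of the LWN entry or the Slackware advisory), the Python sketch below lists `eval` entries in the two places Emacs reads file-local variables from, the `-*-` line and the `Local Variables:` block, so a file can be reviewed before it is visited in an unpatched Emacs. The function name and sample inputs are constructed here, and parsing is simplified (no page-delimiter or multi-line value handling; keys are matched case-insensitively so the tool over-reports).

```python
import re

TAIL_CHARS = 3000  # Emacs only looks for the block near the end of the file
PROP_LINE = re.compile(r"-\*-(.*?)-\*-")
BLOCK_START = re.compile(r"^(.*?)Local Variables:(.*)$", re.IGNORECASE)


def _is_eval(key):
    # Case-insensitive on purpose: a review tool should over-report.
    return key.strip().lower() == "eval"


def find_eval_forms(text):
    """Return (location, form) pairs for eval entries in file-local variables."""
    found = []
    lines = text.splitlines()
    # 1. "-*- var: value; ... -*-" on line 1, or on line 2 after a "#!" line.
    head = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in head:
        m = PROP_LINE.search(line)
        for entry in (m.group(1).split(";") if m else []):
            key, sep, value = entry.partition(":")
            if sep and _is_eval(key):
                found.append(("first-line", value.strip()))
    # 2. "Local Variables:" ... "End:" block; every line repeats the prefix
    #    and suffix that surround the "Local Variables:" marker.
    tail = text[-TAIL_CHARS:].splitlines()
    for i, line in enumerate(tail):
        m = BLOCK_START.match(line)
        if not m:
            continue
        prefix, suffix = m.group(1), m.group(2).strip()
        for body in tail[i + 1:]:
            body = body.rstrip()
            if not body.startswith(prefix):
                break
            body = body[len(prefix):]
            if suffix and body.endswith(suffix):
                body = body[:-len(suffix)]
            key, sep, value = body.partition(":")
            if key.strip().lower() == "end":
                break
            if sep and _is_eval(key):
                found.append(("local-variables-block", value.strip()))
        break  # only the first marker in the tail starts the block
    return found


# Constructed sample inputs; the eval forms are harmless placeholders.
SAMPLE_SCRIPT = '#!/bin/sh\n# -*- mode: sh; eval: (message "hi") -*-\necho ok\n'
SAMPLE_C = ('int main(void) { return 0; }\n/* Local Variables: */\n'
            '/* eval: (message "hi") */\n/* c-basic-offset: 4 */\n/* End: */\n')
SAMPLE_CLEAN = "# -*- coding: utf-8 -*-\nprint('eval: just a string')\n"
```

A non-empty result means the file asks Emacs to evaluate Lisp when it is visited; an empty result only means no `eval` entry was found in the two locations this sketch parses.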

Alerts:
Slackware SSA:2012-228-02 2012-08-15
Fedora FEDORA-2012-11872 2012-08-22
Fedora FEDORA-2012-11876 2012-08-22
Mageia MGASA-2012-0261 2012-09-09
Ubuntu USN-1586-1 2012-09-27
openSUSE openSUSE-SU-2012:1348-1 2012-10-15
Debian DSA-2603-1 2013-01-09
Mandriva MDVSA-2013:076 2013-04-08

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds