Mageia alert MGASA-2012-0261 (emacs) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2012-0261: emacs-23.2-3.1.mga1 (1/core),
 emacs-23.3-8.1.mga2 (2/core) 
Date:
    	       Sun, 9 Sep 2012 13:29:56 +0200
Message-ID:
    	       <20120909112956.GA26528@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2012-0261
Date: 	September 9th, 2012
Affected releases: 	1, 2


Description:
Updated emacs packages fix security vulnerabilities:

Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used
in GNU Emacs before 23.4 and other products, allows local users to gain
privileges via a crafted Lisp expression in a Project.ede file in the
directory, or a parent directory, of an opened file (CVE-2012-0035).

lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically executes
eval forms in local-variable sections when the enable-local-variables
option is set to :safe, which allows user-assisted remote attackers to
execute arbitrary Emacs Lisp code via a crafted file (CVE-2012-3479).


Updated Packages:
Mageia 1:
emacs-23.2-3.1.mga1
emacs-common-23.2-3.1.mga1
emacs-doc-23.2-3.1.mga1
emacs-el-23.2-3.1.mga1
emacs-leim-23.2-3.1.mga1
emacs-nox-23.2-3.1.mga1

Mageia 2:
emacs-23.3-8.1.mga2
emacs-common-23.3-8.1.mga2
emacs-doc-23.3-8.1.mga2
emacs-el-23.3-8.1.mga2
emacs-leim-23.3-8.1.mga2
emacs-nox-23.3-8.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3479
http://lists.fedoraproject.org/pipermail/package-announce...
http://lists.fedoraproject.org/pipermail/package-announce...
https://bugs.mageia.org/show_bug.cgi?id=6995
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
(Log in to post comments)