Mageia Bugzilla – Bug 6995
emacs missing update for security issue CVE-2012-0035, plus new security issue CVE-2012-3479
Last modified: 2012-09-09 13:30:19 CEST
Fedora has issued an advisory on January 14:
It was fixed upstream in 23.4, so Cauldron should not be vulnerable.
Mageia 1 should be vulnerable, but re-diffing the patch for 23.2 is non-trivial.
I have checked the patch for emacs 23.3 in to Mageia 2 SVN.
Slackware has issued an advisory on August 15:
Apparently they have a patch for 23.3.
RedHat has links to patches from upstream for 23.4 and 24.1:
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.
Updated emacs packages fix security vulnerabilities:
Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used
in GNU Emacs before 23.4 and other products, allows local users to gain
privileges via a crafted Lisp expression in a Project.ede file in the
directory, or a parent directory, of an opened file (CVE-2012-0035).
lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically executes
eval forms in local-variable sections when the enable-local-variables
option is set to :safe, which allows user-assisted remote attackers to
execute arbitrary Emacs Lisp code via a crafted file (CVE-2012-3479).
Updated packages in core/updates_testing:
Works ok on Mageia 2 x86_64 playing with some C stuff..
No problems with Mageia 2 i568/x86.
Could sysadmin please push from core/updates_testing to core/updates.
See comment 2 for srpm and advisory.