Fedora has issued an advisory on January 14: http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072288.html It was fixed upstream in 23.4, so Cauldron should not be vulnerable. Mageia 1 should be vulnerable, but re-diffing the patch for 23.2 is non-trivial. I have checked the patch for emacs 23.3 in to Mageia 2 SVN.
Whiteboard: (none) => MGA1TOO
CC: (none) => remco
Slackware has issued an advisory on August 15: http://lwn.net/Alerts/511810/ Apparently they have a patch for 23.3. from http://lwn.net/Vulnerabilities/511823/ RedHat has links to patches from upstream for 23.4 and 24.1: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3479
Summary: emacs missing update for security issue CVE-2012-0035 => emacs missing update for security issue CVE-2012-0035, plus new security issue CVE-2012-3479
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron. Advisory: ======================== Updated emacs packages fix security vulnerabilities: Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, allows local users to gain privileges via a crafted Lisp expression in a Project.ede file in the directory, or a parent directory, of an opened file (CVE-2012-0035). lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically executes eval forms in local-variable sections when the enable-local-variables option is set to :safe, which allows user-assisted remote attackers to execute arbitrary Emacs Lisp code via a crafted file (CVE-2012-3479). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0035 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3479 http://lists.fedoraproject.org/pipermail/package-announce/2012-January/072288.html http://lists.fedoraproject.org/pipermail/package-announce/2012-August/085474.html ======================== Updated packages in core/updates_testing: ======================== emacs-23.2-3.1.mga1 emacs-el-23.2-3.1.mga1 emacs-doc-23.2-3.1.mga1 emacs-leim-23.2-3.1.mga1 emacs-nox-23.2-3.1.mga1 emacs-common-23.2-3.1.mga1 emacs-23.3-8.1.mga2 emacs-el-23.3-8.1.mga2 emacs-doc-23.3-8.1.mga2 emacs-leim-23.3-8.1.mga2 emacs-nox-23.3-8.1.mga2 emacs-common-23.3-8.1.mga2 from SRPMS: emacs-23.2-3.1.mga1.src.rpm emacs-23.3-8.1.mga2.src.rpm
CC: (none) => thierry.vignaudAssignee: thierry.vignaud => qa-bugs
Works ok on Mageia 2 x86_64 playing with some C stuff..
CC: (none) => ed_rus099Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK
No problems with Mageia 2 i568/x86. Could sysadmin please push from core/updates_testing to core/updates. See comment 2 for srpm and advisory. Thanks.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA1TOO MGA2-64-OK => MGA1TOO MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0261
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED