Paul Ling has found a security flaw in the file-local variables code in
GNU Emacs.  When the user option `enable-local-variables' is set to
`:safe' (the default value is t), Emacs should automatically refuse to
evaluate `eval' forms in file-local variable sections.  Due to the bug,
Emacs instead automatically evaluates such `eval' forms.

Thus, if the user changes the value of `enable-local-variables' to
`:safe', visiting a malicious file can cause automatic execution of
arbitrary Emacs Lisp code with the permissions of the user.

The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.

Attached are patches to fix this bug for Emacs 23.4 and Emacs 24.1,
written by Glenn Morris.  (The 23.4 patch should apply to the rest of
the Emacs 23.x series.)

Due to this problem, I plan to make a 24.2 release from the emacs-24
development branch.  The fix has already been committed to the emacs-24
branch, as well as the trunk.  I would like to make the release in a few
days; say, by the end of the week.  If there are any obviously-safe
bugfixes in the trunk which you would like to see backported to the
emacs-24 branch, please point these out ASAP.  Note also that this means
the current development trunk will be scheduled for Emacs 24.3.