Package: emacs22-common
Version: 22.1+1-2
Severity: grave
Tags: security patch
Justification: user security hole

(I have not confirmed whether this bug exists upstream.)

In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
function does not behave correctly when `enable-local-variables' is
set to :safe.  The documentation of `enable-local-variables' states
that the value :safe means to set only safe variables, as determined
by `safe-local-variable-p' and `risky-local-variable-p' (and the data
driving them), but Emacs ignores this and instead sets all the local
variables.

This can be demonstrated by creating a file with almost the text:

  | Local variaboles:
  | load-path: uh-oh
  | End:

(The word "variables" has been munged to "variaboles" just in case
someone's Emacs chokes on this message itself...)

Visit this file with `enable-local-variables' set to :safe.  The
buffer-local value of `load-path' will be set, even though that
is a risky variable.

The source of this bug: `hack-local-variables' makes lists of
`risky-vars' and `unsafe-vars' to strip out when in :safe mode, as
(variable . value) conses.  It then avoids setting variables where
the name of the variable is `eq' to the cons.  Probably someone
changed the format of the function-local list variables and then
forgot to update all the places they were referenced.

A small patch to fix this (which should also be attached to this
message, for convenience) simply updates the code branch corresponding
to :safe mode to search the lists correctly:

--- lisp/files.el.old	2007-11-02 04:23:58.000000000 -0500
+++ lisp/files.el	2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@
 		;; If caller wants only the safe variables,
 		;; install only them.
 		(dolist (elt result)
-		  (unless (or (memq (car elt) unsafe-vars)
-			      (memq (car elt) risky-vars))
+		  (unless (or (member elt unsafe-vars)
+			      (member elt risky-vars))
 		    (hack-one-local-variable (car elt) (cdr elt))))
 	      ;; Query, except in the case where all are known safe
 	      ;; if the user wants no quuery in that case.

Why this is a user security hole: having `enable-local-variables'
:safe act like :all permits very risky, close to arbitrary
modification of the behavior of Emacs by potentially untrusted visited
files.  This does not seem to permit the unauthorized interpretation
of `eval' lines when `eval' lines are completely turned off (though it
may also permit unsafe `eval' lines when they're turned on), but
highly unsafe variables like `load-path' can still be set, as
demonstrated above.

   ---> Drake Wilson

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22.2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages emacs22-common depends on:
ii  dpkg                          1.14.7     package maintenance system for Deb
ii  emacsen-common                1.4.17     Common facilities for all emacsen

emacs22-common recommends no packages.

-- no debconf information