From: Romain Francoise
Newsgroups: gmane.emacs.devel
Subject: Fwd: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 02 Nov 2007 12:16:30 +0100
Organization: orebokech dot com
Message-ID: <87zlxwganl.fsf@elegiac.orebokech.com>
To: emacs-devel@gnu.org
Cc: Drake Wilson

Hi all,

This report was sent to the Debian bug tracking system, and after verifying that the bug still existed in CVS I've installed the attached patch in EMACS_22_BASE and in the trunk. Let me know if there are any issues.

From: Drake Wilson
Newsgroups: gmane.linux.debian.devel.bugs.rc
Subject: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 02 Nov 2007 04:56:52 -0500
Message-ID: <20071102095652.26866.52602.reportbug__36470.6036322334$1193997879$gmane$org@drache.begriffli.ch>
Reply-To: Drake Wilson, 449008@bugs.debian.org
To: Debian Bug Tracking System

Package: emacs22-common
Version: 22.1+1-2
Severity: grave
Tags: security patch
Justification: user security hole

(I have not confirmed whether this bug exists upstream.)

In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables' function does not behave correctly when `enable-local-variables' is set to :safe. The documentation of `enable-local-variables' states that the value :safe means to set only safe variables, as determined by `safe-local-variable-p' and `risky-local-variable-p' (and the data driving them), but Emacs ignores this and instead sets all the local variables.

This can be demonstrated by creating a file with almost the text:

| Local variaboles:
| load-path: uh-oh
| End:

(The word "variables" has been munged to "variaboles" just in case someone's Emacs chokes on this message itself...)

Visit this file with `enable-local-variables' set to :safe. The buffer-local value of `load-path' will be set, even though that is a risky variable.

The source of this bug: `hack-local-variables' makes lists of `risky-vars' and `unsafe-vars' to strip out when in :safe mode, as (variable . value) conses. It then avoids setting variables where the name of the variable is `eq' to the cons. Probably someone changed the format of the function-local list variables and then forgot to update all the places they were referenced.

A small patch to fix this (which should also be attached to this message, for convenience) simply updates the code branch corresponding to :safe mode to search the lists correctly:

--- lisp/files.el.old 2007-11-02 04:23:58.000000000 -0500 +++ lisp/files.el 2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@ ;; If caller wants only the safe variables, ;; install only them. (dolist (elt result) - (unless (or (memq (car elt) unsafe-vars) - (memq (car elt) risky-vars)) + (unless (or (member elt unsafe-vars) + (member elt risky-vars)) (hack-one-local-variable (car elt) (cdr elt)))) ;; Query, except in the case where all are known safe ;; if the user wants no quuery in that case.

Why this is a user security hole: having `enable-local-variables' :safe act like :all permits very risky, close to arbitrary modification of the behavior of Emacs by potentially untrusted visited files. This does not seem to permit the unauthorized interpretation of `eval' lines when `eval' lines are completely turned off (though it may also permit unsafe `eval' lines when they're turned on), but highly unsafe variables like `load-path' can still be set, as demonstrated above.

   ---> Drake Wilson

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22.2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages emacs22-common depends on:
ii  dpkg            1.14.7  package maintenance system for Deb
ii  emacsen-common  1.4.17  Common facilities for all emacsen

emacs22-common recommends no packages.

-- no debconf information

Content-Disposition: attachment; filename=emacs22-files-el-20071102-dpw.patch

--- lisp/files.el.old 2007-11-02 04:23:58.000000000 -0500 +++ lisp/files.el 2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@ ;; If caller wants only the safe variables, ;; install only them. (dolist (elt result) - (unless (or (memq (car elt) unsafe-vars) - (memq (car elt) risky-vars)) + (unless (or (member elt unsafe-vars) + (member elt risky-vars)) (hack-one-local-variable (car elt) (cdr elt)))) ;; Query, except in the case where all are known safe ;; if the user wants no quuery in that case.
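
Review bot: In the `unless' test of the :safe branch, `(member elt unsafe-vars)' and `(member elt risky-vars)' compare the whole (variable . value) cons with `equal', so whether a variable is skipped depends on its value matching as well as its name. Since the report says both lists hold (variable . value) conses, `(assq (car elt) unsafe-vars)' and `(assq (car elt) risky-vars)' would key the check on the variable name alone, which is what the removed `memq' lines were trying to express, and would also skip a repeated entry for the same variable carrying a different value. Because the report attributes the bug to a list format change that was not propagated, a short comment where `unsafe-vars' and `risky-vars' are built stating that their elements are conses, and a look at the other places in `hack-local-variables' that read them, would help keep this from regressing. The context comment in the same hunk also has a typo, "quuery".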