Security fix for CVE-2012-3479

GNU Emacs "enable-local-variables" Variable Processing Vulnerability patch from upstream git; earlier releases are not affected
2012-08-17 09:09:01 +00:00 · 2012-08-17 09:09:01 +00:00 · cfee2c6b0f
commit cfee2c6b0f
parent ae2bb3270f
2 changed files with 40 additions and 2 deletions
--- a/editors/emacs23/Makefile
+++ b/editors/emacs23/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.18 2012/08/11 22:55:39 pascal Exp $
+# $OpenBSD: Makefile,v 1.19 2012/08/17 09:09:01 jasper Exp $

 COMMENT-main =		GNU editor: extensible, customizable, self-documenting
 COMMENT-el =		elisp sources for those who want to read/modify them
@ -10,7 +10,8 @@ PKGNAME-main =		emacs-${VERSION}
 FULLPKGNAME-el =	emacs-el-${VERSION}
 FULLPKGPATH-el =	editors/emacs23,-el

-REVISION =		2
+REVISION-main =		4
+REVISION-el =		4

 CATEGORIES =		editors

--- a/editors/emacs23/patches/patch-lisp_files_el
+++ b/editors/emacs23/patches/patch-lisp_files_el
@ -0,0 +1,37 @@
+$OpenBSD: patch-lisp_files_el,v 1.1 2012/08/17 09:09:01 jasper Exp $
+
+Security fix for CVE-2012-3479, GNU Emacs "enable-local-variables" Variable Processing Vulnerability
+
+From 90c310d22c6f06332257c816253c642fd2bf90aa Mon Sep 17 00:00:00 2001
+From: Glenn Morris <rgm@gnu.org>
+Date: Tue, 07 Aug 2012 18:41:39 +0000
+Subject: hack-local-variables-filter fix for bug#12155
+
+* lisp/files.el (hack-local-variables-filter): If an eval: form is not
+known to be safe, and enable-local-variables is :safe, then ignore
+the form totally, as is done for non-eval forms.
+
+--- lisp/files.el.orig	Wed Jan 11 13:35:01 2012
+++ lisp/files.el	Fri Aug 17 10:54:45 2012
+@@ -2986,11 +2986,16 @@ DIR-NAME is a directory name if these settings come fr
+ 	      ;; Obey `enable-local-eval'.
+ 	      ((eq var 'eval)
+ 	       (when enable-local-eval
+-		 (push elt all-vars)
+-		 (or (eq enable-local-eval t)
+-		     (hack-one-local-variable-eval-safep (eval (quote val)))
+-		     (safe-local-variable-p var val)
+-		     (push elt unsafe-vars))))
+		 (let ((safe (or (hack-one-local-variable-eval-safep
+				  (eval (quote val)))
+				 ;; In case previously marked safe (bug#5636).
+				 (safe-local-variable-p var val))))
+		   ;; If not safe and e-l-v = :safe, ignore totally.
+		   (when (or safe (not (eq enable-local-variables :safe)))
+		     (push elt all-vars)
+		     (or (eq enable-local-eval t)
+			 safe
+			 (push elt unsafe-vars))))))
+ 	      ;; Ignore duplicates (except `mode') in the present list.
+ 	      ((and (assq var all-vars) (not (eq var 'mode))) nil)
+ 	      ;; Accept known-safe variables.