From cfee2c6b0f9458cd2414876d911baec8d8273146 Mon Sep 17 00:00:00 2001
From: jasper
Date: Fri, 17 Aug 2012 09:09:01 +0000
Subject: [PATCH] Security fix for CVE-2012-3479 GNU Emacs "enable-local-variables" Variable Processing Vulnerability patch from upstream git; earlier releases are not affected
---
 editors/emacs23/Makefile | 5 +--
 editors/emacs23/patches/patch-lisp_files_el | 37 +++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 editors/emacs23/patches/patch-lisp_files_el
diff --git a/editors/emacs23/Makefile b/editors/emacs23/Makefile
index b1a3f27b930..ed0dbe14479 100644
--- a/editors/emacs23/Makefile
+++ b/editors/emacs23/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.18 2012/08/11 22:55:39 pascal Exp $
+# $OpenBSD: Makefile,v 1.19 2012/08/17 09:09:01 jasper Exp $
 COMMENT-main = GNU editor: extensible, customizable, self-documenting
 COMMENT-el = elisp sources for those who want to read/modify them
@@ -10,7 +10,8 @@ PKGNAME-main = emacs-${VERSION}
 FULLPKGNAME-el = emacs-el-${VERSION}
 FULLPKGPATH-el = editors/emacs23,-el
-REVISION = 2
+REVISION-main = 4
+REVISION-el = 4
 CATEGORIES = editors
diff --git a/editors/emacs23/patches/patch-lisp_files_el b/editors/emacs23/patches/patch-lisp_files_el
new file mode 100644
index 00000000000..5e0cbd7940b
--- /dev/null
+++ b/editors/emacs23/patches/patch-lisp_files_el
@@ -0,0 +1,37 @@
+$OpenBSD: patch-lisp_files_el,v 1.1 2012/08/17 09:09:01 jasper Exp $
+
+Security fix for CVE-2012-3479, GNU Emacs "enable-local-variables" Variable Processing Vulnerability
+
+From 90c310d22c6f06332257c816253c642fd2bf90aa Mon Sep 17 00:00:00 2001
+From: Glenn Morris
+Date: Tue, 07 Aug 2012 18:41:39 +0000
+Subject: hack-local-variables-filter fix for bug#12155
+
+* lisp/files.el (hack-local-variables-filter): If an eval: form is not
+known to be safe, and enable-local-variables is :safe, then ignore
+the form totally, as is done for non-eval forms.
+
+--- lisp/files.el.orig Wed Jan 11 13:35:01 2012
++++ lisp/files.el Fri Aug 17 10:54:45 2012
+@@ -2986,11 +2986,16 @@ DIR-NAME is a directory name if these settings come fr
+ ;; Obey `enable-local-eval'.
+ ((eq var 'eval)
+ (when enable-local-eval
+- (push elt all-vars)
+- (or (eq enable-local-eval t)
+- (hack-one-local-variable-eval-safep (eval (quote val)))
+- (safe-local-variable-p var val)
+- (push elt unsafe-vars))))
++ (let ((safe (or (hack-one-local-variable-eval-safep
++ (eval (quote val)))
++ ;; In case previously marked safe (bug#5636).
++ (safe-local-variable-p var val))))
++ ;; If not safe and e-l-v = :safe, ignore totally.
++ (when (or safe (not (eq enable-local-variables :safe)))
++ (push elt all-vars)
++ (or (eq enable-local-eval t)
++ safe
++ (push elt unsafe-vars))))))
+ ;; Ignore duplicates (except `mode') in the present list.
+ ((and (assq var all-vars) (not (eq var 'mode))) nil)
+ ;; Accept known-safe variables.
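Review bot: The patch changes only lisp/files.el, and nothing visible in this commit shows the byte-compiled lisp/files.elc being regenerated. files.el is one of the preloaded Lisp files, so if the build were to reuse a files.elc shipped in the distfile, the installed emacs would presumably keep the old `hack-local-variables-filter` and still process unsafe `eval:` forms when `enable-local-variables` is `:safe`. It is worth confirming that the port's build recompiles the file after patching, and recording that in the patch header, for example `files.el is preloaded: lisp/files.elc must be rebuilt for this fix to take effect.` The cond clause shown belongs to `hack-local-variables-filter`, whose body starts and ends outside the hunk.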