+emacs22 (22.1+1-3) unstable; urgency=low
+
+ * Incorporate a patch to fix a vulnerability in the handling of file
+ local variables (CVE-2007-5795) (closes: #449008). Thanks to Drake
+ Wilson <drake@begriffli.ch>, and also thanks to Romain Francoise for
+ the 22.1+1-2.1 NMU. [rlb]
+
+ -- Rob Browning <rlb@defaultvalue.org> Fri, 23 Nov 2007 16:12:04 -0800
+
emacs22 (22.1+1-2) unstable; urgency=low
* Fix mail locking patch for Debian's non-Linux architectures. Thanks
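Review bot: urgency=low on the new 22.1+1-3 header line looks too low for an upload whose only listed change is the CVE-2007-5795 fix; consider urgency=medium or high so the fix is not held back by the longer migration delay that low urgency implies. Separately, the entry thanks Romain Francoise for the 22.1+1-2.1 NMU, but the next stanza in the context is 22.1+1-2, so the NMU's own changelog stanza appears not to be included here; it should be carried over so the acknowledged upload is actually recorded.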
--- /dev/null
+* A security vulnerability in the handling of local variables has been fixed.
+ Patch: cve-2007-5795.diff
+ Provided-by: Drake Wilson <drake@begriffli.ch>
+ Date: Sat Nov 24 00:39:36 UTC 2007
+ Added-by: Rob Browning <rlb@defaultvalue.org>
+ Status: merged upstream
+
+ Upstream changelog entry:
+
+ 2007-11-02 Drake Wilson <drake@begriffli.ch> (tiny change)
+
+ * files.el (hack-local-variables): Fix membership tests to avoid
+ treating all variables as safe if `enable-local-variables' is
+ set to :safe.
+
+--- a/lisp/files.el
++++ b/lisp/files.el
+@@ -2736,8 +2736,8 @@
+ ;; If caller wants only the safe variables,
+ ;; install only them.
+ (dolist (elt result)
+- (unless (or (memq (car elt) unsafe-vars)
+- (memq (car elt) risky-vars))
++ (unless (or (member elt unsafe-vars)
++ (member elt risky-vars))
+ (hack-one-local-variable (car elt) (cdr elt))))
+ ;; Query, except in the case where all are known safe
+ ;; if the user wants no quuery in that case.
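Review bot: In the dolist under "install only them", the test now passes the whole elt to member where it used to pass (car elt) to memq, which is only correct if unsafe-vars and risky-vars hold (VAR . VAL) pairs rather than bare symbols, and nothing in the visible lines states that. A one-line comment above the unless naming the element shape of those two lists would keep a later cleanup from switching back to memq on (car elt) and reintroducing the :safe bypass that the upstream changelog entry describes. The patch also carries no regression test for enable-local-variables set to :safe, and the trailing context comment contains the typo "quuery", which is worth fixing upstream rather than in this Debian patch.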