OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/emacs?expand=0&rev=27

emacs-22.1-fast-lock.patch

@@ -0,0 +1,37 @@
+CVE-2008-2142
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2142
+http://thread.gmane.org/gmane.emacs.devel/96903
+http://article.gmane.org/gmane.emacs.devel/97038
+http://article.gmane.org/gmane.emacs.devel/97074
+
+--- lisp/obsolete/fast-lock.el
++++ lisp/obsolete/fast-lock.el	2008-05-13 11:33:10.000000000 +0200
+@@ -286,7 +286,7 @@ for buffers in Rmail mode, and size is i
+ 				      (integer :tag "size")))))
+   :group 'fast-lock)
+ 
+-(defcustom fast-lock-cache-directories '("." "~/.emacs-flc")
++(defcustom fast-lock-cache-directories '("~/.emacs-flc")
+ ; - `internal', keep each file's Font Lock cache file in the same file.
+ ; - `external', keep each file's Font Lock cache file in the same directory.
+   "*Directories in which Font Lock cache files are saved and read.
+@@ -304,13 +304,18 @@ For example:
+  ((\"^/your/true/home/directory/\" . \".\") \"~/.emacs-flc\")
+ 
+ would cause a file's current directory to be used if the file is under your
+-home directory hierarchy, or otherwise the absolute directory `~/.emacs-flc'."
++home directory hierarchy, or otherwise the absolute directory `~/.emacs-flc'.
++For security reasons, it is not advisable to use the file's current directory
++to avoid the possibility of using the cache of another user."
+   :type '(repeat (radio (directory :tag "directory")
+ 			(cons :tag "Matching"
+ 			      (regexp :tag "regexp")
+ 			      (directory :tag "directory"))))
+   :group 'fast-lock)
+ 
++;;;###autoload
++(put 'fast-lock-cache-directories 'risky-local-variable t)
++
+ (defcustom fast-lock-save-events '(kill-buffer kill-emacs)
+   "*Events under which caches will be saved.
+ Valid events are `save-buffer', `kill-buffer' and `kill-emacs'.

emacs.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue May 13 12:10:45 CEST 2008 - werner@suse.de
+
+- Add fix for fast-lock-mode arbitrary lips code execution (bnc#389154)
+
 -------------------------------------------------------------------
 Mon Mar 31 13:08:37 CEST 2008 - werner@suse.de
 

emacs.spec

@@ -21,7 +21,7 @@ Requires:       emacs-info ctags emacs_program
 Provides:       ge_site ge_exec emacs-url Mule-UCS emacs-calc erc
 AutoReqProv:    on
 Version:        22.2
-Release:        1
+Release:        18
 Summary:        GNU Emacs Base Package
 Source:         emacs-22.2.tar.bz2
 Source1:        app-defaults.Emacs
@@ -45,6 +45,7 @@ Patch12:        emacs-22.0.99-x11r7.patch
 Patch13:        emacs-22.0.99-s390x.dif
 Patch14:        emacs-22.1-conf.diff
 Patch15:        emacs-22.2-iconic.patch
+Patch16:        emacs-22.1-fast-lock.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)}
 %if "%_exec_prefix" == "/usr/X11R6"
@@ -220,6 +221,7 @@ Authors:
 %patch13 -p0 -b .s390x
 %patch14 -p0 -b .conf
 %patch15 -p0 -b .iconic
+%patch16 -p0 -b .flc
 %patch
 if test ! -e $HOME/.mh_profile && type -p install-mh > /dev/null 2>&1; then
     install-mh -auto < /dev/null
@@ -441,6 +443,9 @@ rm -vf %{buildroot}/usr/share/emacs/%{version}/lisp/ldefs-boot.el.psbdf
 rm -vf %{buildroot}/usr/share/emacs/%{version}/lisp/ps-mule.el.psmu
 rm -vf %{buildroot}/usr/share/emacs/%{version}/lisp/textmodes/ispell.el.psmu
 rm -vf %{buildroot}/usr/share/emacs/%{version}/lisp/files.el.CVE20075795
+rm -vf %{buildroot}/usr/share/emacs/%{version}/lisp/fast-lock.el.flc
+rm -vf %{buildroot}/usr/share/emacs/%{version}/lisp/obsolete/fast-lock.el.flc
+rm -vf %{buildroot}/usr/share/emacs/%{version}/lisp/loaddefs.el.flc
 unelc  %{buildroot}/usr/share/emacs/%{version}/lisp/bindings.elc
 unelc  %{buildroot}/usr/share/emacs/%{version}/lisp/cus-start.elc
 unelc  %{buildroot}/usr/share/emacs/%{version}/lisp/generic-x.elc
@@ -3272,6 +3277,8 @@ done
 /usr/share/emacs/%{version}/lisp/xt-mouse.el.gz
 
 %changelog
+* Tue May 13 2008 werner@suse.de
+- Add fix for fast-lock-mode arbitrary lips code execution (bnc#389154)
 * Mon Mar 31 2008 werner@suse.de
 - Update to emacs version 22.1
   * Relicense all FSF files to GPLv3 or later.