Re: Security flaw in EDE; new release plans
From: Daniel Colascione
Subject: Re: Security flaw in EDE; new release plans
Date: Sun, 08 Jan 2012 22:33:11 -0800
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0
On 1/8/12 10:07 PM, Chong Yidong wrote:
> A patch to fix this problem, for the Emacs 23.3 release, is attached.
> It prevents EDE from loading Project.ede files, except in directories
> explicitly designated as "safe" by the user via the new list variable
> `ede-project-directories'. The value of this variable is initially the
> empty list; Emacs offers to add to it when the user invokes the `M-x
> ede' or `M-x ede-new' command. EDE project types that do not use
> Project.ede (e.g. those that scan makefiles for build information) are
> unaffected, since they do not involve loading Lisp code.
It's great that this is being fixed so quickly.
> Due to this problem, we will make a 23.4 release from the emacs-23
> branch.
[snip]
> In a few days,
> I will make the 23.3.90 pretest; during this brief window, if anyone
> thinks there is another bug fix that ought to go into 23.4, please
> promptly raise the issue on emacs-devel---but we will be very
> conservative about allowing commits, in order to release 23.4 ASAP.
I never got around to committing the patch below to the emacs-23
branch. Would it be okay to add it before the 23.4 release?
*** /a/simple.el 2012-01-08 22:29:04.904878400 -0800
--- /b/simple.el 2012-01-08 22:29:18.867504900 -0800
***************
*** 6660,6665 ****
--- 6660,6667 ----
(display-warning package (nth 3 list) :warning)))
(error nil)))
+ (put 'lexical-binding 'safe-local-variable t)
+
(mapc (lambda (elem)
(eval-after-load (car elem) `(bad-package-check ',(car elem))))
bad-packages-alist)
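Review bot: The added `(put 'lexical-binding 'safe-local-variable t)` sets the property to `t`, but the `safe-local-variable` property is documented as a one-argument predicate applied to the value a file supplies, so this line should name one, for example `(put 'lexical-binding 'safe-local-variable 'booleanp)`, which restricts accepted values to `t` and `nil`. The line also sits between the end of the preceding form and the `mapc` over `bad-packages-alist` with no comment; a one-line comment saying why a file may set `lexical-binding` without a prompt would help, since marking a variable safe removes the confirmation the user would otherwise see.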