calculate/gentoo-full-overlay
4
1
Fork 0
Code Issues Pull requests Releases Wiki Activity
gentoo-full-overlay/metadata/glsa/glsa-201403-05.xml

67 lines
2.4 KiB
XML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201403-05">
<title>GNU Emacs: Multiple vulnerabilities</title>
<synopsis>Two vulnerabilities have been found in GNU Emacs, possibly leading
to user-assisted execution of arbitrary code.
</synopsis>
<product type="ebuild">emacs</product>
<announced>March 20, 2014</announced>
<revised>March 20, 2014: 1</revised>
<bug>398239</bug>
<bug>431178</bug>
<access>remote</access>
<affected>
<package name="app-editors/emacs" auto="yes" arch="*">
<unaffected range="ge">24.1-r1</unaffected>
<unaffected range="rge">23.4-r4</unaffected>
<unaffected range="lt">23.2</unaffected>
<vulnerable range="lt">24.1-r1</vulnerable>
</package>
</affected>
<background>
<p>GNU Emacs is a highly extensible and customizable text editor.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GNU Emacs:</p>
<ul>
<li>When global-ede-mode is enabled, EDE in Emacs automatically
loads a Project.ede file from the project directory (CVE-2012-0035).
</li>
<li>When enable-local-variables is set to :safe, Emacs
automatically processes eval forms (CVE-2012-3479).
</li>
</ul>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted file,
possibly resulting in execution of arbitrary code with the privileges of
the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GNU Emacs 24.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-24.1-r1"
</code>
<p>All GNU Emacs 23.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-23.4-r4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0035">CVE-2012-0035</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3479">CVE-2012-3479</uri>
</references>
<metadata tag="requester" timestamp="Mon, 16 Jan 2012 09:37:15 +0000">ago</metadata>
<metadata tag="submitter" timestamp="Thu, 20 Mar 2014 10:30:13 +0000">ackle</metadata>
</glsa>
Reference in a new issue View git blame Copy permalink