Bug 366801 (CVE-2007-5795)

Summary: CVE-2007-5795 emacs insufficient safe mode checks
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5795
Fixed In Version: 22.1-8.fc8
Doc Type: Bug Fix
Last Closed: 2007-11-17 05:33:12 UTC
Bug Depends On: 367581, 367591, 367601

Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
CC: coldwell

Description Tomas Hoger 2007-11-05 13:53:31 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5795 to the following vulnerability:

The hack-local-variables function in Emacs before 22.2, when
enable-local-variables is set to :safe, does not properly search lists of
unsafe or risky variables, which might allow user-assisted attackers to bypass
intended restrictions and modify critical program variables via a file
containing a Local variables declaration.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449008

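The :safe setting named in the CVE text is meant to install only file-local variables that Emacs positively knows to be harmless, and to refuse everything flagged unsafe or risky. The block below is an added example written for this page in Emacs Lisp; it is not code from Emacs's files.el, nor the upstream or distribution fix. It spells out that filtering against the predicates Emacs itself provides (`safe-local-variable-p`, `risky-local-variable-p`, `safe-local-eval-form-p`), so each decision on a sample Local Variables block is visible. The `example-` functions and the sample alist are assumptions of this example.

```elisp
;; Added example (not Emacs's own files.el): the filtering that
;; `enable-local-variables' set to :safe is supposed to apply, written out
;; against Emacs's own predicates.  The `example-' names and the sample
;; alist below are constructed for this page.
;;
;; The setting under discussion, as a user would put it in ~/.emacs:
;;   (setq enable-local-variables :safe)

(defun example-classify-local-variable (var val)
  "Return :safe, :risky or :unknown for the file-local assignment VAR = VAL."
  (cond
   ;; `eval' is acceptable only when the form is on `safe-local-eval-forms'
   ;; or its car carries a `safe-local-eval-function' property.
   ((eq var 'eval)
    (if (safe-local-eval-form-p val) :safe :risky))
   ;; Variables whose `safe-local-variable' predicate accepts VAL.
   ((safe-local-variable-p var val) :safe)
   ;; Variables marked risky by property, or by name (-hook, -function,
   ;; -map, -program, ...).
   ((risky-local-variable-p var) :risky)
   ;; No safe predicate and not known risky: under :safe this must be
   ;; refused as well, not silently installed.
   (t :unknown)))

(defun example-safe-local-variables (alist)
  "Return only the (VAR . VAL) pairs of ALIST that :safe mode may install.
The filter keeps what is positively safe; it does not merely drop what it
recognises as risky, so a failed lookup fails closed."
  (let (safe)
    (dolist (elt alist (nreverse safe))
      (when (eq (example-classify-local-variable (car elt) (cdr elt)) :safe)
        (push elt safe)))))

;; Constructed sample: the alist `hack-local-variables' would collect from
;; a file whose trailer reads
;;
;;   ;; Local Variables:
;;   ;; fill-column: 72
;;   ;; eval: (shell-command "id")
;;   ;; find-file-hook: ((lambda () (shell-command "id")))
;;   ;; my-undeclared-setting: 1
;;   ;; End:
(defconst example-local-variables
  '((fill-column . 72)
    (eval . (shell-command "id"))
    (find-file-hook . ((lambda () (shell-command "id"))))
    (my-undeclared-setting . 1)))

;; Evaluate these two forms (C-x C-e, or in M-x ielm) to see the decisions.
(mapcar (lambda (elt)
          (list (car elt)
                (example-classify-local-variable (car elt) (cdr elt))))
        example-local-variables)

(example-safe-local-variables example-local-variables)
```

With a stock Emacs, `fill-column` passes because it carries a `safe-local-variable` predicate (`integerp`), the `eval` form is refused because `(shell-command "id")` is not a whitelisted safe form, `find-file-hook` is risky by name, and the undeclared variable is neither, so only `(fill-column . 72)` survives. The point to carry over to the CVE is the last branch and the shape of `example-safe-local-variables`: a :safe filter that enumerates what to reject, and then looks the wrong thing up in those reject lists, installs everything it fails to find.
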
Comment 7 Fedora Update System 2007-11-08 05:59:15 UTC
emacs-22.1-8.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update emacs'

Comment 9 Tomas Hoger 2007-11-08 13:39:22 UTC
This issue only affected emacs as of version 22.

This issue did not affect versions of emacs packages as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5.

Updates for Fedora 7 and Fedora 8 were built and will be pushed to the stable
repository shortly.

Comment 11 Fedora Update System 2007-11-09 23:46:30 UTC
emacs-22.1-5.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update emacs'

Comment 12 Fedora Update System 2007-11-17 05:33:08 UTC
emacs-22.1-8.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2007-11-17 05:34:31 UTC
emacs-22.1-5.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.