A flaw was found in EDE (part of CEDET, and included in emacs and xemacs in Fedora). Quoting the report from emacs-devel [1]: Hiroshi Oota has found a security flaw in EDE (part of CEDET), a development tool included in Emacs. EDE can store various information about a project, such as how to build the project, in a file named Project.ede in the project directory tree. When the minor mode `global-ede-mode' is enabled, visiting a file causes Emacs to look for Project.ede in the file's directory or one of its parent directories. If Project.ede is present, Emacs automatically reads and evaluates the first Lisp expression in it. This design exposes EDE users to the danger of loading malicious code from one file (Project.ede), simply by visiting another file in the same directory tree. A patch for emacs 23.3 is attached to the initial report [1], and emacs 23.4 will be released to correct this flaw. This has also been corrected upstream [2] in CEDET (which we do not ship on its own). I am not 100% sure that this affects xemacs; there is the implication that it does as an upstream bug [3] was filed, however it is currently private so I cannot see the status of the report. For Red Hat Enterprise Linux, the shipped versions of emacs do not include CEDET; it was merged into emacs with version 23.2 (RHEL6 has 23.1). [1] http://lists.gnu.org/archive/html/emacs-devel/2012-01/msg00387.html [2] http://cedet.bzr.sourceforge.net/bzr/cedet/code/trunk/revision/8114 [3] http://tracker.xemacs.org/XEmacs/its/issue825 Statement: Not vulnerable. This issue did not affect the versions of emacs as shipped with Red Hat Enterprise Linux 4, 5 or 6 as they did not include support for CEDET.
Created emacs tracking bugs for this issue Affects: fedora-all [bug 773024]
Created xemacs tracking bugs for this issue Affects: fedora-all [bug 773025]
For RHEL5 and 6 xemacs is within EPEL5 and 6 and this does contain: /usr/share/xemacs/xemacs-packages/lisp/ede so checking if its really not vulnerable. The package is very close to the fedora one so I expect so. Steve.
Oh, it most likely would affect xemacs in EPEL then, since it's pretty close to the version in Fedora. Again, with the upstream xemacs bug being private, it's difficult to tell whether or not xemacs is affected at all (I suspect it is, but don't know for sure). I can file an EPEL tracker for xemacs if you like (sorry, I completely missed it).
emacs-23.3-8.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
emacs-23.3-9.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Steve Traylen from comment #3) > For RHEL5 and 6 xemacs is within EPEL5 and 6 and this does contain: > > /usr/share/xemacs/xemacs-packages/lisp/ede > > so checking if its really not vulnerable. The package is very close to the > fedora one so I expect so. > > Steve. Hi Steve, Did you find if xemacs in EPEL was vulnerable? From a brief look at EPEL 6 it was missing some of the files the patch changes. Should I test further or you have already done that? Thanks