Re: Security flaw in EDE; new release plans

[Daniel Colascione]

On 1/8/12 10:07 PM, Chong Yidong wrote:
> A patch to fix this problem, for the Emacs 23.3 release, is attached.
> It prevents EDE from loading Project.ede files, except in directories
> explicitly designated as "safe" by the user via the new list variable
> `ede-project-directories'.  The value of this variable is initially the
> empty list; Emacs offers to add to it when the user invokes the `M-x
> ede' or `M-x ede-new' command.  EDE project types that do not use
> Project.ede (e.g. those that scan makefiles for build information) are
> unaffected, since they do not involve loading Lisp code.

It's great that this is being fixed so quickly.

> Due to this problem, we will make a 23.4 release from the emacs-23
> branch.
[snip]
> In a few days,
> I will make the 23.3.90 pretest; during this brief window, if anyone
> thinks there is another bug fix that ought to go into 23.4, please
> promptly raise the issue on emacs-devel---but we will be very
> conservative about allowing commits, in order to release 23.4 ASAP.

I never got around to committing the patch below to the emacs-23
branch. Would it be okay to add it before the 23.4 release?

*** /a/simple.el        2012-01-08 22:29:04.904878400 -0800
--- /b/simple.el        2012-01-08 22:29:18.867504900 -0800
***************
*** 6660,6665 ****
--- 6660,6667 ----
               (display-warning package (nth 3 list) :warning)))
      (error nil)))

+ (put 'lexical-binding 'safe-local-variable t)
+
  (mapc (lambda (elem)
          (eval-after-load (car elem) `(bad-package-check ',(car elem))))
        bad-packages-alist)

signature.asc
Description: OpenPGP digital signature