GNU bug report logs - #37656
27.0.50; Arbitrary code execution with special `mode:'

Package: emacs;

Reported by: adam plaice <plaice.adam+lists <at> gmail.com>

Date: Tue, 8 Oct 2019 08:49:02 UTC

Severity: normal

Tags: security

Found in version 27.0.50

Fixed in version 30.1

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.


Message #35 received at 37656 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Stefan Kangas <stefan <at> marxist.se>
Cc: 37656 <at> debbugs.gnu.org, plaice.adam+lists <at> gmail.com
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Date: Wed, 16 Oct 2019 10:58:06 +0300

> From: Stefan Kangas <stefan <at> marxist.se>
> Date: Wed, 16 Oct 2019 01:17:51 +0200
> Cc: 37656 <at> debbugs.gnu.org, Emacs developers <emacs-devel <at> gnu.org>
> 
> The "multiple mode specification feature" dates back to:
> 9fa7bfe524 1993-09-11 Richard M. Stallman
>     (hack-local-variables-prop-line): Ignore any specification
>     for `mode:', since set-auto-mode has already handled it.
>     (set-auto-mode): Clean up.  Handle more than one `mode:' spec in -*-.
> 
> The code that my proposed patch changes has stayed untouched since
> this 1993 commit.  If we agree that disabling this feature is the
> solution here, a backported security fix should therefore hopefully be
> a one liner all the way back to version 22.1.

This feature was described as "deprecated", but where and why did we
deprecate it?




This bug report was last modified 126 days ago.
