Date: Wed, 11 Jan 2012 18:32:22 +0100
From: David Engster <deng@...domsample.de>
To: Chong Yidong <cyd@....org>
Cc: Kurt Seifried <kseifried@...hat.com>, oss-security@...ts.openwall.com, ulm@...too.org, "Steven M. Christey" <coley@...us.mitre.org>, "Eric M. Ludlam" <eric@...ge-engine.com>
Subject: Re: CVE Request: CEDET/Emacs global-ede-mode file loading vulnerability

Chong Yidong writes:
> Kurt Seifried <kseifried@...hat.com> writes:
>
>> I'll assign this a CVE once I have determined the code base status (are
>> these considered the same codebase, or have they forked enough to be
>> considered separate code bases? Also I need to ensure this hasn't
>> already been assigned a CVE. CC'ing relevant developers as well.
>
> No, this hasn't already been assigned a CVE. The upstream CEDET 1.0 is
> largely the same codebase as the CEDET distributed in Emacs. The
> version in Emacs omits some CEDET components, and added some plumbing to
> integrate CEDET into the Emacs build system. But the main part of the
> Emacs Lisp code, including the part affected by this flaw, is the same.
>
> David, could you write up a version of the fix that applies to the CEDET
> 1.0 tarball? I think distributors who package CEDET will want it.

A patch for cedet-1.0 was posted here:

http://sourceforge.net/mailarchive/forum.php?thread_name=87lipg3dw5.fsf%40engster.org&forum_name=cedet-devel

In the meantime, Eric published a bugfix-release cedet-1.0.1, so
distributors should upgrade to that.

-David