Date: Wed, 11 Jan 2012 18:32:22 +0100
From: David Engster <deng@...domsample.de>
To: Chong Yidong <cyd@....org>
Cc: Kurt Seifried <kseifried@...hat.com>,  oss-security@...ts.openwall.com,  ulm@...too.org,  "Steven M. Christey" <coley@...us.mitre.org>, "Eric M. Ludlam" <eric@...ge-engine.com>
Subject: Re: CVE Request: CEDET/Emacs global-ede-mode file loading vulnerability

Chong Yidong writes:
> Kurt Seifried <kseifried@...hat.com> writes:
>
>> I'll assign this a CVE once I have determined the code base status (are
>> these considered the same codebase, or have they forked enough to be
>> considered separate code bases?) Also I need to ensure this hasn't
>> already been assigned a CVE. CC'ing relevant developers as well.
>
> No, this hasn't already been assigned a CVE.  The upstream CEDET 1.0 is
> largely the same codebase as the CEDET distributed in Emacs.  The
> version in Emacs omits some CEDET components, and added some plumbing to
> integrate CEDET into the Emacs build system.  But the main part of the
> Emacs Lisp code, including the part affected by this flaw, is the same.
>
> David, could you write up a version of the fix that applies to the CEDET
> 1.0 tarball?  I think distributors who package CEDET will want it.

A patch for cedet-1.0 was posted here:

http://sourceforge.net/mailarchive/forum.php?thread_name=87lipg3dw5.fsf%40engster.org&forum_name=cedet-devel

In the meantime, Eric published a bugfix-release cedet-1.0.1, so
distributors should upgrade to that.

-David
