Fix CVE-2012-3479:

When the Emacs user option `enable-local-variables' is set to `:safe'
(the default value is t), Emacs should automatically refuse to evaluate
`eval' forms in file-local variable sections.  Due to the bug, Emacs
instead automatically evaluates such `eval' forms.  Thus, if the user
changes the value of `enable-local-variables' to `:safe', visiting a
malicious file can cause automatic execution of arbitrary Emacs Lisp
code with the permissions of the user.

Bug tracker ref: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155

3 files changed, 41 insertions, 3 deletions

diff --git a/editors/emacs/Makefile b/editors/emacs/Makefile
index 9392286da8e..3286cf1f676 100644
--- a/editors/emacs/Makefile
+++ b/editors/emacs/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.145 2012/06/14 07:44:37 sbd Exp $
+# $NetBSD: Makefile,v 1.146 2012/08/13 06:53:06 wiz Exp $
 
 CONFLICTS+=	emacs-nox11-[0-9]*
 
 .include "../../editors/emacs/Makefile.common"
-PKGREVISION=	3
+PKGREVISION=	4
 
 .include "options.mk"
 
diff --git a/editors/emacs/distinfo b/editors/emacs/distinfo
index 03158c96150..35d1d1811ec 100644
--- a/editors/emacs/distinfo
+++ b/editors/emacs/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.57 2012/05/09 09:30:07 wiz Exp $
+$NetBSD: distinfo,v 1.58 2012/08/13 06:53:06 wiz Exp $
 
 SHA1 (emacs-23.4.tar.gz) = 0a78466fff52d1f43c0db0ea66651a0b13b7e473
 RMD160 (emacs-23.4.tar.gz) = 5fb7e4cd4270a524b8723ad86a145a0e47336bf7
@@ -9,6 +9,7 @@ SHA1 (patch-ad) = e37f73048273801b8fd330d6897346b1f6e55fe9
 SHA1 (patch-ae) = 116394051b3e2f4220ff5a3de3402923857940b9
 SHA1 (patch-ag) = f462ad22762469360d90060afbc73e660e9f7db5
 SHA1 (patch-bf) = 9ff58581e7b9c865397729169fadd3baecc4a1e3
+SHA1 (patch-lisp_files.el) = e10c6949029ca7933ea632693843a911b7e010c2
 SHA1 (patch-src_config.in) = c1f7b608dc49da704571a71f96067a0ffac01df9
 SHA1 (patch-src_m_amdx86-64.h) = 0928f4e80c456e5b94a74cfeb3589e411a134507
 SHA1 (patch-src_xgselect.c) = 4a0b246eae2e43fc1e544210fc97c0170e3cffdc
diff --git a/editors/emacs/patches/patch-lisp_files.el b/editors/emacs/patches/patch-lisp_files.el
new file mode 100644
index 00000000000..75cdfb55938
--- /dev/null
+++ b/editors/emacs/patches/patch-lisp_files.el
@@ -0,0 +1,37 @@
+$NetBSD: patch-lisp_files.el,v 1.1 2012/08/13 06:53:06 wiz Exp $
+
+CVE-2012-3479:
+When the Emacs user option `enable-local-variables' is set to `:safe'
+(the default value is t), Emacs should automatically refuse to evaluate
+`eval' forms in file-local variable sections.  Due to the bug, Emacs
+instead automatically evaluates such `eval' forms.  Thus, if the user
+changes the value of `enable-local-variables' to `:safe', visiting a
+malicious file can cause automatic execution of arbitrary Emacs Lisp
+code with the permissions of the user.
+
+Bug tracker ref: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
+
+--- lisp/files.el.orig	2012-01-11 12:35:01.000000000 +0000
++++ lisp/files.el
+@@ -2986,11 +2986,16 @@ DIR-NAME is a directory name if these se
+ 	      ;; Obey `enable-local-eval'.
+ 	      ((eq var 'eval)
+ 	       (when enable-local-eval
+-		 (push elt all-vars)
+-		 (or (eq enable-local-eval t)
+-		     (hack-one-local-variable-eval-safep (eval (quote val)))
+-		     (safe-local-variable-p var val)
+-		     (push elt unsafe-vars))))
++		 (let ((safe (or (hack-one-local-variable-eval-safep
++				  (eval (quote val)))
++				 ;; In case previously marked safe (bug#5636).
++				 (safe-local-variable-p var val))))
++		   ;; If not safe and e-l-v = :safe, ignore totally.
++		   (when (or safe (not (eq enable-local-variables :safe)))
++		     (push elt all-vars)
++		     (or (eq enable-local-eval t)
++			 safe
++			 (push elt unsafe-vars))))))
+ 	      ;; Ignore duplicates (except `mode') in the present list.
+ 	      ((and (assq var all-vars) (not (eq var 'mode))) nil)
+ 	      ;; Accept known-safe variables.