reinit the tree, so we can have metadata

1 files changed, 90 insertions, 0 deletions

diff --git a/metadata/glsa/glsa-200902-06.xml b/metadata/glsa/glsa-200902-06.xml
new file mode 100644
index 000000000000..90c11e521482
--- /dev/null
+++ b/metadata/glsa/glsa-200902-06.xml
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="200902-06">
+  <title>GNU Emacs, XEmacs: Multiple vulnerabilities</title>
+  <synopsis>
+    Two vulnerabilities were found in GNU Emacs, possibly leading to
+    user-assisted execution of arbitrary code. One also affects edit-utils in
+    XEmacs.
+  </synopsis>
+  <product type="ebuild">emacs edit-utils</product>
+  <announced>2009-02-23</announced>
+  <revised>2009-02-23: 01</revised>
+  <bug>221197</bug>
+  <bug>236498</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-editors/emacs" auto="yes" arch="*">
+      <unaffected range="ge">22.2-r3</unaffected>
+      <unaffected range="rge">21.4-r17</unaffected>
+      <unaffected range="lt">19</unaffected>
+      <vulnerable range="lt">22.2-r3</vulnerable>
+    </package>
+    <package name="app-xemacs/edit-utils" auto="yes" arch="*">
+      <unaffected range="ge">2.39</unaffected>
+      <vulnerable range="lt">2.39</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>
+    GNU Emacs and XEmacs are highly extensible and customizable text
+    editors. edit-utils are miscellaneous extensions to XEmacs.
+    </p>
+  </background>
+  <description>
+    <p>
+    Morten Welinder reports about GNU Emacs and edit-utils in XEmacs: By
+    shipping a .flc accompanying a source file (.c for example) and setting
+    font-lock-support-mode to fast-lock-mode in the source file through
+    local variables, any Lisp code in the .flc file is executed without
+    warning (CVE-2008-2142).
+    </p>
+    <p>
+    Romain Francoise reported a security risk in a feature of GNU Emacs
+    related to interacting with Python. The vulnerability arises because
+    Python, by default, prepends the current directory to the module search
+    path, allowing for arbitrary code execution when launched from a
+    specially crafted directory (CVE-2008-3949).
+    </p>
+  </description>
+  <impact type="normal">
+    <p>
+    Remote attackers could entice a user to open a specially crafted file
+    in GNU Emacs, possibly leading to the execution of arbitrary Emacs Lisp
+    code or arbitrary Python code with the privileges of the user running
+    GNU Emacs or XEmacs.
+    </p>
+  </impact>
+  <workaround>
+    <p>
+    There is no known workaround at this time.
+    </p>
+  </workaround>
+  <resolution>
+    <p>
+    All GNU Emacs users should upgrade to the latest version:
+    </p>
+    <code>
+    # emerge --sync
+    # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-22.2-r3"</code>
+    <p>
+    All edit-utils users should upgrade to the latest version:
+    </p>
+    <code>
+    # emerge --sync
+    # emerge --ask --oneshot --verbose "&gt;=app-xemacs/edit-utils-2.39"</code>
+  </resolution>
+  <references>
+    <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2142">CVE-2008-2142</uri>
+    <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3949">CVE-2008-3949</uri>
+  </references>
+  <metadata tag="requester" timestamp="2008-07-06T22:12:00Z">
+    rbu
+  </metadata>
+  <metadata tag="bugReady" timestamp="2008-07-12T19:44:28Z">
+    vorlon
+  </metadata>
+  <metadata tag="submitter" timestamp="2009-02-09T22:47:35Z">
+    p-y
+  </metadata>
+</glsa>