From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Mon, 09 Oct 2023 14:04:37 +0300
Message-ID: <83ttr0vyyi.fsf@gnu.org>
To: rms@gnu.org
Cc: manikulin@gmail.com, 66390@debbugs.gnu.org, michael.albinus@gmx.de

> From: Richard Stallman
> Cc: michael.albinus@gmx.de, manikulin@gmail.com, 66390@debbugs.gnu.org
> Date: Sun, 08 Oct 2023 22:36:39 -0400
>
> > We can do something, just not the way it was suggested: avoid using
> > the shell.
>
> I wonder: do we need to backport this fix to old Emacs versions that we
> do not normally maintain at all, because of the insecurity?

We don't retrofit fixes into old branches of Emacs that are no longer
developed; we leave that to the distros (who maintain old Emacs
versions for many more years than we do). At this time, this means
only Emacs 29.x and newer can get such fixes, but not older versions.

(Btw, there's no fix yet, just discussions about what would be the
most appropriate fix.)