From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#66245: [PATCH] ; Silence macOS 14 warning
Date: Thu, 28 Sep 2023 15:16:21 -0700
To: Alan Third, Eshel Yaron
Cc: 66245@debbugs.gnu.org

Alan Third writes:

> Eli, Stefan, any thoughts? Does this look bad enough to force a new
> Emacs 29 release?
>
> The link with the in-depth explanation again:
>
> https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/

Let's see if I understand this right. Without this code, are we
enabling malicious processes to escape the macOS sandbox, and gain the
same privileges as the Emacs process?

It is presumably easy for some malware to just test all processes on
the machine until one is found to be vulnerable, right? So they don't
have to specifically target Emacs?

The full exploit chain there is not very easy to understand, but it
seems like several techniques are used for some of the more nasty
stuff, and some of the steps have been fixed already. There can be
other ways to do the same thing of course.

So I'm not sure what to say about the urgency of fixing this; it could
be urgent, or it could wait until 29.2. What is your view?

Another thing. The link says:

    Nevertheless, if you write an Objective-C application, please make
    sure you add -applicationSupportsSecureRestorableState: to return
    TRUE and to adapt secure coding for all classes used for your
    saved states!

Do we use "secure coding for all classes used for saved states", or
does that also need to be fixed?

BTW, any idea why we're only hearing about it now?
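
The two steps named in the recommendation quoted above, shown as an added example that is not part of this message, the patch under discussion, or the Emacs sources. ExampleAppDelegate, ExampleWindowState and round_trip are hypothetical names; the code assumes ARC and a macOS SDK that declares the delegate method.

```objc
// Added illustration; all class and function names here are hypothetical.
#import <Cocoa/Cocoa.h>

@interface ExampleAppDelegate : NSObject <NSApplicationDelegate>
@end

@implementation ExampleAppDelegate
// Step 1: declare that the application's saved state is restored
// with secure coding.
- (BOOL)applicationSupportsSecureRestorableState:(NSApplication *)app
{
  return YES;
}
@end

// Step 2: every class stored in the saved state adopts NSSecureCoding.
@interface ExampleWindowState : NSObject <NSSecureCoding>
@property (copy) NSString *title;
@property NSInteger columns;
@end

@implementation ExampleWindowState
+ (BOOL)supportsSecureCoding { return YES; }

- (void)encodeWithCoder:(NSCoder *)coder
{
  [coder encodeObject:self.title forKey:@"title"];
  [coder encodeInteger:self.columns forKey:@"columns"];
}

- (instancetype)initWithCoder:(NSCoder *)coder
{
  if ((self = [super init])) {
    // Name the expected class explicitly: an archive carrying a
    // different class under this key fails to decode.
    _title = [[coder decodeObjectOfClass:[NSString class]
                                  forKey:@"title"] copy];
    _columns = [coder decodeIntegerForKey:@"columns"];
  }
  return self;
}
@end

// Archive and restore with secure coding required on both sides.
static ExampleWindowState *round_trip(ExampleWindowState *s, NSError **err)
{
  NSData *d = [NSKeyedArchiver archivedDataWithRootObject:s
                                    requiringSecureCoding:YES error:err];
  return d ? [NSKeyedUnarchiver unarchivedObjectOfClass:[ExampleWindowState class]
                                               fromData:d error:err] : nil;
}
```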