From: Troy Hinckley
Newsgroups: gmane.emacs.devel
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Tue, 14 Feb 2023 10:09:43 -0600
Message-ID: <1a08b002-890e-40dc-9ff1-35f61d8c5e41@Spark>
In-Reply-To: <838rh0e64j.fsf@gnu.org>
To: lux, Eli Zaretskii
Cc: emacs-devel@gnu.org

If the commit was cherry picked to the emacs-28 branch, does that mean it’s just unreleased changes for Emacs 28? We are building from source, so that might be enough. I didn’t realize cutting a release was high effort.

On Feb 14, 2023 at 7:20 AM -0600, Eli Zaretskii <eliz@gnu.org>, wrote:
> > From: lux <lx@shellcodes.org>
> > Cc: emacs-devel@gnu.org
> > Date: Tue, 14 Feb 2023 13:07:44 +0800
> >
> > Hi, I can fix the CVE-2022-45939, this is a patch.
>
> We don't need a patch for that, we just need to cherry-pick the
> related commits from emacs-29.
>
> But that is not what the OP requested: he requested that we also
> produce an Emacs 28.3 release. And that is a much larger job, for
> which we currently don't have the time or resources.