Security advisory?

Security advisory?

[Chong Yidong]

I notice that Mandriva has announced a security advisory for Emacs
21.4, because "a vulnerability in emacs was discovered where it would
crash when processing certain types of images."  This bug is being
files as a DoS (denial of service) vulnerability:

http://www.securityfocus.com/archive/1/471992/30/0/threaded

Does anyone know what the heck this is about?

Over the course of the Emacs 22 release cycle, we have accumulated
literally hundreds of ways to crash Emacs 21.4, some more esoteric
than others.  These are fixed in Emacs 22, not Emacs 21, so if anyone
wanted to, he or she could go through the emacs-devel archives for the
last couple of years, locate these crasher bugs, and file hundreds of
these "security advisories".  So it seems peculiar for this vendor to
single out one particular bug.

IMO, calling a bug that causes Emacs to crash a "denial of service
vulnerability" is little more than a silly example of
computer-security imperialism.

Re: Security advisory?

[Glenn Morris]

Chong Yidong wrote:

> http://www.securityfocus.com/archive/1/471992/30/0/threaded
>
> Does anyone know what the heck this is about?

It links to a debian bug report, which is more informative:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=408929

I think they call it a "denial of service" because it occurred in the
VM mail reader (not part of Emacs, of course), when viewing a spam
mail with a malformed image. So someone could email you an image that
would crash Emacs. I don't know if gnus, rmail, or mh-e automatically
display images; I suspect not.

Re: Security advisory?

[Thien-Thi Nguyen]

() Chong Yidong <cyd@stupidchicken.com>
() Fri, 22 Jun 2007 16:25:45 -0400

   a silly example of
   computer-security imperialism.

don't you mean "computer-security imperilism"?  :-P
(i agree about it being silly, regardless.)

thi

Automatic display of images (was: Security advisory?)

[Reiner Steib]

On Fri, Jun 22 2007, Glenn Morris wrote:

> I think they call it a "denial of service" because it occurred in the
> VM mail reader (not part of Emacs, of course), when viewing a spam
> mail with a malformed image. So someone could email you an image that
> would crash Emacs. I don't know if gnus, rmail, or mh-e automatically
> display images; I suspect not.

Gnus does display images automatically.  But we have been through this
discussion before in February in the thread "Image mode"...

,----[ http://article.gmane.org/gmane.emacs.devel/66004 ]
| From: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
| Subject: Re: Image mode
| Newsgroups: gmane.emacs.devel
| Date: 2007-02-06 10:53:50 GMT
| 
| Richard Stallman <rms <at> gnu.org> writes:
| 
| >     In contrast, if someone sends me a JPEG image in an email, Gnus
| >     will happily show it to me without asking (at least with the
| >     settings I'm using).  So where's the protection in that case?
| >
| > Should we consider that a bug in Gnus?
| > (I don't know what the answer is.)
| 
| Switching image display off in a mail reader is like switching it off
| in a web browser.  Does Firefox query the user before displaying an
| image?  "Warning!  The web page you're browsing contains an image!
| Image libraries are sometimes prone to buffer overflows!  Do you
| really wish to expose yourself to this danger!!1!?"
| 
| Warning users about something that's almost certainly not dangerous is
| a huge security risk in itself, because you're inuring the users to
| warnings.  The user will answer "Yeah, whatever" when being bothered
| with these things, and then when Emacs asks the user "Are you sure you
| wish to do an rm -rf?" (or whatever the genuinely dangerous thing it
| is), they won't bother to read the warning. 
`----

Richard replied:

,----
| From: Richard Stallman <rms <at> gnu.org>
| Subject: Re: Image mode
| Newsgroups: gmane.emacs.devel
| Date: 2007-02-06 23:16:17 GMT
| 
|     Switching image display off in a mail reader is like switching it off
|     in a web browser.  Does Firefox query the user before displaying an
|     image?  "Warning!  The web page you're browsing contains an image!
|     Image libraries are sometimes prone to buffer overflows!  Do you
|     really wish to expose yourself to this danger!!1!?"
| 
| If this argument is valid for Gnus, it seems just as valid for
| visiting a file directly with Emacs.
| 
| To the extent that image libraries have bugs, there will be some level
| of danger in viewing images with Emacs.  That danger will obtain
| regardless of whether the image files have expected image extensions.
| It doesn't go away just because the JPG is in a file called foo.jpg.
| 
| Lars' argument seems to show that we just have to live with it.
`----

Bye, Reiner.
-- 
       ,,,
      (o o)
---ooO-(_)-Ooo---  |  PGP key available  |  http://rsteib.home.pages.de/