From: Eli Zaretskii
Newsgroups: gmane.emacs.devel
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Mon, 13 Feb 2023 22:47:07 +0200
Message-ID: <83sff9e1is.fsf@gnu.org>
In-Reply-To: <09998122-0110-454f-94d1-e29c37b833f4@Spark> (message from Troy Hinckley on Mon, 13 Feb 2023 12:15:50 -0600)
To: Troy Hinckley
Cc: emacs-devel@gnu.org

> Date: Mon, 13 Feb 2023 12:15:50 -0600
> From: Troy Hinckley
>
> My company will not allow an install of Emacs 28 due to CVE-2022-45939. There is a patch for this in the
> master branch, but it did not make it in time for Emacs 28.2. We have many Emacs users who would like to
> upgrade to 28. What would be the effort to back port this fix and do an Emacs 28.3 release?

Unfortunately, we don't have the resources to produce another v28.x release. Emacs 29.1 will start its pretest soon, and will have this issue resolved when it is released, hopefully in a couple of months.

Alternatively, you could ask the distro which you are using (if you are using a distro) to backport that patch to the Emacs 28 codebase. Or patch the sources yourself and build Emacs, if that is how you produce the binaries.