From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Wed, 15 Feb 2023 07:10:58 +1100
Message-ID: <86ttzougu2.fsf@gmail.com>
In-reply-to: <838rh0e64j.fsf@gnu.org>
To: Eli Zaretskii
Cc: lux, comms@dabrev.com, emacs-devel@gnu.org

Eli Zaretskii writes:

>> From: lux
>> Cc: emacs-devel@gnu.org
>> Date: Tue, 14 Feb 2023 13:07:44 +0800
>>
>> Hi, I can fix the CVE-2022-45939, this is a patch.
>
> We don't need a patch for that, we just need to cherry-pick the
> related commits from emacs-29.
>
> But that is not what the OP requested: he requested that we also
> produce an Emacs 28.3 release. And that is a much larger job, for
> which we currently don't have the time or resources.

While I understand the resourcing issues, I think this is the wrong decision. We are in the situation where the current released version of Emacs has a known security exploit with a severity classification of high (although this assessment seems to be under review) and the response seems to be "Sorry, we are too busy trying to get the next version released to deal with this".
If we were actually close to an Emacs 29 release, then perhaps this would be reasonable, but we don't even have a release candidate out yet. Failing to address a high security vulnerability for months is a disservice to the Emacs user base and likely to be a blight on Emacs' reputation, and only provides those against free software with free ammunition.

In addition to the technical aspects of a security vulnerability, perception is just as important. While the specific technical aspects of this vulnerability would seem to indicate only a subset of etags users are actually exposed to this risk, such detail is likely to be lost amongst the FUD which tends to accompany security issues.