From: Po Lu
Newsgroups: gmane.emacs.devel
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 18:29:21 +0800
Message-ID: <87a60no7su.fsf@yahoo.com>
To: Ulrich Mueller
Cc: emacs-devel@gnu.org

Ulrich Mueller writes:

>>>>>> On Wed, 08 Mar 2023, Po Lu wrote:
>
>> For it to be a vulnerability, you will have to click such mailto URIs in
>> your web browser without first reading them, and some nasty person will
>> have to specifically create URIs that run insidious Emacs Lisp code.
>
>> How about something simpler: one can copy a command to download malware
>> from the Internet, then paste it into a shell buffer. Let's remove a
>> serious command injection vulnerability, ``M-x shell'', from Emacs 29!
>> While we're at it, how about `interprogram-paste-function' as well?
>
> No, it doesn't work that way. :) When it comes to vulnerabilities, it is
> all about expectations.
>
> If I execute a program (shell code, binary, etc.) that I find somewhere
> in the Internet, then I know that it will execute some code, and that I
> must trust its source that it doesn't do anything malicious.
>
> OTOH, I don't have that expectation when I click on a mailto hyperlink.

Before you click a hyperlink, the URL to which it points pops up on the
lower left corner. You have every opportunity to see that it doesn't do
anything nasty.

And again, you're already making the very brazen assumption that some
nasty person out there stands ready to take advantage of this bug.

Please, fix this so it works without bash, or remove it from emacs-29.
Once the pretest comes out, I plan to ask many coworkers to try it out.
Many of their systems use the Korn shell and do not have bash.