Re: Request to backport fix for CVE-2022-45939 to Emacs 28

unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed

From: Robert Pluim <rpluim@gmail.com>
To: Tim Cross <theophilusx@gmail.com>
Cc: Eli Zaretskii <eliz@gnu.org>,  lux <lx@shellcodes.org>,
	comms@dabrev.com,  emacs-devel@gnu.org
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Wed, 15 Feb 2023 09:32:04 +0100	[thread overview]
Message-ID: <87edqrpbwb.fsf@gmail.com> (raw)
In-Reply-To: <86ttzougu2.fsf@gmail.com> (Tim Cross's message of "Wed, 15 Feb 2023 07:10:58 +1100")

>>>>> On Wed, 15 Feb 2023 07:10:58 +1100, Tim Cross <theophilusx@gmail.com> said:

    Tim> Eli Zaretskii <eliz@gnu.org> writes:

    >>> From: lux <lx@shellcodes.org>
    >>> Cc: emacs-devel@gnu.org
    >>> Date: Tue, 14 Feb 2023 13:07:44 +0800
    >>> 
    >>> Hi, I can fix the CVE-2022-45939, this is a patch.
    >> 
    >> We don't need a patch for that, we just need to cherry-pick the
    >> related commits from emacs-29.
    >> 
    >> But that is not what the OP requested: he requested that we also
    >> produce an Emacs 28.3 release.  And that is a much larger job, for
    >> which we currently don't have the time or resources.

    Tim> While I understand the resourcing issues, I think this is the wrong
    Tim> decision. We are in the situation where the current released version of
    Tim> Emacs has a known security exploit with a severity classification of
    Tim> high (although this assessment seems to be under review) and the
    Tim> response seems to be "Sorry, we are too busy trying to get the next
    Tim> version released to deal with this". If we were actually close to an
    Tim> Emacs 29 release, then perhaps this would be reasonable, but we don't
    Tim> even have a release candidate out yet.

The exploit is severe, in the sense that a car with faulty brakes is
dangerous: if you donʼt drive the car, there is no danger.
Uninstalling the emacs version of ctags/etags is enough to mitigate
this.

    Tim> Failing to address a high security vulnerability for months is a
    Tim> disservice for the emacs user base and likely to be a blight on Emacs'
    Tim> reputation and only provides those against free software with free
    Tim> ammunition. In addition to the technical aspects of a security
    Tim> vulnerability, perception is just as important. While the specific
    Tim> technical aspects of this vulnerability would seem to indicate only a
    Tim> subset of etags users are actually exposed to this risk, such detail is
    Tim> likely to be lost amongst the FUD which tends to accompany security
    Tim> issues. 

Yes, the FUD issue (and the associated hysteria from corporate IT
departments) is all too true (plus how many people run ctags or etags
as a privileged user?).

We *could* rush out a 28.3 release, I guess, given that thereʼs only
one actual non-doc change on the branch, but then again: how is that
any better than downstream just adding the CVE fix to their builds?

Robert
--

next prev parent reply	other threads:[~2023-02-15  8:32 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <85f35c42-cfe8-44a7-a9c1-307acc5c17d4@Spark>
2023-02-13 18:15 ` Request to backport fix for CVE-2022-45939 to Emacs 28 Troy Hinckley
2023-02-13 20:47   ` Eli Zaretskii
2023-02-14  5:07     ` lux
2023-02-14 13:19       ` Eli Zaretskii
2023-02-14 16:09         ` Troy Hinckley
2023-02-14 17:04           ` Eli Zaretskii
2023-02-17  1:44           ` Lynn Winebarger
2023-02-17  2:35             ` lux
2023-02-14 20:10         ` Tim Cross
2023-02-15  8:32           ` Robert Pluim [this message]
2023-02-18  4:19             ` Richard Stallman
2023-02-15 12:28           ` Eli Zaretskii
2023-02-16 17:50           ` Richard Stallman
2023-02-16 20:02             ` Eli Zaretskii
2023-02-16 20:41               ` Jim Porter
2023-02-16 20:52                 ` Eli Zaretskii
2023-02-17 10:26               ` Stefan Kangas
2023-02-17 10:38                 ` Robert Pluim
2023-02-17 12:33                 ` Eli Zaretskii
2023-02-17 14:01                   ` Stefan Kangas
2023-02-17 17:37                     ` lux
2023-02-18  6:54                     ` lux
2023-02-19 20:33                     ` Corwin Brust
2023-02-21 14:54                 ` Michael Albinus
2023-02-19  4:47               ` Richard Stallman
2023-02-19  7:05                 ` Eli Zaretskii
2023-02-14  8:13     ` Robert Pluim

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87edqrpbwb.fsf@gmail.com \
    --to=rpluim@gmail.com \
    --cc=comms@dabrev.com \
    --cc=eliz@gnu.org \
    --cc=emacs-devel@gnu.org \
    --cc=lx@shellcodes.org \
    --cc=theophilusx@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).