From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Chong Yidong <cyd@stupidchicken.com>
Newsgroups: gmane.emacs.devel
Subject: Security advisory?
Date: Fri, 22 Jun 2007 16:25:45 -0400
Message-ID: <87fy4j7n3q.fsf@stupidchicken.com>
To: emacs-devel@gnu.org
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/73656>

I notice that Mandriva has announced a security advisory for Emacs
21.4, because "a vulnerability in emacs was discovered where it would
crash when processing certain types of images."  This bug is being
filed as a DoS (denial of service) vulnerability:

http://www.securityfocus.com/archive/1/471992/30/0/threaded

Does anyone know what the heck this is about?

Over the course of the Emacs 22 release cycle, we have accumulated
literally hundreds of ways to crash Emacs 21.4, some more esoteric
than others.  These are fixed in Emacs 22, not Emacs 21, so if anyone
wanted to, he or she could go through the emacs-devel archives for the
last couple of years, locate these crasher bugs, and file hundreds of
these "security advisories".  So it seems peculiar for this vendor to
single out one particular bug.

IMO, calling a bug that causes Emacs to crash a "denial of service
vulnerability" is little more than a silly example of
computer-security imperialism.