* release bugs [was Re: Processed: enriched.el code execution] [not found] ` <handler.s.C.150463767313430.transcript@debbugs.gnu.org> @ 2017-09-06 6:40 ` Glenn Morris 2017-09-06 9:41 ` John Wiegley 2017-09-06 16:12 ` Eli Zaretskii 0 siblings, 2 replies; 19+ messages in thread From: Glenn Morris @ 2017-09-06 6:40 UTC (permalink / raw) To: Eli Zaretskii; +Cc: emacs-devel Re https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350;msg=13 Eli Zaretskii wrote: > unblock 24655 by 28350 I'm surprised that you don't want to motivate people to fix security vulnerabilities for the next release. Anyway, I'll stop adding to list of release bugs, since it feels unproductive. (FTR, no-one else has added anything in the past six months.) ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-06 6:40 ` release bugs [was Re: Processed: enriched.el code execution] Glenn Morris @ 2017-09-06 9:41 ` John Wiegley 2017-09-06 10:00 ` Sven Joachim 2017-09-06 16:12 ` Eli Zaretskii 1 sibling, 1 reply; 19+ messages in thread From: John Wiegley @ 2017-09-06 9:41 UTC (permalink / raw) To: Glenn Morris; +Cc: Eli Zaretskii, emacs-devel >>>>> "GM" == Glenn Morris <rgm@gnu.org> writes: GM> I'm surprised that you don't want to motivate people to fix security GM> vulnerabilities for the next release. Which security issues do you consider particularly awful? -- John Wiegley GPG fingerprint = 4710 CF98 AF9B 327B B80F http://newartisans.com 60E1 46C4 BD1A 7AC1 4BA2 ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-06 9:41 ` John Wiegley @ 2017-09-06 10:00 ` Sven Joachim 2017-09-06 10:13 ` John Wiegley 2017-09-07 4:03 ` Richard Stallman 0 siblings, 2 replies; 19+ messages in thread From: Sven Joachim @ 2017-09-06 10:00 UTC (permalink / raw) To: emacs-devel; +Cc: Glenn Morris, Eli Zaretskii On 2017-09-06 10:41 +0100, John Wiegley wrote: >>>>>> "GM" == Glenn Morris <rgm@gnu.org> writes: > > GM> I'm surprised that you don't want to motivate people to fix security > GM> vulnerabilities for the next release. > > Which security issues do you consider particularly awful? Well, #28350 looks pretty awful considering that the code execution happens when you visit a mail attachment, for instance. Has anyone requested a CVE for this yet, BTW? Cheers, Sven ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-06 10:00 ` Sven Joachim @ 2017-09-06 10:13 ` John Wiegley 2017-09-07 4:03 ` Richard Stallman 1 sibling, 0 replies; 19+ messages in thread From: John Wiegley @ 2017-09-06 10:13 UTC (permalink / raw) To: Sven Joachim; +Cc: Glenn Morris, Eli Zaretskii, emacs-devel >>>>> "SJ" == Sven Joachim <svenjoac@gmx.de> writes: SJ> Well, #28350 looks pretty awful considering that the code execution SJ> happens when you visit a mail attachment, for instance. Has anyone SJ> requested a CVE for this yet, BTW? I'm not aware of a CVE, but the reporter has said he'll be committing a fix shortly. -- John Wiegley GPG fingerprint = 4710 CF98 AF9B 327B B80F http://newartisans.com 60E1 46C4 BD1A 7AC1 4BA2 ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-06 10:00 ` Sven Joachim 2017-09-06 10:13 ` John Wiegley @ 2017-09-07 4:03 ` Richard Stallman 2017-09-07 14:43 ` Eli Zaretskii 1 sibling, 1 reply; 19+ messages in thread From: Richard Stallman @ 2017-09-07 4:03 UTC (permalink / raw) To: Sven Joachim; +Cc: rgm, eliz, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > Well, #28350 looks pretty awful considering that the code execution > happens when you visit a mail attachment, for instance. Indeed, that kind of bug is a terrible one. We must not make a release with such a bug. -- Dr Richard Stallman President, Free Software Foundation (gnu.org, fsf.org) Internet Hall-of-Famer (internethalloffame.org) Skype: No way! See stallman.org/skype.html. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-07 4:03 ` Richard Stallman @ 2017-09-07 14:43 ` Eli Zaretskii 0 siblings, 0 replies; 19+ messages in thread From: Eli Zaretskii @ 2017-09-07 14:43 UTC (permalink / raw) To: rms; +Cc: rgm, svenjoac, emacs-devel > From: Richard Stallman <rms@gnu.org> > CC: emacs-devel@gnu.org, rgm@gnu.org, eliz@gnu.org > Date: Thu, 07 Sep 2017 00:03:09 -0400 > > > Well, #28350 looks pretty awful considering that the code execution > > happens when you visit a mail attachment, for instance. > > Indeed, that kind of bug is a terrible one. > We must not make a release with such a bug. The person who discovered this is working on a fix, so we should be fine. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-06 6:40 ` release bugs [was Re: Processed: enriched.el code execution] Glenn Morris 2017-09-06 9:41 ` John Wiegley @ 2017-09-06 16:12 ` Eli Zaretskii 2017-09-07 6:30 ` Paul Eggert 1 sibling, 1 reply; 19+ messages in thread From: Eli Zaretskii @ 2017-09-06 16:12 UTC (permalink / raw) To: Glenn Morris; +Cc: emacs-devel > From: Glenn Morris <rgm@gnu.org> > Cc: emacs-devel@gnu.org > Date: Wed, 06 Sep 2017 02:40:05 -0400 > > > I'm surprised that you don't want to motivate people to fix security > vulnerabilities for the next release. I do, I just don't see how can I justify delaying a release due to an issue that was with us since 1999. > Anyway, I'll stop adding to list of release bugs, since it feels unproductive. It isn't unproductive, and I appreciate it very much that you are doing it. I just wish you'd do it publicly, at least in controversial cases such as this one. Or maybe we could discuss the criteria for blocking bugs, and if agreed, no further discussions would be necessary. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-06 16:12 ` Eli Zaretskii @ 2017-09-07 6:30 ` Paul Eggert 2017-09-07 13:11 ` John Wiegley ` (2 more replies) 0 siblings, 3 replies; 19+ messages in thread From: Paul Eggert @ 2017-09-07 6:30 UTC (permalink / raw) To: Eli Zaretskii, Glenn Morris; +Cc: emacs-devel Eli Zaretskii wrote: > Or maybe we could discuss the criteria for blocking bugs, and if > agreed, no further discussions would be necessary. This particular bug involved remote code execution by visiting an email attachment. Any security hole this serious should be blocking. It doesn't matter that the bug has been around for a while, as the bug is known now and is likely to be exploited by anyone who cares to attack Emacs users. I'm surprised that there was controversy about this case, as the bug really should be fixed as soon as we reasonably can, or in any event before the next release. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-07 6:30 ` Paul Eggert @ 2017-09-07 13:11 ` John Wiegley 2017-09-07 15:03 ` Eli Zaretskii 2017-09-07 20:47 ` enriched.el code execution Reiner Steib 2 siblings, 0 replies; 19+ messages in thread From: John Wiegley @ 2017-09-07 13:11 UTC (permalink / raw) To: Paul Eggert; +Cc: Glenn Morris, Eli Zaretskii, emacs-devel >>>>> "PE" == Paul Eggert <eggert@cs.ucla.edu> writes: PE> This particular bug involved remote code execution by visiting an email PE> attachment. Any security hole this serious should be blocking. It doesn't PE> matter that the bug has been around for a while, as the bug is known now PE> and is likely to be exploited by anyone who cares to attack Emacs users. PE> I'm surprised that there was controversy about this case, as the bug PE> really should be fixed as soon as we reasonably can, or in any event PE> before the next release. It does seem that this issue should be easy enough to fix that we can delay until it's included. -- John Wiegley GPG fingerprint = 4710 CF98 AF9B 327B B80F http://newartisans.com 60E1 46C4 BD1A 7AC1 4BA2 ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-07 6:30 ` Paul Eggert 2017-09-07 13:11 ` John Wiegley @ 2017-09-07 15:03 ` Eli Zaretskii 2017-09-07 21:32 ` Paul Eggert 2017-09-07 20:47 ` enriched.el code execution Reiner Steib 2 siblings, 1 reply; 19+ messages in thread From: Eli Zaretskii @ 2017-09-07 15:03 UTC (permalink / raw) To: Paul Eggert; +Cc: rgm, emacs-devel > Cc: emacs-devel@gnu.org > From: Paul Eggert <eggert@cs.ucla.edu> > Date: Wed, 6 Sep 2017 23:30:15 -0700 > > Eli Zaretskii wrote: > > Or maybe we could discuss the criteria for blocking bugs, and if > > agreed, no further discussions would be necessary. > > This particular bug involved remote code execution by visiting an email > attachment. Any security hole this serious should be blocking. It doesn't matter > that the bug has been around for a while, as the bug is known now and is likely > to be exploited by anyone who cares to attack Emacs users. I'm surprised that > there was controversy about this case, as the bug really should be fixed as soon > as we reasonably can, or in any event before the next release. There's no controversy regarding the need to fix serious security bugs, such as this one. However, marking a bug as blocking doesn't fix it, only code changes will fix it. If this bug is indeed deemed urgent by the community, it will be fixed very soon, and in that case blocking the next release, which will not happen tomorrow or the next week, is meaningless. OTOH, if the bug will remain unfixed till we are ready to release Emacs 26.1, in, like, 6 months, then it means fixing it is not deemed important, and blocking the release for it makes no sense. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-07 15:03 ` Eli Zaretskii @ 2017-09-07 21:32 ` Paul Eggert 2017-09-08 6:55 ` Eli Zaretskii 0 siblings, 1 reply; 19+ messages in thread From: Paul Eggert @ 2017-09-07 21:32 UTC (permalink / raw) To: Eli Zaretskii; +Cc: rgm, emacs-devel Eli Zaretskii wrote: > If this bug is indeed deemed > urgent by the community, it will be fixed very soon, and in that case > blocking the next release, which will not happen tomorrow or the next > week, is meaningless. OTOH, if the bug will remain unfixed till we > are ready to release Emacs 26.1, in, like, 6 months, then it means > fixing it is not deemed important, and blocking the release for it > makes no sense. A similar argument could be applied to any blocking bug, so why bother to mark any bug as blocking? I find value in having even easily-fixed bugs marked as blocking, if the bugs are important (as this one surely is). ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-07 21:32 ` Paul Eggert @ 2017-09-08 6:55 ` Eli Zaretskii 2017-09-08 7:11 ` Paul Eggert 0 siblings, 1 reply; 19+ messages in thread From: Eli Zaretskii @ 2017-09-08 6:55 UTC (permalink / raw) To: Paul Eggert; +Cc: rgm, emacs-devel > Cc: rgm@gnu.org, emacs-devel@gnu.org > From: Paul Eggert <eggert@cs.ucla.edu> > Date: Thu, 7 Sep 2017 14:32:48 -0700 > > Eli Zaretskii wrote: > > If this bug is indeed deemed > > urgent by the community, it will be fixed very soon, and in that case > > blocking the next release, which will not happen tomorrow or the next > > week, is meaningless. OTOH, if the bug will remain unfixed till we > > are ready to release Emacs 26.1, in, like, 6 months, then it means > > fixing it is not deemed important, and blocking the release for it > > makes no sense. > > A similar argument could be applied to any blocking bug No, it cannot. The point is that marking bugs as blocking and their urgency are two different and almost independent issues. > so why bother to mark any bug as blocking? Because it helps in management of a release. It's a managerial tool. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-08 6:55 ` Eli Zaretskii @ 2017-09-08 7:11 ` Paul Eggert 2017-09-08 8:20 ` Fabrice Popineau 0 siblings, 1 reply; 19+ messages in thread From: Paul Eggert @ 2017-09-08 7:11 UTC (permalink / raw) To: Eli Zaretskii; +Cc: rgm, emacs-devel Eli Zaretskii wrote: > marking bugs as blocking and their > urgency are two different and almost independent issues. They are different but not that independent. Urgent bugs are considerably more likely to be blocking (i.e., they should be fixed before the next release) than non-urgent bugs are. >> so why bother to mark any bug as blocking? > Because it helps in management of a release. It's a managerial tool. Yes, of course. It's just that this particular bug is severe enough that it should be fixed before the next release. I'm even becoming to be inclined to think that it should be backported to the *previous* release, and I *hate* doing that sort of thing. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-08 7:11 ` Paul Eggert @ 2017-09-08 8:20 ` Fabrice Popineau 2017-09-08 21:42 ` Óscar Fuentes 2017-09-09 17:12 ` Richard Stallman 0 siblings, 2 replies; 19+ messages in thread From: Fabrice Popineau @ 2017-09-08 8:20 UTC (permalink / raw) To: Paul Eggert; +Cc: rgm, Eli Zaretskii, Emacs developers [-- Attachment #1: Type: text/plain, Size: 1429 bytes --] Maybe I am naive, but I don't see why a bug existing in previous releases should be blocking. If the bug exists in say emacs 25.1, blocking the release of 26.1 will not prevent people to be at risk because they will continue to use 25.1. I would say that only newly introduced bugs for example related to new features or refactoring should be considered to be blocking. Fabrice 2017-09-08 9:11 GMT+02:00 Paul Eggert <eggert@cs.ucla.edu>: > Eli Zaretskii wrote: > >> marking bugs as blocking and their >> urgency are two different and almost independent issues. >> > > They are different but not that independent. Urgent bugs are considerably > more likely to be blocking (i.e., they should be fixed before the next > release) than non-urgent bugs are. > > so why bother to mark any bug as blocking? >>> >> Because it helps in management of a release. It's a managerial tool. >> > > Yes, of course. It's just that this particular bug is severe enough that > it should be fixed before the next release. I'm even becoming to be > inclined to think that it should be backported to the *previous* release, > and I *hate* doing that sort of thing. > > -- Fabrice Popineau ----------------------------- CentraleSupelec Département Informatique 3, rue Joliot Curie 91192 Gif/Yvette Cedex Tel direct : +33 (0) 169851950 Standard : +33 (0) 169851212 ------------------------------ [-- Attachment #2: Type: text/html, Size: 2757 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-08 8:20 ` Fabrice Popineau @ 2017-09-08 21:42 ` Óscar Fuentes 2017-09-09 17:12 ` Richard Stallman 1 sibling, 0 replies; 19+ messages in thread From: Óscar Fuentes @ 2017-09-08 21:42 UTC (permalink / raw) To: Emacs developers Fabrice Popineau <fabrice.popineau@centralesupelec.fr> writes: > Maybe I am naive, but I don't see why a bug existing in previous releases > should be blocking. We opened a secret door that can be used to cause harm to our users. It is bad enough that we did that on past releases, but it would be totally irresponsible to not fix our blunder on the next release. > If the bug exists in say emacs 25.1, blocking the release of 26.1 will not > prevent > people to be at risk because they will continue to use 25.1. This is why I'm with Paul about backporting the fix. This bug is truly abhorrent. [snip] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-08 8:20 ` Fabrice Popineau 2017-09-08 21:42 ` Óscar Fuentes @ 2017-09-09 17:12 ` Richard Stallman 2017-09-09 18:27 ` Fabrice Popineau 1 sibling, 1 reply; 19+ messages in thread From: Richard Stallman @ 2017-09-09 17:12 UTC (permalink / raw) To: Fabrice Popineau; +Cc: rgm, eliz, eggert, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > Maybe I am naive, but I don't see why a bug existing in previous releases > should be blocking. Because this bug is so grave we must not tolerate its presence. > If the bug exists in say emacs 25.1, blocking the release of 26.1 will not > prevent > people to be at risk because they will continue to use 25.1. We should urge them all to upgrade to the new Emacs 25 release that we should make as soon as we can. -- Dr Richard Stallman President, Free Software Foundation (gnu.org, fsf.org) Internet Hall-of-Famer (internethalloffame.org) Skype: No way! See stallman.org/skype.html. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: release bugs [was Re: Processed: enriched.el code execution] 2017-09-09 17:12 ` Richard Stallman @ 2017-09-09 18:27 ` Fabrice Popineau 0 siblings, 0 replies; 19+ messages in thread From: Fabrice Popineau @ 2017-09-09 18:27 UTC (permalink / raw) To: rms; +Cc: rgm, Eli Zaretskii, Paul Eggert, Emacs developers [-- Attachment #1: Type: text/plain, Size: 590 bytes --] 2017-09-09 19:12 GMT+02:00 Richard Stallman <rms@gnu.org>: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > > Maybe I am naive, but I don't see why a bug existing in previous > releases > > should be blocking. > > Because this bug is so grave we must not tolerate its presence. > I agree. So I realized in the mean time that it all depends about the extension you give to the "blocking" term :-) -- Fabrice [-- Attachment #2: Type: text/html, Size: 1179 bytes --] ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: enriched.el code execution 2017-09-07 6:30 ` Paul Eggert 2017-09-07 13:11 ` John Wiegley 2017-09-07 15:03 ` Eli Zaretskii @ 2017-09-07 20:47 ` Reiner Steib 2017-09-07 21:24 ` Paul Eggert 2 siblings, 1 reply; 19+ messages in thread From: Reiner Steib @ 2017-09-07 20:47 UTC (permalink / raw) To: Paul Eggert; +Cc: Eli Zaretskii, emacs-devel On Wed, Sep 06 2017, Paul Eggert wrote: > This particular bug involved remote code execution by visiting an > email attachment. Any security hole this serious should be > blocking. It doesn't matter that the bug has been around for a while, > as the bug is known now and is likely to be exploited by anyone who > cares to attack Emacs users. I'm surprised that there was controversy > about this case, as the bug really should be fixed as soon as we > reasonably can, or in any event before the next release. If I understand correctly, this issue is serious enough (CVSS is 8.8, Common Vulnerability Scoring System, v3.0) that we should prepare a security fix release (from Emacs 25.2) as soon as we have a fix for this bug (or we should disable this feature of enriched mode). Bye, Reiner. ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: enriched.el code execution 2017-09-07 20:47 ` enriched.el code execution Reiner Steib @ 2017-09-07 21:24 ` Paul Eggert 0 siblings, 0 replies; 19+ messages in thread From: Paul Eggert @ 2017-09-07 21:24 UTC (permalink / raw) To: Eli Zaretskii, emacs-devel Reiner Steib wrote: > If I understand correctly, this issue is serious enough (CVSS is 8.8, > Common Vulnerability Scoring System, v3.0) that we should prepare a > security fix release (from Emacs 25.2) as soon as we have a fix for > this bug (or we should disable this feature of enriched mode). I favor this as well. Although I hate maintaining the old branch, this bug is quite serious. ^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2017-09-09 18:27 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <83tw0h0yem.fsf@gnu.org>
[not found] ` <handler.s.C.150463767313430.transcript@debbugs.gnu.org>
2017-09-06 6:40 ` release bugs [was Re: Processed: enriched.el code execution] Glenn Morris
2017-09-06 9:41 ` John Wiegley
2017-09-06 10:00 ` Sven Joachim
2017-09-06 10:13 ` John Wiegley
2017-09-07 4:03 ` Richard Stallman
2017-09-07 14:43 ` Eli Zaretskii
2017-09-06 16:12 ` Eli Zaretskii
2017-09-07 6:30 ` Paul Eggert
2017-09-07 13:11 ` John Wiegley
2017-09-07 15:03 ` Eli Zaretskii
2017-09-07 21:32 ` Paul Eggert
2017-09-08 6:55 ` Eli Zaretskii
2017-09-08 7:11 ` Paul Eggert
2017-09-08 8:20 ` Fabrice Popineau
2017-09-08 21:42 ` Óscar Fuentes
2017-09-09 17:12 ` Richard Stallman
2017-09-09 18:27 ` Fabrice Popineau
2017-09-07 20:47 ` enriched.el code execution Reiner Steib
2017-09-07 21:24 ` Paul Eggert
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/emacs.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).