* Emacs 28.3 Release
From: Troy Hinckley @ 2023-04-10 13:05 UTC
To: emacs-devel, Eli Zaretskii, Stefan Kangas

Hi Emacs devs,

I am asking again what we can do to complete the Emacs 28.3 release. My concern is that we have a narrow window in which this version will be viable. As it currently stands the latest stable release has a high severity CVE that prevents Emacs from being installed in security sensitive domains. 28.3 will resolve that and make the latest stable release usable. However, someone will inevitably find another CVE against Emacs. At that point 28.3 will no longer be useful. Given how hard it has been to get this release, I doubt there would be resources to add another security patch to Emacs 28.

I am requesting to see if there is anything the community can do to help complete this release before it becomes irrelevant. The release candidate has been out for a couple of months at this point.

— Troy Hinckley
* Re: Emacs 28.3 Release
From: Eli Zaretskii @ 2023-04-10 13:20 UTC
To: Troy Hinckley; +Cc: emacs-devel, stefankangas

> Date: Mon, 10 Apr 2023 08:05:04 -0500
> From: Troy Hinckley <comms@dabrev.com>
>
> I am asking again what we can do to complete the Emacs 28.3 release. My
> concern is that we have a narrow window in which this version will be
> viable. As it currently stands the latest stable release has a high
> severity CVE that prevents Emacs from being installed in security
> sensitive domains. 28.3 will resolve that and make the latest stable
> release usable. However, someone will inevitably find another CVE
> against Emacs. At that point 28.3 will no longer be useful. Given how
> hard it has been to get this release, I doubt there would be resources
> to add another security patch to Emacs 28.
>
> I am requesting to see if there is anything the community can do to
> help complete this release before it becomes irrelevant. The release
> candidate has been out for a couple of months at this point.

Stefan was working on 28.3, prepared an RC, and has been silent for the last 4 weeks or so. I think any work on this should pick up where he left off, but for that we need him to tell us where he left off...
* Re: Emacs 28.3 Release
From: lux @ 2023-04-10 14:33 UTC
To: Eli Zaretskii, Troy Hinckley; +Cc: emacs-devel, stefankangas

On Mon, 2023-04-10 at 16:20 +0300, Eli Zaretskii wrote:
> > Date: Mon, 10 Apr 2023 08:05:04 -0500
> > From: Troy Hinckley <comms@dabrev.com>
> >
> > I am asking again what we can do to complete the Emacs 28.3
> > release. My concern is that we have a narrow window in which this
> > version will be viable. As it currently stands the latest stable
> > release has a high severity CVE that prevents Emacs from being
> > installed in security sensitive domains. 28.3 will resolve that and
> > make the latest stable release usable. However, someone will
> > inevitably find another CVE against Emacs. At that point 28.3 will
> > no longer be useful. Given how hard it has been to get this release,
> > I doubt there would be resources to add another security patch to
> > Emacs 28.
> >
> > I am requesting to see if there is anything the community can do to
> > help complete this release before it becomes irrelevant. The release
> > candidate has been out for a couple of months at this point.
>
> Stefan was working on 28.3, prepared an RC, and is silent for the
> last 4 weeks or so. I think any work on this should pick up where he
> left off, but for that we need him to tell us where he left off...
>

There are new security patches, CVE-2023-28617, CVE-2023-27985 and CVE-2023-27986. If Emacs 28.3 is to be released, I suggest they should be applied. But, where is Stefan?

[-- Attachment #2: 0001-Fix-CVE-2023-28617.patch --]
[-- Type: text/x-patch, Size: 1943 bytes --]

From cde4caecff72bcd3e45818838312218dedc6e2f1 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org> Date: Mon, 10 Apr 2023 22:23:09 +0800 Subject: [PATCH] Fix CVE-2023-28617. --- lisp/org/ob-latex.el | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el index d9d66ade56f..f2ab9b16c78 100644 --- a/lisp/org/ob-latex.el +++ b/lisp/org/ob-latex.el @@ -167,7 +167,7 @@ org-babel-execute:latex tmp-pdf (list org-babel-latex-pdf-svg-process) extension err-msg log-buf))) - (shell-command (format "mv %s %s" img-out out-file))))) + (rename-file img-out out-file t)))) ((string-suffix-p ".tikz" out-file) (when (file-exists-p out-file) (delete-file out-file)) (with-temp-file out-file @@ -205,17 +205,14 @@ org-babel-execute:latex (if (string-suffix-p ".svg" out-file) (progn (shell-command "pwd") - (shell-command (format "mv %s %s" - (concat (file-name-sans-extension tex-file) "-1.svg") - out-file))) + (rename-file (concat (file-name-sans-extension tex-file) "-1.svg") + out-file t)) (error "SVG file produced but HTML file requested"))) ((file-exists-p (concat (file-name-sans-extension tex-file) ".html")) (if (string-suffix-p ".html" out-file) - (shell-command "mv %s %s" - (concat (file-name-sans-extension tex-file) - ".html") - out-file) - (error "HTML file produced but SVG file requested"))))) + (rename-file (concat (file-name-sans-extension tex-file) ".html") + out-file t) + (error "HTML file produced but SVG file requested"))))) ((or (string= "pdf" extension) imagemagick) (with-temp-file tex-file (require 'ox-latex) -- 2.39.2 [-- Attachment #3: 0001-Fix-CVE-2023-27985-and-CVE-2023-27986.patch --] [-- Type: text/x-patch, Size: 1706 bytes --] From b58b35322b8142fa22f99624adfc024098e6040c Mon Sep 17 00:00:00 2001 From: Xi Lu <lx@shellcodes.org> Date: Mon, 10 Apr 2023 22:26:53 +0800 Subject: [PATCH] Fix CVE-2023-27985 and CVE-2023-27986. --- etc/emacsclient-mail.desktop | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
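Review bot: in the first hunk of ob-latex.el (@@ -167,7), replacing `(shell-command (format "mv %s %s" img-out out-file))` with `(rename-file img-out out-file t)` is the right fix, since the old form spliced the output file name unquoted into a shell command line, but two behaviour details belong in the commit message: `rename-file` with OK-IF-ALREADY-EXISTS set to `t` silently overwrites an existing out-file (as `mv` did, so this is preserved, but say so), and `rename-file` signals a `file-error` when img-out was never produced, whereas `mv` only wrote a complaint to the shell output buffer; the surrounding `err-msg`/`log-buf` handling should be checked to make sure that new signal is reported sensibly.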
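Review bot: in the second hunk of ob-latex.el (@@ -205,17), the `(shell-command "pwd")` at the top of the hunk is a debugging leftover that still spawns a shell for no effect; drop it with this change so that no `shell-command` call remains in `org-babel-execute:latex` at all. Also worth recording: the old `.html` branch called `(shell-command "mv %s %s" (concat ...) out-file)` without `format`, so the two file names were passed as `shell-command`'s OUTPUT-BUFFER and ERROR-BUFFER arguments and the literal string `mv %s %s` was executed; that branch never renamed anything. The `rename-file` replacement fixes that latent bug too, which is a user-visible behaviour change and should be stated in the commit message.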
diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop index b575a41758a..0a2420ddead 100644 --- a/etc/emacsclient-mail.desktop +++ b/etc/emacsclient-mail.desktop @@ -1,7 +1,10 @@ [Desktop Entry] Categories=Network;Email; Comment=GNU Emacs is an extensible, customizable text editor - and more -Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)" +# We want to pass the following commands to the shell wrapper: +# u=$(echo "$1" | sed 's/[\"]/\\&/g'); exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")" +# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'. +Exec=sh -c "u=\\$(echo \\"\\$1\\" | sed 's/[\\\\\\"]/\\\\\\\\&/g'); exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u Icon=emacs Name=Emacs (Mail, Client) MimeType=x-scheme-handler/mailto; @@ -13,7 +16,7 @@ Actions=new-window;new-instance; [Desktop Action new-window] Name=New Window -Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")" +Exec=sh -c "u=\\$(echo \\"\\$1\\" | sed 's/[\\\\\\"]/\\\\\\\\&/g'); exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u [Desktop Action new-instance] Name=New Instance -- 2.39.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
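Review bot: in the first hunk of emacsclient-mail.desktop (@@ -1,7), passing `%u` as a positional parameter (`sh %u`) and escaping it with sed before it is embedded in the `--eval` string is what closes the injection, but `echo "$1"` is not a safe way to feed arbitrary input into that pipeline: some /bin/sh implementations (dash among them) interpret backslash escapes in echo's argument, and others treat a leading `-n`/`-e` as an option, so a URL is not guaranteed to reach sed unchanged. `printf '%s\n' "$1"` has neither problem and drops into the same place. The three `#` comment lines are the only documentation of the escaping scheme; repeating the unescaped command in the commit message would let later backporters verify the quoting without decoding the Exec line.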
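Review bot: in the second hunk of emacsclient-mail.desktop (@@ -13,7), the new-window action repeats the entire `sh -c` wrapper from the main Exec line verbatim, differing only in `--create-frame` versus `--display=\"\$DISPLAY\"`, so the sed escaping now exists in two copies that must be kept in sync (three if the new-instance action, whose Exec line lies outside this hunk, also takes `%u`). A single wrapper script shipped alongside the desktop file, or one shared shell snippet referenced from each action, would give every action one audited implementation to call instead of a hand-copied quoting string.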
* Re: Emacs 28.3 Release
From: Ulrich Mueller @ 2023-04-10 14:44 UTC
To: lux; +Cc: Eli Zaretskii, Troy Hinckley, emacs-devel, stefankangas

>>>>> On Mon, 10 Apr 2023, lux wrote:

> From b58b35322b8142fa22f99624adfc024098e6040c Mon Sep 17 00:00:00 2001
> From: Xi Lu <lx@shellcodes.org>
> Date: Mon, 10 Apr 2023 22:26:53 +0800
> Subject: [PATCH] Fix CVE-2023-27985 and CVE-2023-27986.

Please don't misrepresent authorship of commits, even when squashing several of them (namely, d32091199ae5, 3c1693d08b0a, and c8ec0017cb96).
* Re: Emacs 28.3 Release
From: lux @ 2023-04-10 14:46 UTC
To: Ulrich Mueller; +Cc: Eli Zaretskii, Troy Hinckley, emacs-devel, stefankangas

On Mon, 2023-04-10 at 16:44 +0200, Ulrich Mueller wrote:
> >>>>> On Mon, 10 Apr 2023, lux wrote:
>
> > From b58b35322b8142fa22f99624adfc024098e6040c Mon Sep 17 00:00:00 2001
> > From: Xi Lu <lx@shellcodes.org>
> > Date: Mon, 10 Apr 2023 22:26:53 +0800
> > Subject: [PATCH] Fix CVE-2023-27985 and CVE-2023-27986.
>
> Please don't misrepresent authorship of commits, even when squashing
> several of them (namely, d32091199ae5, 3c1693d08b0a, and
> c8ec0017cb96).

I'm sorry, I didn't notice.
* Re: Emacs 28.3 Release
From: Po Lu @ 2023-04-10 13:50 UTC
To: Troy Hinckley; +Cc: emacs-devel, Eli Zaretskii, Stefan Kangas

Troy Hinckley <comms@dabrev.com> writes:

> Hi Emacs devs, I am asking again what we can do to complete the Emacs
> 28.3 release. My concern is that we have a narrow window in which this
> version will be viable. As it currently stands the latest stable
> release has a high severity CVE that prevents Emacs from being
> installed in security sensitive domains. 28.3 will resolve that and
> make the latest stable release usable. However, someone will
> inevitably find another CVE against Emacs. At that point 28.3 will no
> longer be useful. Given how hard it has been to get this release, I
> doubt there would be resources to add another security patch to Emacs
> 28.

BTW, perhaps you could complain to your employer's security folks about their policies wrt the CVE database, which is actually the computer security circus's system for spreading patent libel against software.

You could cite the reasons put forth by the SQLite developers for not taking notice of CVE reports, at http://www.sqlite.org/cves.html:

- The developers often do not find out about CVEs until long after the bug is fixed. You can see this by the fact that many CVEs reference the bug fix in their initial report.

- CVEs are a low-quality source of information about bugs in SQLite that are likely to affect most applications.

- Almost all bugs reported by CVEs are just bugs and not true vulnerabilities. Claiming that they are vulnerabilities is stretching the meaning of the word "vulnerability" and the SQLite developers do not wish to participate in that deception.

- The developers have no editorial influence on the content of CVEs, and they do not like to be controlled by groups in which they have no voice.
* Re: Emacs 28.3 Release
From: Jean Louis @ 2023-04-11 8:14 UTC
To: Troy Hinckley; +Cc: emacs-devel, Eli Zaretskii, Stefan Kangas

* Troy Hinckley <comms@dabrev.com> [2023-04-10 16:21]:
> Hi Emacs devs,
> I am asking again what we can do to complete the Emacs 28.3 release.
> My concern is that we have a narrow window in which this version will
> be viable. As it currently stands the latest stable release has a high
> severity CVE that prevents Emacs from being installed in security
> sensitive domains. 28.3 will resolve that and make the latest stable
> release usable. However, someone will inevitably find another CVE
> against Emacs. At that point 28.3 will no longer be useful. Given how
> hard it has been to get this release, I doubt there would be resources
> to add another security patch to Emacs 28.

Emacs has a built-in programming language. Programming languages are not secure by default. Their purpose is the freedom of the programmer to do what the programmer wants.

If people on this mailing list so decided, they could file X number of (not so) common vulnerabilities, though developers are constantly improving Emacs, not making their reputation by "discovering security holes". If the focus were on common vulnerability reporting, then those reports would be as great in number as GNU Emacs bug reports.

This means that handling those one or few CVE reports related to Emacs is only there for cosmetic purposes. It is for the fake image.

Handling a few of those CVEs, or removing reports, or closing those reports, doesn't make Emacs secure for "secure domains" as you mentioned it. It is as secure as the people who are working with it.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
* Re: Emacs 28.3 Release
From: Troy Hinckley @ 2023-04-12 15:37 UTC
To: Jean Louis; +Cc: emacs-devel, Eli Zaretskii, Stefan Kangas

Everything you said is correct, Jean. But I work at one of the major tech companies in the US with over 100,000 engineers. I have tried to argue with IT about their policies, but as you can imagine it makes no difference. They see high-severity CVEs and won't install it. And we are not the only company that has such policies. We have 1000s of Emacs users here who can't use the latest stable Emacs until 28.3 comes out. I am really appreciative of the effort that has been put in so far to get this version of Emacs out. I hope we can make this release soon.

On Apr 11, 2023 at 3:14 AM -0500, Jean Louis <bugs@gnu.support>, wrote:
> * Troy Hinckley <comms@dabrev.com> [2023-04-10 16:21]:
> > Hi Emacs devs,
> > I am asking again what we can do to complete the Emacs 28.3 release.
> > My concern is that we have a narrow window in which this version will
> > be viable. As it currently stands the latest stable release has a
> > high severity CVE that prevents Emacs from being installed in
> > security sensitive domains. 28.3 will resolve that and make the
> > latest stable release usable. However, someone will inevitably find
> > another CVE against Emacs. At that point 28.3 will no longer be
> > useful. Given how hard it has been to get this release, I doubt
> > there would be resources to add another security patch to Emacs 28.
>
> Emacs has a built-in programming language. Programming languages are
> not secure by default. Their purpose is the freedom of the programmer
> to do what the programmer wants.
>
> If people on this mailing list so decided, they could file X number
> of (not so) common vulnerabilities, though developers are constantly
> improving Emacs, not making their reputation by "discovering security
> holes". If the focus were on common vulnerability reporting, then
> those reports would be as great in number as GNU Emacs bug reports.
>
> This means that handling those one or few CVE reports related to Emacs
> is only there for cosmetic purposes. It is for the fake image.
>
> Handling a few of those CVEs, or removing reports, or closing those
> reports, doesn't make Emacs secure for "secure domains" as you
> mentioned it.
>
> It is as secure as the people who are working with it.
>
> --
> Jean
>
> Take action in Free Software Foundation campaigns:
> https://www.fsf.org/campaigns
>
> In support of Richard M. Stallman
> https://stallmansupport.org/
* Re: Emacs 28.3 Release
From: lux @ 2023-04-12 16:31 UTC
To: Troy Hinckley, Jean Louis; +Cc: emacs-devel, Eli Zaretskii, Stefan Kangas

On Wed, 2023-04-12 at 10:37 -0500, Troy Hinckley wrote:
> Everything you said is correct, Jean. But I work at one of the major
> tech companies in the US with over 100,000 engineers. I have tried to
> argue with IT about their policies, but as you can imagine it makes no
> difference. They see high-severity CVEs and won't install it. And we
> are not the only company that has such policies. We have 1000s of
> Emacs users here who can't use the latest stable Emacs until 28.3
> comes out. I am really appreciative of the effort that has been put
> in so far to get this version of Emacs out. I hope we can make this
> release soon.

Hi Troy,

The main change in Emacs 28.3 is to fix known vulnerabilities. If it is urgent, I think you could also compile Emacs 28.3 or Emacs 29 yourself?
* Re: Emacs 28.3 Release
From: Corwin Brust @ 2023-04-12 16:56 UTC
To: lux; +Cc: Troy Hinckley, Jean Louis, emacs-devel, Eli Zaretskii, Stefan Kangas

Hi all,

On Wed, Apr 12, 2023 at 11:31 AM lux <lx@shellcodes.org> wrote:
>
> The main change in Emacs 28.3 is to fix known vulnerabilities. If it is
> urgent, I think you could also compile Emacs 28.3 or Emacs 29 yourself?
>

TL;DR: Troy's request resonates with mine; this isn't something I'd expect Troy can work around.

In heavily controlled computing offices (my experience is financial services, specifically) it's usual to restrict access to install and run compilers. Even some of my devs who are using Visual Studio can't run gcc. (There are tools like CarbonBlack that are used specifically to detect users attempting to run unapproved software.)

Generally, in this type of environment, I'm able to get Emacs available for download and use on "company-managed hardware" only by providing a corp desktop support team with an installer. That installer is then used in a sandbox environment, various "security scans" are run, and then (eventually, if we are lucky) the company's internal software self-service catalog is updated to provide a repackaged version of the vetted software.

Career-to-date, I've only once had success at getting the desktop support team to actually compile Emacs for me. (It was a pre-release for Emacs 27.1, FTR. That only worked because Emacs can build a Windows installer, which that company required any internally distributed software to provide, and because the engineer who picked up the ticket was into the idea of playing around with GCC in the sandbox and had the ear of their boss: this was well outside the normal duties for that team.)