From: Vasilij Schneidermann
Newsgroups: gmane.emacs.devel
Subject: Re: Structurally fixing command injection bugs
Date: Wed, 22 Feb 2023 11:34:30 +0100
To: lux
Cc: emacs-devel@gnu.org

On 02/22/23 at 06:20pm, lux wrote:
> > PS: Where should I report analogous misuse of
> > `shell-command-to-string`? I cannot submit patches currently because
> > I've changed employers and need to renew copyright assignment, again
> > (that would be the third time already).
>
> You can send to bug-gnu-emacs@gnu.org

Yes, usually I'd just use M-x report-emacs-bug, but in this case it's
different because I plan to develop proof of concept code (PoC) and
submit it to the responsible maintainer for verifying the vulnerability
and the fix. Publicly disclosing PoC code is usually frowned upon, no
matter how trivial/exploitable the issue is.