unofficial mirror of emacs-devel@gnu.org 
* Emacs 28.3 Release
       [not found] <f4b95933-46bd-4bcb-b9ca-ceed72b1c6ee@Spark>
@ 2023-04-10 13:05 ` Troy Hinckley
  2023-04-10 13:20   ` Eli Zaretskii
                     ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Troy Hinckley @ 2023-04-10 13:05 UTC (permalink / raw)
  To: emacs-devel, Eli Zaretskii, Stefan Kangas


Hi Emacs devs,
I am asking again what we can do to complete the Emacs 28.3 release. My concern is that we have a narrow window in which this version will be viable. As it currently stands the latest stable release has a high severity CVE that prevents Emacs from being installed in security sensitive domains. 28.3 will resolve that and make the latest stable release usable. However, someone will inevitably find another CVE against Emacs. At that point 28.3 will no longer be useful. Given how hard it has been to get this release, I doubt there would be resources to add another security patch to Emacs 28.

I am requesting to see if there is anything the community can do to help complete this release before it becomes irrelevant. The release candidate has been out for a couple of months at this point.

— Troy Hinckley


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Emacs 28.3 Release
  2023-04-10 13:05 ` Emacs 28.3 Release Troy Hinckley
@ 2023-04-10 13:20   ` Eli Zaretskii
  2023-04-10 14:33     ` lux
  2023-04-10 13:50   ` Po Lu
  2023-04-11  8:14   ` Jean Louis
  2 siblings, 1 reply; 10+ messages in thread
From: Eli Zaretskii @ 2023-04-10 13:20 UTC (permalink / raw)
  To: Troy Hinckley; +Cc: emacs-devel, stefankangas

> Date: Mon, 10 Apr 2023 08:05:04 -0500
> From: Troy Hinckley <comms@dabrev.com>
> 
> I am asking again what we can do to complete the Emacs 28.3 release. My concern is that we have a
> narrow window in which this version will be viable. As it currently stands the latest stable release has a
> high severity CVE that prevents Emacs from being installed in security sensitive domains. 28.3 will
> resolve that and make the latest stable release usable. However, someone will inevitably find another
> CVE against Emacs. At that point 28.3 will no longer be useful. Given how hard it has been to get this
> release, I doubt there would be resources to add another security patch to Emacs 28. 
> 
> I am requesting to see if there is anything the community can do to help complete this release before
> it becomes irrelevant. The release candidate has been out for a couple of months at this point.

Stefan was working on 28.3, prepared an RC, and is silent for the last
4 weeks or so.  I think any work on this should pick up where he left
off, but for that we need him to tell us where he left off...




* Re: Emacs 28.3 Release
  2023-04-10 13:05 ` Emacs 28.3 Release Troy Hinckley
  2023-04-10 13:20   ` Eli Zaretskii
@ 2023-04-10 13:50   ` Po Lu
  2023-04-11  8:14   ` Jean Louis
  2 siblings, 0 replies; 10+ messages in thread
From: Po Lu @ 2023-04-10 13:50 UTC (permalink / raw)
  To: Troy Hinckley; +Cc: emacs-devel, Eli Zaretskii, Stefan Kangas

Troy Hinckley <comms@dabrev.com> writes:

> Hi Emacs devs, I am asking again what we can do to complete the Emacs
> 28.3 release. My concern is that we have a narrow window in which this
> version will be viable. As it currently stands the latest stable
> release has a high severity CVE that prevents Emacs from being
> installed in security sensitive domains. 28.3 will resolve that and
> make the latest stable release usable. However, someone will
> inevitably find another CVE against Emacs. At that point 28.3 will no
> longer be useful. Given how hard it has been to get this release, I
> doubt there would be resources to add another security patch to Emacs
> 28.

BTW, perhaps you could complain to your employer's security folks about
their policies wrt the CVE database, which is actually the computer
security circus's system for spreading patent libel against software.

You could cite the reasons put forth by the SQLite developers for not
taking notice of CVE reports, at http://www.sqlite.org/cves.html:

  - The developers often do not find out about CVEs until long after the
    bug is fixed. You can see this by the fact that many CVEs reference
    the bug fix in their initial report.

  - CVEs are a low-quality source of information about bugs in SQLite
    that are likely to affect most applications.

  - Almost all bugs reported by CVEs are just bugs and not true
    vulnerabilities. Claiming that they are vulnerabilities is
    stretching the meaning of the word "vulnerability" and the SQLite
    developers do not wish to participate in that deception.

  - The developers have no editorial influence on the content of CVEs,
    and they do not like to be controlled by groups in which they have
    no voice.





* Re: Emacs 28.3 Release
  2023-04-10 13:20   ` Eli Zaretskii
@ 2023-04-10 14:33     ` lux
  2023-04-10 14:44       ` Ulrich Mueller
  0 siblings, 1 reply; 10+ messages in thread
From: lux @ 2023-04-10 14:33 UTC (permalink / raw)
  To: Eli Zaretskii, Troy Hinckley; +Cc: emacs-devel, stefankangas


On Mon, 2023-04-10 at 16:20 +0300, Eli Zaretskii wrote:
> > Date: Mon, 10 Apr 2023 08:05:04 -0500
> > From: Troy Hinckley <comms@dabrev.com>
> > 
> > I am asking again what we can do to complete the Emacs 28.3
> > release. My concern is that we have a
> > narrow window in which this version will be viable. As it currently
> > stands the latest stable release has a
> > high severity CVE that prevents Emacs from being installed in
> > security sensitive domains. 28.3 will
> > resolve that and make the latest stable release usable. However,
> > someone will inevitably find another
> > CVE against Emacs. At that point 28.3 will no longer be useful.
> > Given how hard it has been to get this
> > release, I doubt there would be resources to add another security
> > patch to Emacs 28. 
> > 
> > I am requesting to see if there is anything the community can do to
> > help complete this release before
> > it becomes irrelevant. The release candidate has been out for a
> > couple of months at this point.
> 
> Stefan was working on 28.3, prepared an RC, and is silent for the
> last
> 4 weeks or so.  I think any work on this should pick up where he left
> off, but for that we need him to tell us where he left off...
> 

There are new security patches: CVE-2023-28617, CVE-2023-27985 and
CVE-2023-27986. If Emacs 28.3 is to be released, I suggest they should
be applied.

But, where is Stefan?

[-- Attachment #2: 0001-Fix-CVE-2023-28617.patch --]
[-- Type: text/x-patch, Size: 1943 bytes --]

From cde4caecff72bcd3e45818838312218dedc6e2f1 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Mon, 10 Apr 2023 22:23:09 +0800
Subject: [PATCH] Fix CVE-2023-28617.

---
 lisp/org/ob-latex.el | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el
index d9d66ade56f..f2ab9b16c78 100644
--- a/lisp/org/ob-latex.el
+++ b/lisp/org/ob-latex.el
@@ -167,7 +167,7 @@ org-babel-execute:latex
 	                     tmp-pdf
                              (list org-babel-latex-pdf-svg-process)
                              extension err-msg log-buf)))
-              (shell-command (format "mv %s %s" img-out out-file)))))
+              (rename-file img-out out-file t))))
          ((string-suffix-p ".tikz" out-file)
 	  (when (file-exists-p out-file) (delete-file out-file))
 	  (with-temp-file out-file
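Review bot: the fix in this hunk is that img-out and out-file are now handed to rename-file as Lisp strings instead of being spliced into an `mv %s %s` command line, so a file name containing shell metacharacters can no longer be interpreted by the shell (the CVE-2023-28617 issue named in the subject). The trailing `t` (OK-IF-ALREADY-EXISTS) preserves the overwrite behaviour of the old `mv`. One behavioural difference worth a sentence in the commit message: `shell-command` merely returned a non-zero exit status when `mv` failed, whereas `rename-file` signals a file-error, so a failed rename now aborts org-babel-execute:latex instead of being silently ignored.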
@@ -205,17 +205,14 @@ org-babel-execute:latex
 	    (if (string-suffix-p ".svg" out-file)
 		(progn
 		  (shell-command "pwd")
-		  (shell-command (format "mv %s %s"
-					 (concat (file-name-sans-extension tex-file) "-1.svg")
-					 out-file)))
+                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
+                               out-file t))
 	      (error "SVG file produced but HTML file requested")))
 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
 	    (if (string-suffix-p ".html" out-file)
-		(shell-command "mv %s %s"
-			       (concat (file-name-sans-extension tex-file)
-				       ".html")
-			       out-file)
-	      (error "HTML file produced but SVG file requested")))))
+                (rename-file (concat (file-name-sans-extension tex-file) ".html")
+                             out-file t)
+              (error "HTML file produced but SVG file requested")))))
 	 ((or (string= "pdf" extension) imagemagick)
 	  (with-temp-file tex-file
 	    (require 'ox-latex)
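Review bot: the removed form `(shell-command "mv %s %s" (concat ...) out-file)` in the .html branch never called `format`, so before this patch the literal string `mv %s %s` was run as the command and the two file names were passed as shell-command's OUTPUT-BUFFER and ERROR-BUFFER arguments; switching to `rename-file` fixes that latent bug along with the injection, and the commit message could say so. Two smaller points: the `(shell-command "pwd")` left in the unchanged context above the .svg branch looks like leftover debugging output and spawns a shell for nothing, and the new lines are space-indented while the surrounding code uses tabs.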
-- 
2.39.2


[-- Attachment #3: 0001-Fix-CVE-2023-27985-and-CVE-2023-27986.patch --]
[-- Type: text/x-patch, Size: 1706 bytes --]

From b58b35322b8142fa22f99624adfc024098e6040c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Mon, 10 Apr 2023 22:26:53 +0800
Subject: [PATCH] Fix CVE-2023-27985 and CVE-2023-27986.

---
 etc/emacsclient-mail.desktop | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
index b575a41758a..0a2420ddead 100644
--- a/etc/emacsclient-mail.desktop
+++ b/etc/emacsclient-mail.desktop
@@ -1,7 +1,10 @@
 [Desktop Entry]
 Categories=Network;Email;
 Comment=GNU Emacs is an extensible, customizable text editor - and more
-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\\\(message-mailto\\\\ \\\\\\"%u\\\\\\"\\\\)"
+# We want to pass the following commands to the shell wrapper:
+# u=$(echo "$1" | sed 's/[\"]/\\&/g'); exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")"
+# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'.
+Exec=sh -c "u=\\$(echo \\"\\$1\\" | sed 's/[\\\\\\"]/\\\\\\\\&/g'); exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u
 Icon=emacs
 Name=Emacs (Mail, Client)
 MimeType=x-scheme-handler/mailto;
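Review bot: the essential change is that the URL now reaches the wrapper as `$1` (via the trailing `sh %u`) rather than being expanded by the desktop launcher into the command string itself, and the sed call escapes `\` and `"` before the value is placed inside the Elisp string literal `(message-mailto \"$u\")`; those are the only two characters with special meaning inside an Emacs Lisp string, so the escaping is complete for that context, and `$u` expanded inside a double-quoted shell string is not re-parsed by the shell. One portability caveat: `echo "$1"` is not safe for arbitrary input, because some shells' builtin echo (dash, the /bin/sh on Debian-based systems) interprets backslash sequences in its argument, so a URL containing `\` could be altered before sed sees it; `printf '%s\n' "$1"` avoids that. The three comment lines spelling out the escaping layers are helpful and should stay.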
@@ -13,7 +16,7 @@ Actions=new-window;new-instance;
 
 [Desktop Action new-window]
 Name=New Window
-Exec=emacsclient --alternate-editor= --create-frame --eval "(message-mailto \\"%u\\")"
+Exec=sh -c "u=\\$(echo \\"\\$1\\" | sed 's/[\\\\\\"]/\\\\\\\\&/g'); exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u
 
 [Desktop Action new-instance]
 Name=New Instance
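Review bot: this Exec line duplicates the wrapper from the main entry verbatim (with --create-frame in place of --display), which is unavoidable in a .desktop file but means both lines must be kept in sync if the escaping is ever changed; a short comment pointing back to the explanation above the main Exec line would help. The `new-instance` action that begins in the trailing context of this hunk is not touched by the patch, so its Exec line (outside the visible hunk) should be checked for the same `%u` interpolation before this is merged.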
-- 
2.39.2



* Re: Emacs 28.3 Release
  2023-04-10 14:33     ` lux
@ 2023-04-10 14:44       ` Ulrich Mueller
  2023-04-10 14:46         ` lux
  0 siblings, 1 reply; 10+ messages in thread
From: Ulrich Mueller @ 2023-04-10 14:44 UTC (permalink / raw)
  To: lux; +Cc: Eli Zaretskii, Troy Hinckley, emacs-devel, stefankangas

>>>>> On Mon, 10 Apr 2023, lux  wrote:

> From b58b35322b8142fa22f99624adfc024098e6040c Mon Sep 17 00:00:00 2001
> From: Xi Lu <lx@shellcodes.org>
> Date: Mon, 10 Apr 2023 22:26:53 +0800
> Subject: [PATCH] Fix CVE-2023-27985 and CVE-2023-27986.

Please don't misrepresent authorship of commits, even when squashing
several of them (namely, d32091199ae5, 3c1693d08b0a, and c8ec0017cb96).




* Re: Emacs 28.3 Release
  2023-04-10 14:44       ` Ulrich Mueller
@ 2023-04-10 14:46         ` lux
  0 siblings, 0 replies; 10+ messages in thread
From: lux @ 2023-04-10 14:46 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: Eli Zaretskii, Troy Hinckley, emacs-devel, stefankangas

On Mon, 2023-04-10 at 16:44 +0200, Ulrich Mueller wrote:
> > > > > > On Mon, 10 Apr 2023, lux  wrote:
> 
> > From b58b35322b8142fa22f99624adfc024098e6040c Mon Sep 17 00:00:00
> > 2001
> > From: Xi Lu <lx@shellcodes.org>
> > Date: Mon, 10 Apr 2023 22:26:53 +0800
> > Subject: [PATCH] Fix CVE-2023-27985 and CVE-2023-27986.
> 
> Please don't misrepresent authorship of commits, even when squashing
> several of them (namely, d32091199ae5, 3c1693d08b0a, and
> c8ec0017cb96).

I'm sorry, I didn't notice.





* Re: Emacs 28.3 Release
  2023-04-10 13:05 ` Emacs 28.3 Release Troy Hinckley
  2023-04-10 13:20   ` Eli Zaretskii
  2023-04-10 13:50   ` Po Lu
@ 2023-04-11  8:14   ` Jean Louis
  2023-04-12 15:37     ` Troy Hinckley
  2 siblings, 1 reply; 10+ messages in thread
From: Jean Louis @ 2023-04-11  8:14 UTC (permalink / raw)
  To: Troy Hinckley; +Cc: emacs-devel, Eli Zaretskii, Stefan Kangas

* Troy Hinckley <comms@dabrev.com> [2023-04-10 16:21]:
> Hi Emacs devs,
> I am asking again what we can do to complete the Emacs 28.3 release. My concern is that we have a narrow window in which this version will be viable. As it currently stands the latest stable release has a high severity CVE that prevents Emacs from being installed in security sensitive domains. 28.3 will resolve that and make the latest stable release usable. However, someone will inevitably find another CVE against Emacs. At that point 28.3 will no longer be useful. Given how hard it has been to get this release, I doubt there would be resources to add another security patch to Emacs 28.

Emacs has a built-in programming language. Programming languages are not
secure by default. Their purpose is to give programmers the freedom to
do what programmers want.

If the people on this mailing list decided to, they could file X number
of (not so) common vulnerabilities, though developers are constantly
improving Emacs, not making their reputation by "discovering security
holes". If the focus were on reporting common vulnerabilities, then
those reports would be as great as GNU Emacs bug reports.

This means that handling those one or few CVE reports related to Emacs
is only there for cosmetic purposes. It is for the fake image.

Handling a few of those CVEs, or removing reports, or closing those
reports, doesn't make Emacs secure for the "secure domains" you
mentioned.

It is as secure as people who are working with it.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/




* Re: Emacs 28.3 Release
  2023-04-11  8:14   ` Jean Louis
@ 2023-04-12 15:37     ` Troy Hinckley
  2023-04-12 16:31       ` lux
  0 siblings, 1 reply; 10+ messages in thread
From: Troy Hinckley @ 2023-04-12 15:37 UTC (permalink / raw)
  To: Jean Louis; +Cc: emacs-devel, Eli Zaretskii, Stefan Kangas


Everything you said is correct, Jean. But I work at one of the major tech companies in the US with over 100,000 engineers. I have tried to argue with IT about their policies, but as you can imagine it makes no difference. They see high-severity CVEs and won’t install it. And we are not the only company that has such policies. We have 1000s of Emacs users here who can’t use the latest stable Emacs until 28.3 comes out. I am really appreciative of the effort that has been put in so far to get this version of Emacs out. I hope we can make this release soon.
On Apr 11, 2023 at 3:14 AM -0500, Jean Louis <bugs@gnu.support>, wrote:
> * Troy Hinckley <comms@dabrev.com> [2023-04-10 16:21]:
> > Hi Emacs devs,
> > I am asking again what we can do to complete the Emacs 28.3 release. My concern is that we have a narrow window in which this version will be viable. As it currently stands the latest stable release has a high severity CVE that prevents Emacs from being installed in security sensitive domains. 28.3 will resolve that and make the latest stable release usable. However, someone will inevitably find another CVE against Emacs. At that point 28.3 will no longer be useful. Given how hard it has been to get this release, I doubt there would be resources to add another security patch to Emacs 28.
>
> Emacs has a built-in programming language. Programming languages are not
> secure by default. Their purpose is to give programmers the freedom to
> do what programmers want.
>
> If the people on this mailing list decided to, they could file X number
> of (not so) common vulnerabilities, though developers are constantly
> improving Emacs, not making their reputation by "discovering security
> holes". If the focus were on reporting common vulnerabilities, then
> those reports would be as great as GNU Emacs bug reports.
>
> This means that handling those one or few CVE reports related to Emacs
> is only there for cosmetic purposes. It is for the fake image.
>
> Handling a few of those CVEs, or removing reports, or closing those
> reports, doesn't make Emacs secure for the "secure domains" you
> mentioned.
>
> It is as secure as people who are working with it.
>
> --
> Jean
>
> Take action in Free Software Foundation campaigns:
> https://www.fsf.org/campaigns
>
> In support of Richard M. Stallman
> https://stallmansupport.org/



* Re: Emacs 28.3 Release
  2023-04-12 15:37     ` Troy Hinckley
@ 2023-04-12 16:31       ` lux
  2023-04-12 16:56         ` Corwin Brust
  0 siblings, 1 reply; 10+ messages in thread
From: lux @ 2023-04-12 16:31 UTC (permalink / raw)
  To: Troy Hinckley, Jean Louis; +Cc: emacs-devel, Eli Zaretskii, Stefan Kangas


On Wed, 2023-04-12 at 10:37 -0500, Troy Hinckley wrote:
> Everything you said is correct, Jean. But I work at one of the major
> tech companies in the US with over 100,000 engineers. I have tried to
> argue with IT about their policies, but as you can imagine it makes no
> difference. They see high-severity CVEs and won’t install it. And we
> are not the only company that has such policies. We have 1000s of
> Emacs users here who can’t use the latest stable Emacs until 28.3
> comes out. I am really appreciative of the effort that has been put
> in so far to get this version of Emacs out. I hope we can make this
> release soon.

Hi Troy

The main change in Emacs 28.3 is to fix known vulnerabilities. If it is
urgent, I think you could also compile Emacs 28.3 or Emacs 29 yourself?




* Re: Emacs 28.3 Release
  2023-04-12 16:31       ` lux
@ 2023-04-12 16:56         ` Corwin Brust
  0 siblings, 0 replies; 10+ messages in thread
From: Corwin Brust @ 2023-04-12 16:56 UTC (permalink / raw)
  To: lux; +Cc: Troy Hinckley, Jean Louis, emacs-devel, Eli Zaretskii,
	Stefan Kangas

Hi all,

On Wed, Apr 12, 2023 at 11:31 AM lux <lx@shellcodes.org> wrote:
>
> The main change in Emacs 28.3 is to fix known vulnerabilities. If it is urgent, I think you could also compile Emacs 28.3 or Emacs 29 yourself?
>


TL;DR:  Troy's request resonates with mine; this isn't something I'd
expect Troy can work around.

In heavily controlled computing offices (my experience is financial
services, specifically) it's usual to restrict access to install and
run compilers.  Even some of my devs who are using Visual Studio can't
run gcc.  (There are tools like Carbon Black that are used specifically
to detect users attempting to run unapproved software.)

Generally, in this type of environment, I'm able to get Emacs
available for download and use on "company-managed hardware" only by
providing a corp desktop support team with an installer.   That
installer is then used in a sandbox environment, various "security
scans" are run, and then (eventually, if we are lucky) the company's
internal software self-service catalog is updated to provide a
repackaged version of the vetted software.  Career-to-date, I've only
once had success at getting the desktop support team to actually
compile Emacs for me.  (It was a pre-release for Emacs 27.1, FTR.
That only worked because Emacs can build a Windows installer, which
that company required any internally distributed software to provide,
and because the engineer who picked up the ticket was into the idea of
playing around with GCC in the sandbox and had the ear of their boss:
this was well outside the normal duties for that team.)




end of thread

Thread overview: 10+ messages
     [not found] <f4b95933-46bd-4bcb-b9ca-ceed72b1c6ee@Spark>
2023-04-10 13:05 ` Emacs 28.3 Release Troy Hinckley
2023-04-10 13:20   ` Eli Zaretskii
2023-04-10 14:33     ` lux
2023-04-10 14:44       ` Ulrich Mueller
2023-04-10 14:46         ` lux
2023-04-10 13:50   ` Po Lu
2023-04-11  8:14   ` Jean Louis
2023-04-12 15:37     ` Troy Hinckley
2023-04-12 16:31       ` lux
2023-04-12 16:56         ` Corwin Brust

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git
