From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Gregory Heytings Newsgroups: gmane.emacs.devel Subject: Re: Structurally fixing command injection bugs Date: Wed, 22 Feb 2023 12:57:12 +0000 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset=us-ascii Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="31098"; mail-complaints-to="usenet@ciao.gmane.io" Cc: lux , emacs-devel@gnu.org To: Vasilij Schneidermann Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Feb 22 13:58:04 2023 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pUoh9-0007rG-PU for ged-emacs-devel@m.gmane-mx.org; Wed, 22 Feb 2023 13:58:03 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pUogR-0003LJ-SB; Wed, 22 Feb 2023 07:57:19 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pUogQ-0003KS-8Q for emacs-devel@gnu.org; Wed, 22 Feb 2023 07:57:18 -0500 Original-Received: from heytings.org ([95.142.160.155]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pUogO-0005Qt-FT for emacs-devel@gnu.org; Wed, 22 Feb 2023 07:57:17 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heytings.org; s=20220101; t=1677070632; bh=w+B7skVw2+xBa5EnQE/W4sEGhxS0PjCm645/kaP5AGI=; h=Date:From:To:cc:Subject:In-Reply-To:Message-ID:References:From; b=NygDKRzANAZ7vMKChvR+Se9Akboj+M1zkE6iP/ghduyKIe9K8ukSNLK3/UWEEJMp9 KhNNa7iXNBmbtwr3tGOEj6zWtLYP4j32Nkkb3SZhoIQFVLX8FqzLxKhRizo5R8bnef 7Yj5W9ykWlMyo+t0pYgovq3zrRaejl9ui1MbLfIS2lPQi/uE4BuUFUfDtWFVMESKH2 vv6hfzd4FfzUgiUPzYWMWW5yGf5fHhq30EK2/5xngf0cfORWF3WIh51OqGksDr6EgH X9Obj1nGTEv7uZ18P5Co63LoHfIfvE1zPrye3VboriV/DmfSenkraFICgwGXrSSPC2 tNq4wkoVcBTTQ== In-Reply-To: Received-SPF: pass client-ip=95.142.160.155; envelope-from=gregory@heytings.org; helo=heytings.org X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:303677 Archived-At: > > I plan to develop proof of concept code (PoC) and submit it to the > responsible maintainer for verifying the vulnerability and the fix. > Publicly disclosing PoC code is usually frowned upon, no matter how > trivial/exploitable the issue is. > If you're unsure what to do, you can always send a private mail to the two head maintainers: Eli Zaretskii and Lars Ingebrigtsen .