From: lux
Newsgroups: gmane.emacs.devel
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Fri, 17 Feb 2023 10:35:43 +0800
To: Lynn Winebarger, Troy Hinckley
Cc: Eli Zaretskii, emacs-devel@gnu.org

On Thu, 2023-02-16 at 20:44 -0500, Lynn Winebarger wrote:
> On Tue, Feb 14, 2023 at 12:06 PM Troy Hinckley wrote:
> >
> > If the commit was cherry picked to the emacs-28 branch, does that
> > mean it’s just unreleased changes for Emacs 28? We are building
> > from source, so that might be enough. I didn’t realize cutting a
> > release was high effort.
>
> FWIW, I suspect a lot of users get automated updates from their
> packager of choice, whether it's linux distro, Cygwin, MSYS2, or
> whatever.  If you look at their source packages, they routinely apply
> these kinds of changes as updates to older releases.  Even if you
> don't use that packager, you can still use their source package for
> Emacs to get a version with the relevant security patches.

Most Linux distributions rely on public CVE information for security
updates. I fixed 4 vulnerabilities[1], but to date, only one
vulnerability has been assigned a CVE number (CVE-2022-45939), so most
Linux distributions have not fixed the other three vulnerabilities.

Depending on the distro security updates are only available for Linux,
BSD etc., while Windows users cannot update automatically.

[1] patches:

- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c