From: lux
Newsgroups: gmane.emacs.devel
Subject: Re: Structurally fixing command injection bugs
Date: Wed, 22 Feb 2023 20:05:27 +0800
To: Vasilij Schneidermann
Cc: emacs-devel@gnu.org

On Wed, 2023-02-22 at 11:34 +0100, Vasilij Schneidermann wrote:
> On 02/22/23 at 06:20pm, lux wrote:
> > > PS: Where should I report analogous misuse of
> > > `shell-command-to-string`?  I cannot submit patches currently
> > > because I've changed employers and need to renew copyright
> > > assignment, again (that would be the third time already).
> >
> > You can send to bug-gnu-emacs@gnu.org
>
> Yes, usually I'd just use M-x report-emacs-bug, but in this case it's
> different because I plan to develop proof of concept code (PoC) and
> submit it to the responsible maintainer for verifying the
> vulnerability and the fix. Publicly disclosing PoC code is usually
> frowned upon, no matter how trivial/exploitable the issue is.

At present, there is no better channel. I feel opening the PoCs is good
for developers to understand and fix the vulnerability and improve the
code security. Make the problem public instead of hiding it.

I also want to hear the thoughts of others.