From: Reiner Steib <4.uce.03.r.s@nurfuerspam.de>
Cc: emacs-devel@gnu.org
Subject: Re: Possible problem with Gnus
Date: Tue, 11 May 2004 18:07:29 +0200	[thread overview]
Message-ID: <v9pt9b9cce.fsf@marauder.physik.uni-ulm.de> (raw)
In-Reply-To: E1BNWHg-000844-Cs@fencepost.gnu.org

[ The following message is a courtesy copy of an article that has
  been posted to news:gmane.emacs.devel as well. ]

On Tue, May 11 2004, Richard Stallman wrote:

> We have to pay attention to an issue of how Gnus and other Emacs mail
> readers treat MIME attachments.
>
> Windows viruses often spread in attachments for Word.  We have to make
> sure that attachments don't become a method for spreading viruses in
> Emacs.  Some kinds of attachments run applications that perhaps can be
> assumed safe, such as a gif displayer.  But attachments that run more
> complex attachments, such as a browser that might execute programs
> given it, have to be treated as unsafe.

I agree with Stefan and David that Gnus is pretty safe in this
respect.

> How does a Gnus user specify to display an attachment?

For types that cannot be displayed inline in Emacs, a button is created,
e.g. "[4. application/pdf; foo.pdf]".  To display the attachment, the
user has to press RET or mouse-2 on this button.

The viewer used to display the attachment is usually determined by
parsing the mailcap file(s), if present.  Additionally, Gnus has an
internal list of viewers, see `mailcap-mime-data' in `mailcap.el'[1].
Those viewers are designed to be as safe as possible.  Quoting from
the emacs-mime manual[2] (from Gnus 5.10):

  "When you launch an attachment through mailcap an attempt is made to
  use a safe viewer with the safest options--this isn't the case if
  you save it to disk and launch it in a different way (command line
  or double-clicking)."

E.g. xdvi is launched as "xdvi -safer %s".

> Does the user do this for one specific attachment, or for all the
> attachments in one message?

It is customizable based on the MIME type, i.e. different types of
attachment are treated differently.

> Does Gnus ever display attachments in a message without a specific
> direct user request for that message?

By default, only types that can be displayed inline in Emacs are
displayed automatically, i.e. without a specific user request.
But the user can also change this so that in principle, it can
become unsafe (but this risk is also present e.g. if the user sets
`enable-local-eval' to t).

AFAIK, you had a discussion with Florian Weimer about MIME security in
Gnus after your message[3] about "Windows viruses and GNU/Linux" on
gnu.announce.  As a result of discussing this issue on the Gnus
list[4], I have installed a variable `mm-enable-external'[2] in Gnus
5.10.5.  Setting `mm-enable-external' to `nil' disables the use of
external programs through MIME completely.  But we decided not to do
this by default because using the programs from mailcap usually is
safer (as explained above and in [2]) than saving to file and
starting the viewer from the command line.

(A related variable, e.g. for uuencoded messages, is
`gnus-article-emulate-mime'[5].)

Bye, Reiner.

[1] (info "(emacs-mime)mailcap")

[2]
,----[ (info "(emacs-mime)Display Customization") ]
| `mm-enable-external'
|      Indicate whether external MIME handlers should be used.
| 
|      If `t', all defined external MIME handlers are used.  If `nil',
|      files are saved to disk (`mailcap-save-binary-file').  If it is
|      the symbol `ask', you are prompted before the external MIME
|      handler is invoked.
| 
|      When you launch an attachment through mailcap (*note mailcap::) an
|      attempt is made to use a safe viewer with the safest options--this
|      isn't the case if you save it to disk and launch it in a different
|      way (command line or double-clicking).  Anyhow, if you want to be
|      sure not to launch any external programs, set this variable to
|      `nil' or `ask'.
`----

[3]
,----[ <news:mailman.944.1061837187.29551.info-gnu@gnu.org> ]
| From: Richard Stallman <rms@gnu.org>
| Subject: Windows viruses and GNU/Linux
| Newsgroups: gnu.announce
| To: info-gnu@gnu.org
| Date: Sun, 24 Aug 2003 23:30:22 -0400
`----

[4] <URL:http://thread.gmane.org/gmane.emacs.gnus.general/54091>

,----[ <news:20030928161139.GA31465@deneb.enyo.de> ]
| From: Florian Weimer <fw@deneb.enyo.de>
| Subject: Disable mailcap support
| Newsgroups: gmane.emacs.gnus.general
| Date: Sun Sep 28 18:11:39 2003 +0200
| Original-To: ding@gnus.org
`----

[5]
,----[ (info "(gnus)MIME Commands") ]
| `gnus-article-emulate-mime'
|      There are other, non-MIME encoding methods used.  The most common
|      is `uuencode', but yEncode is also getting to be popular.  If this
|      variable is non-`nil', Gnus will look in message bodies to see if
|      it finds these encodings, and if so, it'll run them through the
|      Gnus MIME machinery.  The default is `t'.
`----
-- 
       ,,,
      (o o)
---ooO-(_)-Ooo--- PGP key available via WWW   http://rsteib.home.pages.de/
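The settings discussed in the message above, as an added configuration example that is not part of Reiner's post or of Gnus itself. It uses only the variables the message names (`mm-enable-external', `gnus-article-emulate-mime') and their documented values; the helper `my-gnus-show-viewer' and the use of `mailcap-mime-info' to look up the viewer are this example's own assumptions.

```elisp
;; Added example (not from the message above): a hardened Gnus MIME
;; configuration for ~/.gnus.el, using only the variables named there.

;; Default in Gnus 5.10.5: external mailcap viewers are launched
;; without confirmation when the user activates an attachment button.
;; (setq mm-enable-external t)

;; Hardened: prompt before any external MIME handler is invoked, so an
;; unexpected viewer (e.g. a browser that might run content it is given)
;; never starts silently.  Use nil to never launch an external program
;; at all; the part is then saved to disk via `mailcap-save-binary-file'.
(setq mm-enable-external 'ask)

;; Related knob from the message: when non-nil (the default), Gnus scans
;; message bodies for uuencode/yEnc data and feeds hits into the same
;; MIME machinery, i.e. into the same viewer selection as above.  Set it
;; to nil if you never expect such non-MIME encodings.
(setq gnus-article-emulate-mime t)

;; Defender's check: see which viewer command mailcap/Gnus would pick for
;; a MIME type before trusting it (e.g. expect "xdvi -safer %s" for
;; application/x-dvi).  Assumption: `mailcap-mime-info' from mailcap.el
;; takes the type string and returns the matching viewer entry.
(defun my-gnus-show-viewer (type)
  "Show the viewer that mailcap/Gnus would use for MIME TYPE."
  (interactive "sMIME type: ")
  (require 'mailcap)
  (message "%s -> %S" type (mailcap-mime-info type)))
```

Evaluate `M-x my-gnus-show-viewer RET application/pdf RET' to confirm that the entry comes from `mailcap-mime-data' or your mailcap file with the options you expect; `ask' is the middle ground the message describes, since it keeps the safer mailcap invocation while still requiring an explicit confirmation per part.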
