From: Dmitry Gutov
Newsgroups: gmane.emacs.tangents
Subject: Re: 2023-02-27 Emacs news
Date: Tue, 28 Feb 2023 21:34:10 +0200
Message-ID: <18b496f7-f23c-67c0-8694-0a71af46848c@yandex.ru>
To: Yuri Khan
Cc: Jean Louis, emacs-tangents@gnu.org

On 28/02/2023 20:56, Yuri Khan wrote:
> On Wed, 1 Mar 2023 at 01:08, Dmitry Gutov wrote:
>> On 28/02/2023 16:05, Yuri Khan wrote:
>>> If you open a malicious source file in an editor, you don’t expect it
>>> to execute any code written within, surely not before you press the
>>> Run key. If opening a file for editing trashes your home directory,
>>> it’s a bug and a vulnerability. If opening a file for editing causes
>>> personal information to be sent outside, it’s a bug and a
>>> vulnerability.
>>
>> Neither of that happened with the linked "vulnerability", though.
>>
>> It only worked if you pressed "C-c C-f" on a line that contained
>> something like
>>
>> require '; rm -rf ~'
>
> (ruby-find-library-file &optional FEATURE-NAME)
>
> Visit a library file denoted by FEATURE-NAME.
> FEATURE-NAME is a relative file name, file extension is optional.
> […] When called
> interactively, defaults to the feature name in the ‘require’
> or ‘gem’ statement around point.
>
> So it’s not an auto-pwn but rather user-assisted, as in, *if* the
> attacker can convince you to visit a malicious source file *and* do a
> navigation command on a dangerously-looking import, *then* you’re
> pwned? That significantly reduces the severity in my book.

Right. The htmlfontify and etags vulns look a little more severe, though.
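
Added example, not part of the original message and not code from ruby-mode.el: the quoted `require` line is only dangerous if the feature name is pasted into a shell command line, so this sketch shows that construction beside two safer ones. It assumes the lookup runs `gem which`; every `my/` name and the allow-list pattern are hypothetical.

```elisp
;;; Added illustration. All my/ names are hypothetical, not Emacs APIs.
(require 'subr-x)

(defconst my/feature-name-re "\\`[[:alnum:]_][[:alnum:]_./-]*\\'"
  "Assumed allow-list for a Ruby feature name.
The first character may not be `-', so the name cannot be read as an option.")

(defun my/gem-which-unsafe-command (feature)
  "Return the command line built by plain concatenation of FEATURE.
Only returned as a string so the problem is visible; never executed here."
  (concat "gem which " feature))

(defun my/gem-which-quoted-command (feature)
  "Return the command line with FEATURE quoted as a single shell word."
  (concat "gem which " (shell-quote-argument feature)))

(defun my/gem-which (feature)
  "Return the path `gem which' prints for FEATURE, or nil on failure.
No shell is involved: FEATURE is passed to the program as one argv entry."
  (unless (string-match-p my/feature-name-re feature)
    (user-error "Refusing suspicious feature name: %S" feature))
  (with-temp-buffer
    (when (eq 0 (call-process "gem" nil t nil "which" feature))
      (string-trim (buffer-string)))))

;; Constructed input: the feature name from the line quoted in the thread.
(let ((feature "; rm -rf ~"))
  ;; Concatenation lets `;' end the intended command and start another.
  (message "unsafe: %s" (my/gem-which-unsafe-command feature))
  ;; Quoting keeps the whole name as one argument to `gem which'.
  (message "quoted: %s" (my/gem-which-quoted-command feature))
  ;; The argv-based lookup rejects the name before any process starts.
  (condition-case err
      (my/gem-which feature)
    (user-error (message "rejected: %s" (error-message-string err)))))
```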