From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Yuri Khan Newsgroups: gmane.emacs.tangents Subject: Re: 2023-02-27 Emacs news Date: Wed, 1 Mar 2023 01:56:36 +0700 Message-ID: References: <87ilfmprt2.fsf@sachachua.com> <87sfeqshwf.fsf@dataswamp.org> <88a8d27c-1eb3-b0f0-8929-027bbd024822@yandex.ru> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="5323"; mail-complaints-to="usenet@ciao.gmane.io" Cc: Jean Louis , emacs-tangents@gnu.org To: Dmitry Gutov Original-X-From: emacs-tangents-bounces+get-emacs-tangents=m.gmane-mx.org@gnu.org Tue Feb 28 19:57:11 2023 Return-path: Envelope-to: get-emacs-tangents@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pX59y-00019O-6K for get-emacs-tangents@m.gmane-mx.org; Tue, 28 Feb 2023 19:57:10 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pX59h-00029n-6H; Tue, 28 Feb 2023 13:56:53 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pX59f-00029f-G2 for emacs-tangents@gnu.org; Tue, 28 Feb 2023 13:56:51 -0500 Original-Received: from mail-wm1-x334.google.com ([2a00:1450:4864:20::334]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pX59d-0008EE-U6 for emacs-tangents@gnu.org; Tue, 28 Feb 2023 13:56:51 -0500 Original-Received: by mail-wm1-x334.google.com with SMTP id p16so7102114wmq.5 for ; Tue, 28 Feb 2023 10:56:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=B9hflqd1/lLjp7Z+ckhgyd5cbrDHFrWXDrg14xwcThI=; b=TdXpHUNZOkoZrtiOQN5JBKSZd36mqAIdL/VlmxYGq6JdI8N++QoROMMKKnH/wpxCFS mNoZf3T6BexZYWuer13+SyncNDqgS7Pw6ygXJUDSuu5CvAt1iJ1UKE02RYOCoW+Lzr4I Wx6Mq05nJBMkvrlVz1kCuY5E0QrR223ccmDdk+dEKdl1/egOH9fnpDJ5ovUGEGHv9KOn FlpjI5LuZsyWrCyIb55/4zO2+r0dRMZi3ucA6P/h90aqnOMiJY8cqJdBWLs6GFmKH00j deUn4bL5rj4YXwUMNiN/pxukhcdNyves6Jxy6WuLDmE9yhlQswzpExsyVAuzUkXVb95z nN6w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=B9hflqd1/lLjp7Z+ckhgyd5cbrDHFrWXDrg14xwcThI=; b=A9XA0ICRBNcpCcvxEXdkbNe0lTOz8BnVsTC3CW3f80ZlG68yghFF0MzrQaVmgQThJt dUypCXUvx+2Q8tkqJw5VKsvupUrgznANbqsA9/35/uV4bgPXi6OXS693Cxc5rx+tHZq4 /9UnVevAVR63wyYmJ1o1DTg9V0xpTMsvWQIX/aY+OpK/4yvobTm1PNrFiLmsMyMktp9j t1mVwF5Y7yS9eIgVIo/iguxpQQGHqruE15OWdPFeK62yi8RDeqaXWlvgYvNJjKwfmS7/ FlpgmYf8XmBWK3zSnWiqnRtrSXMQK7r5TN8zSfytVOhwJZH3Uku7AkOCVvfAkZ7C4mCQ sKTw== X-Gm-Message-State: AO0yUKW4ju4nhIaLUt5kTUzjsixVDNk7KZ25d4mAIj7ICLsKWZ+Vh+js XXMUT8gnV5xiBDRSI6nqkQzDQ/xdI8hn5qkPx3cepphxrSnHCg== X-Google-Smtp-Source: AK7set9gklltARY4NHaskd8cvE0ArfklTyFk/UgQkGuS+EowNnsKTFVwBjCfIcM70D0IK8j3iODxJtFGaPqtoWnXtlA= X-Received: by 2002:a05:600c:9:b0:3eb:38b0:e741 with SMTP id g9-20020a05600c000900b003eb38b0e741mr1139284wmc.0.1677610607445; Tue, 28 Feb 2023 10:56:47 -0800 (PST) In-Reply-To: <88a8d27c-1eb3-b0f0-8929-027bbd024822@yandex.ru> Received-SPF: pass client-ip=2a00:1450:4864:20::334; envelope-from=yurivkhan@gmail.com; helo=mail-wm1-x334.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-tangents@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Emacs news and miscellaneous discussions outside the scope of other Emacs mailing lists List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-tangents-bounces+get-emacs-tangents=m.gmane-mx.org@gnu.org Original-Sender: emacs-tangents-bounces+get-emacs-tangents=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.tangents:995 Archived-At: On Wed, 1 Mar 2023 at 01:08, Dmitry Gutov wrote: > > On 28/02/2023 16:05, Yuri Khan wrote: > > If you open a malicious source file in an editor, you don=E2=80=99t exp= ect it > > to execute any code written within, surely not before you press the > > Run key. If opening a file for editing trashes your home directory, > > it=E2=80=99s a bug and a vulnerability. If opening a file for editing c= auses > > personal information to be sent outside, it=E2=80=99s a bug and a > > vulnerability. > > Neither of that happened with the linked "vulnerability", though. > > It only worked if you pressed "C-c C-f" on a line that contained > something like > > require '; rm -rf ~' (ruby-find-library-file &optional FEATURE-NAME) Visit a library file denoted by FEATURE-NAME. FEATURE-NAME is a relative file name, file extension is optional. [=E2=80=A6] When called interactively, defaults to the feature name in the =E2=80=98require=E2= =80=99 or =E2=80=98gem=E2=80=99 statement around point. So it=E2=80=99s not an auto-pwn but rather user-assisted, as in, *if* the attacker can convince you to visit a malicious source file *and* do a navigation command on a dangerously-looking import, *then* you=E2=80=99re pwned? That significantly reduces the severity in my book.