From: Yuri Khan
Newsgroups: gmane.emacs.tangents
Subject: Re: 2023-02-27 Emacs news
Date: Tue, 28 Feb 2023 21:05:33 +0700
To: Jean Louis
Cc: emacs-tangents@gnu.org

On Tue, 28 Feb 2023 at 18:51, Jean Louis wrote:

> But... it is source, one can put anything inside like
> (shell-command "sudo rm -rf /")
>
> Those "CVE" bugs are exaggerated.
>
> Like this one:
>
> https://security-tracker.debian.org/tracker/CVE-2022-48338
> "malicious Ruby source files may cause commands to be executed"
>
> But hey, any malicious source file may cause commands to be
> executed.

It is a question of expectations.

If you execute a malicious source file as a script, sure, you expect
it to be executed and you are ready for any damage it causes. There is
no vulnerability except in your own head.

If you open a malicious source file in an editor, you don’t expect it
to execute any code written within, surely not before you press the
Run key. If opening a file for editing trashes your home directory,
it’s a bug and a vulnerability. If opening a file for editing causes
personal information to be sent outside, it’s a bug and a
vulnerability.