From: Jean Louis <bugs@gnu.support>
To: emacs-tangents@gnu.org
Subject: Re: 2023-02-27 Emacs news
Date: Tue, 28 Feb 2023 07:04:49 +0300 [thread overview]
Message-ID: <Y/19YVF/xXNt40eg@protected.localdomain> (raw)
In-Reply-To: <87sfeqshwf.fsf@dataswamp.org>
* Emanuel Berg <incal@dataswamp.org> [2023-02-28 06:26]:
> Maybe the Emacs community _is_ big, after all ...
>
> > - Security:
> > - [CVE-2022-48337: GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file] (<https://security-tracker.debian.org/tracker/CVE-2022-48337>)
> > - [CVE-2022-48338: In GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability.] (<https://security-tracker.debian.org/tracker/CVE-2022-48338>)
> > - [CVE-2022-48339: Emacs <= 28.2: htmlfontify.el has a command injection vulnerability] (<https://security-tracker.debian.org/tracker/CVE-2022-48339>)
> > - [Emacs 28.3 rc1 pretest is available, fixing CVE-2022-45939] (<https://www.reddit.com/r/emacs/comments/117mezb/emacs_283_rc1_pretest_is_available_fixing/>)
But... it is source; one can put anything inside, like
(shell-command "sudo rm -rf /")
Those "CVE" bugs are exaggerated.
Like this one:
https://security-tracker.debian.org/tracker/CVE-2022-48338
"malicious Ruby source files may cause commands to be executed"
But hey, any malicious source file may cause commands to be
executed. Some CVE bug reporters may enjoy finding "bugs", which are
obvious. Emacs is insecure in general.
--
Jean
Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
In support of Richard M. Stallman
https://stallmansupport.org/
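The CVE entries quoted above describe commands being run when Emacs merely processes a file whose name contains shell metacharacters, which is a different situation from evaluating the file's contents. The following Emacs Lisp is an added illustration of that bug class and its mitigations; it is not code from Emacs, ruby-mode.el or htmlfontify.el, and the function names and the hostile file name are constructed for the example.

```elisp
;; Added example, not Emacs's own code.  The bug class in the quoted CVE
;; entries: a file NAME is spliced into a /bin/sh command line unquoted,
;; so metacharacters in the name become shell syntax.

(defun demo-unsafe-file-info (file)
  "UNSAFE: FILE is concatenated into a shell command string verbatim."
  (shell-command-to-string (concat "file " file)))

(defun demo-safe-file-info (file)
  "Safer: quote FILE for the shell so metacharacters stay literal."
  (shell-command-to-string (concat "file " (shell-quote-argument file))))

(defun demo-safest-file-info (file)
  "Safest: no shell at all; the program gets FILE as one argv element."
  (with-temp-buffer
    ;; call-process PROGRAM INFILE DESTINATION DISPLAY &rest ARGS
    (call-process "file" nil t nil "--" file)
    (buffer-string)))

;; Constructed hostile file name (does not need to exist on disk).
;; With the unsafe variant the shell sees two commands and runs `echo';
;; with the other two, `file' just reports it cannot open the odd name.
(let ((name "hello.rb; echo INJECTED"))
  (list (demo-unsafe-file-info name)
        (demo-safe-file-info name)
        (demo-safest-file-info name)))
```

Evaluating the `let' form in *scratch* shows the difference directly: only the first result contains the word INJECTED. The practical rule for reviewers is to grep for `concat' or `format' feeding `shell-command', `shell-command-to-string' or `start-process-shell-command' with a file name, and to prefer `call-process' / `start-process' with an argument list, falling back to `shell-quote-argument' only where a shell is genuinely required.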
Thread overview: 10+ messages
2023-02-28 0:16 2023-02-27 Emacs news Sacha Chua
2023-02-28 1:22 ` Emanuel Berg
2023-02-28 4:04 ` Jean Louis [this message]
2023-02-28 14:05 ` Yuri Khan
2023-02-28 18:08 ` Dmitry Gutov
2023-02-28 18:56 ` Yuri Khan
2023-02-28 19:34 ` Dmitry Gutov
2023-03-01 20:55 ` Emanuel Berg
2023-03-02 10:55 ` Pankaj Jangid
2023-03-03 19:11 ` Akib Azmain Turja