From: Jean Louis
Newsgroups: gmane.emacs.tangents
Subject: Re: 2023-02-27 Emacs news
Date: Tue, 28 Feb 2023 07:04:49 +0300
References: <87ilfmprt2.fsf@sachachua.com> <87sfeqshwf.fsf@dataswamp.org>
In-Reply-To: <87sfeqshwf.fsf@dataswamp.org>
To: emacs-tangents@gnu.org
User-Agent: Mutt/2.2.9+54 (af2080d) (2022-11-21)

* Emanuel Berg [2023-02-28 06:26]:
> Maybe the Emacs community _is_ big, after all ...
>
> > - Security:
> >   - [CVE-2022-48337: GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file] ()
> >   - [CVE-2022-48338: In GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability.] ()
> >   - [CVE-2022-48339: Emacs <= 28.2: htmlfontify.el has a command injection vulnerability] ()
> >   - [Emacs 28.3 rc1 pretest is available, fixing CVE-2022-45939] ()

But... it is source; one can put anything inside, like
(shell-command "sudo rm -rf /")

Those "CVE" bugs are exaggerated. Like this one:
https://security-tracker.debian.org/tracker/CVE-2022-48338

"malicious Ruby source files may cause commands to be executed"

But hey, any malicious source file may cause commands to be executed.

Some CVE bug reporters maybe enjoy finding "bugs" which are obvious.

Emacs is insecure in general.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
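The CVE descriptions quoted in the thread all turn on one mechanism: a file *name* (not file contents that somebody chose to evaluate) reaching a shell with its metacharacters intact. The following is an added example in Emacs Lisp, not code from the original post, from Emacs itself, or from any of the modes named in the CVEs. It builds a file whose name carries a shell command, then counts its lines three ways: by splicing the name into a shell string, by quoting it with `shell-quote-argument`, and by passing it as a single argv element through `call-process`. The `demo-` function names and the hostile file name are assumptions constructed for the demonstration.

```elisp
;;; Added example (not from the original post or from Emacs): a file NAME
;;; containing shell metacharacters runs a command when the name is spliced
;;; into a shell string, but not when it is quoted or passed as one argv
;;; element.  The demo-* names and the hostile file name are constructed
;;; for this demonstration.

(defun demo-unsafe-line-count (file)
  "Count lines in FILE by interpolating its name into a shell string.
A name such as \"x.rb; echo INJECTED\" runs the second command."
  (shell-command-to-string (concat "wc -l " file)))

(defun demo-quoted-line-count (file)
  "Same task, with the name escaped for the shell first."
  (shell-command-to-string (concat "wc -l " (shell-quote-argument file))))

(defun demo-argv-line-count (file)
  "Same task without a shell: FILE is one argv element of wc(1)."
  (with-temp-buffer
    (call-process "wc" nil t nil "-l" file)
    (buffer-string)))

(defun demo-run ()
  "Create a file with a hostile name and run the three variants on it.
Returns a list of the three outputs; only the first contains INJECTED
on its own line, because only the first let the shell parse the name."
  (let* ((dir (make-temp-file "demo" t))   ; fresh temporary directory
         (file (expand-file-name "x.rb; echo INJECTED" dir)))
    (unwind-protect
        (progn
          ;; The file's contents are harmless; only its name is hostile.
          (with-temp-file file (insert "puts 1\n"))
          (list (demo-unsafe-line-count file)
                (demo-quoted-line-count file)
                (demo-argv-line-count file)))
      (delete-directory dir t))))

;; Evaluate (demo-run) in *scratch*, or:
;;   emacs --batch -l this-file.el --eval '(print (demo-run))'
```

Note that the file is never evaluated or even visited as Ruby; its contents are a single harmless line. That is the distinction a reviewer would check before treating a report like this as "obvious": a source file that you choose to load can of course run anything, but a name that triggers a command merely by being indexed or searched is a different trust boundary. In Emacs Lisp the same audit reduces to looking for `shell-command`, `shell-command-to-string` or `start-process-shell-command` fed a `concat` or `format` of user-controlled strings, and replacing them with `call-process` or `process-file` argument lists, or at minimum `shell-quote-argument`.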