* Security advisory?
@ 2007-06-22 20:25 Chong Yidong
2007-06-22 20:46 ` Glenn Morris
2007-06-22 22:17 ` Security advisory? Thien-Thi Nguyen
0 siblings, 2 replies; 4+ messages in thread
From: Chong Yidong @ 2007-06-22 20:25 UTC (permalink / raw)
To: emacs-devel
I notice that Mandriva has announced a security advisory for Emacs
21.4, because "a vulnerability in emacs was discovered where it would
crash when processing certain types of images." This bug is being
files as a DoS (denial of service) vulnerability:
http://www.securityfocus.com/archive/1/471992/30/0/threaded
Does anyone know what the heck this is about?
Over the course of the Emacs 22 release cycle, we have accumulated
literally hundreds of ways to crash Emacs 21.4, some more esoteric
than others. These are fixed in Emacs 22, not Emacs 21, so if anyone
wanted to, he or she could go through the emacs-devel archives for the
last couple of years, locate these crasher bugs, and file hundreds of
these "security advisories". So it seems peculiar for this vendor to
single out one particular bug.
IMO, calling a bug that causes Emacs to crash a "denial of service
vulnerability" is little more than a silly example of
computer-security imperialism.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Security advisory?
2007-06-22 20:25 Security advisory? Chong Yidong
@ 2007-06-22 20:46 ` Glenn Morris
2007-06-23 16:44 ` Automatic display of images (was: Security advisory?) Reiner Steib
2007-06-22 22:17 ` Security advisory? Thien-Thi Nguyen
1 sibling, 1 reply; 4+ messages in thread
From: Glenn Morris @ 2007-06-22 20:46 UTC (permalink / raw)
To: Chong Yidong; +Cc: emacs-devel
Chong Yidong wrote:
> http://www.securityfocus.com/archive/1/471992/30/0/threaded
>
> Does anyone know what the heck this is about?
It links to a debian bug report, which is more informative:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=408929
I think they call it a "denial of service" because it occurred in the
VM mail reader (not part of Emacs, of course), when viewing a spam
mail with a malformed image. So someone could email you an image that
would crash Emacs. I don't know if gnus, rmail, or mh-e automatically
display images; I suspect not.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Security advisory?
2007-06-22 20:25 Security advisory? Chong Yidong
2007-06-22 20:46 ` Glenn Morris
@ 2007-06-22 22:17 ` Thien-Thi Nguyen
1 sibling, 0 replies; 4+ messages in thread
From: Thien-Thi Nguyen @ 2007-06-22 22:17 UTC (permalink / raw)
To: Chong Yidong; +Cc: emacs-devel
() Chong Yidong <cyd@stupidchicken.com>
() Fri, 22 Jun 2007 16:25:45 -0400
a silly example of
computer-security imperialism.
don't you mean "computer-security imperilism"? :-P
(i agree about it being silly, regardless.)
thi
^ permalink raw reply [flat|nested] 4+ messages in thread
* Automatic display of images (was: Security advisory?)
2007-06-22 20:46 ` Glenn Morris
@ 2007-06-23 16:44 ` Reiner Steib
0 siblings, 0 replies; 4+ messages in thread
From: Reiner Steib @ 2007-06-23 16:44 UTC (permalink / raw)
To: emacs-devel
On Fri, Jun 22 2007, Glenn Morris wrote:
> I think they call it a "denial of service" because it occurred in the
> VM mail reader (not part of Emacs, of course), when viewing a spam
> mail with a malformed image. So someone could email you an image that
> would crash Emacs. I don't know if gnus, rmail, or mh-e automatically
> display images; I suspect not.
Gnus does display images automatically. But we have been through this
discussion before in February in the thread "Image mode"...
,----[ http://article.gmane.org/gmane.emacs.devel/66004 ]
| From: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
| Subject: Re: Image mode
| Newsgroups: gmane.emacs.devel
| Date: 2007-02-06 10:53:50 GMT
|
| Richard Stallman <rms <at> gnu.org> writes:
|
| > In contrast, if someone sends me a JPEG image in an email, Gnus
| > will happily show it to me without asking (at least with the
| > settings I'm using). So where's the protection in that case?
| >
| > Should we consider that a bug in Gnus?
| > (I don't know what the answer is.)
|
| Switching image display off in a mail reader is like switching it off
| in a web browser. Does Firefox query the user before displaying an
| image? "Warning! The web page you're browsing contains an image!
| Image libraries are sometimes prone to buffer overflows! Do you
| really wish to expose yourself to this danger!!1!?"
|
| Warning users about something that's almost certainly not dangerous is
| a huge security risk in itself, because you're inuring the users to
| warnings. The user will answer "Yeah, whatever" when being bothered
| with these things, and then when Emacs asks the user "Are you sure you
| wish to do an rm -rf?" (or whatever the genuinely dangerous thing it
| is), they won't bother to read the warning.
`----
Richard replied:
,----
| From: Richard Stallman <rms <at> gnu.org>
| Subject: Re: Image mode
| Newsgroups: gmane.emacs.devel
| Date: 2007-02-06 23:16:17 GMT
|
| Switching image display off in a mail reader is like switching it off
| in a web browser. Does Firefox query the user before displaying an
| image? "Warning! The web page you're browsing contains an image!
| Image libraries are sometimes prone to buffer overflows! Do you
| really wish to expose yourself to this danger!!1!?"
|
| If this argument is valid for Gnus, it seems just as valid for
| visiting a file directly with Emacs.
|
| To the extent that image libraries have bugs, there will be some level
| of danger in viewing images with Emacs. That danger will obtain
| regardless of whether the image files have expected image extensions.
| It doesn't go away just because the JPG is in a file called foo.jpg.
|
| Lars' argument seems to show that we just have to live with it.
`----
Bye, Reiner.
--
,,,
(o o)
---ooO-(_)-Ooo--- | PGP key available | http://rsteib.home.pages.de/
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-06-23 16:44 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-06-22 20:25 Security advisory? Chong Yidong
2007-06-22 20:46 ` Glenn Morris
2007-06-23 16:44 ` Automatic display of images (was: Security advisory?) Reiner Steib
2007-06-22 22:17 ` Security advisory? Thien-Thi Nguyen
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.