From mboxrd@z Thu Jan 1 00:00:00 1970
From: Glenn Morris
Newsgroups: gmane.emacs.bugs
Subject: bug#24489: efaq: security risks
Date: Tue, 20 Sep 2016 18:48:06 -0400
Message-ID: <7ca8f2ur15.fsf@fencepost.gnu.org>
To: 24489@debbugs.gnu.org

Package: emacs
Severity: minor
Tags: security
Version: 25.1

The (very crufty) Emacs FAQ contains a section:
"Are there any security risks in Emacs?"

The stuff about movemail and synthetic X events is archaic.
There is no mention of the more current problems:

1) installing a package runs arbitrary code
   Better make sure you trust whoever gave you that package (gpg signing)
   and how you got it (https), etc.

2) using an Emacs mail client to view HTML mail is a security risk if
   remote content is fetched (I think it isn't by default, but this might
   not apply to every client)

3) viewing remote HTML content (e.g. with eww or xwidgets) is likewise a
   potential security risk.
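
The three items in the report above can be checked against a running session's settings. The following Emacs Lisp is an added example, not part of the original message or of Emacs; the `efaq-audit-` function names and the sample archive list are hypothetical, while the inspected options (`package-archives`, `package-check-signature`, `shr-inhibit-images`, `shr-blocked-images`) are standard Emacs variables.

```elisp
;;; Added example, not from the bug report.  The `efaq-audit-' names are
;;; hypothetical; the variables inspected are standard Emacs options.
(require 'package)   ; package-archives, package-check-signature
(require 'shr)       ; HTML renderer used by eww and by HTML mail display

(defun efaq-audit-plain-http-archives (archives)
  "Return the entries of ARCHIVES whose location is a plain http:// URL.
ARCHIVES has the shape of `package-archives': a list of (NAME . LOCATION)."
  (let (bad)
    (dolist (entry archives (nreverse bad))
      (when (string-prefix-p "http://" (cdr entry))
        (push entry bad)))))

(defun efaq-audit-findings ()
  "Return a list of strings, one per risky setting in this session."
  (let (findings)
    ;; Item 1: installing a package runs its code, so check how archives
    ;; are reached and whether signatures are required.
    (dolist (entry (efaq-audit-plain-http-archives package-archives))
      (push (format "archive %s uses plain http: %s" (car entry) (cdr entry))
            findings))
    (when (memq package-check-signature '(nil allow-unsigned))
      (push (format "package-check-signature is %S: unsigned packages are accepted"
                    package-check-signature)
            findings))
    ;; Items 2 and 3: shr fetches images named in the HTML unless one of
    ;; these options restricts it.
    (unless (or shr-inhibit-images shr-blocked-images)
      (push "shr-inhibit-images and shr-blocked-images are both nil: remote images are not restricted"
            findings))
    (nreverse findings)))

;; Constructed sample input: one https archive and one plain-http archive.
(let ((package-archives '(("gnu" . "https://elpa.gnu.org/packages/")
                          ("example" . "http://elpa.example.invalid/packages/")))
      (package-check-signature 'allow-unsigned)
      (shr-inhibit-images nil)
      (shr-blocked-images nil))
  (dolist (line (efaq-audit-findings))
    (message "%s" line)))
```

Mail clients may bind their own image-blocking options around the shr call, so the last check describes the global shr settings only.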