From: Eli Zaretskii
Newsgroups: gmane.emacs.help
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Fri, 29 Sep 2017 12:48:39 +0300
Message-ID: <83poa996o8.fsf@gnu.org>
To: help-gnu-emacs@gnu.org
In-reply-to: (message from Glenn Morris on Mon, 25 Sep 2017 17:26:45 -0400)

> From: Glenn Morris
> Cc: help-gnu-emacs@gnu.org
> Date: Mon, 25 Sep 2017 17:26:45 -0400
>
> Eli Zaretskii wrote:
>
> > A file whose source you don't trust or are unfamiliar with should
> > initially be examined with find-file-literally, if your security is
> > indeed important for you. That emulates what most other text editors
> > do when you open a file.
>
> Wow. I find this an extraordinary statement. For example, it means
> that "emacs [-Q] somefile" could eg happily delete your home directory.

Unless you trust Emacs to have absolutely zero exploitable
vulnerabilities, including those not yet revealed, sure it could.
Although not "happily", which seems to be uncalled for.

And why is "-Q" part of this, anyway? The use case under
consideration is precisely that the user nonchalantly visits a file
from their _normal_ Emacs session. Using -Q already assumes some
unusual care, in which case find-file-literally is a more logical
measure.

> Please reconsider.

I don't see why I should. You seem to be misinterpreting what I wrote
in some strange direction, if what I wrote really bothers you.