Re: Request to backport fix for CVE-2022-45939 to Emacs 28

[Robert Pluim <rpluim@gmail.com>]

>>>>> On Wed, 15 Feb 2023 07:10:58 +1100, Tim Cross <theophilusx@gmail.com> said:

    Tim> Eli Zaretskii <eliz@gnu.org> writes:

    >>> From: lux <lx@shellcodes.org>
    >>> Cc: emacs-devel@gnu.org
    >>> Date: Tue, 14 Feb 2023 13:07:44 +0800
    >>> 
    >>> Hi, I can fix the CVE-2022-45939, this is a patch.
    >> 
    >> We don't need a patch for that, we just need to cherry-pick the
    >> related commits from emacs-29.
    >> 
    >> But that is not what the OP requested: he requested that we also
    >> produce an Emacs 28.3 release.  And that is a much larger job, for
    >> which we currently don't have the time or resources.

    Tim> While I understand the resourcing issues, I think this is the wrong
    Tim> decision. We are in the situation where the current released version of
    Tim> Emacs has a known security exploit with a severity classification of
    Tim> high (although this assessment seems to be under review) and the
    Tim> response seems to be "Sorry, we are too busy trying to get the next
    Tim> version released to deal with this". If we were actually close to an
    Tim> Emacs 29 release, then perhaps this would be reasonable, but we don't
    Tim> even have a release candidate out yet.

The exploit is severe, in the sense that a car with faulty brakes is
dangerous: if you donʼt drive the car, there is no danger.
Uninstalling the emacs version of ctags/etags is enough to mitigate
this.

    Tim> Failing to address a high security vulnerability for months is a
    Tim> disservice for the emacs user base and likely to be a blight on Emacs'
    Tim> reputation and only provides those against free software with free
    Tim> ammunition. In addition to the technical aspects of a security
    Tim> vulnerability, perception is just as important. While the specific
    Tim> technical aspects of this vulnerability would seem to indicate only a
    Tim> subset of etags users are actually exposed to this risk, such detail is
    Tim> likely to be lost amongst the FUD which tends to accompany security
    Tim> issues. 

Yes, the FUD issue (and the associated hysteria from corporate IT
departments) is all too true (plus how many people run ctags or etags
as a privileged user?).

We *could* rush out a 28.3 release, I guess, given that thereʼs only
one actual non-doc change on the branch, but then again: how is that
any better than downstream just adding the CVE fix to their builds?

Robert
--