From: Robert Pluim
Newsgroups: gmane.emacs.devel
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Wed, 15 Feb 2023 09:32:04 +0100
Message-ID: <87edqrpbwb.fsf@gmail.com>
References: <85f35c42-cfe8-44a7-a9c1-307acc5c17d4@Spark> <09998122-0110-454f-94d1-e29c37b833f4@Spark> <83sff9e1is.fsf@gnu.org> <838rh0e64j.fsf@gnu.org> <86ttzougu2.fsf@gmail.com>
In-Reply-To: <86ttzougu2.fsf@gmail.com> (Tim Cross's message of "Wed, 15 Feb 2023 07:10:58 +1100")
To: Tim Cross
Cc: Eli Zaretskii, lux, comms@dabrev.com, emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:303297

>>>>> On Wed, 15 Feb 2023 07:10:58 +1100, Tim Cross said:

    Tim> Eli Zaretskii writes:
    >>> From: lux
    >>> Cc: emacs-devel@gnu.org
    >>> Date: Tue, 14 Feb 2023 13:07:44 +0800
    >>>
    >>> Hi, I can fix the CVE-2022-45939, this is a patch.
    >>
    >> We don't need a patch for that, we just need to cherry-pick the
    >> related commits from emacs-29.
    >>
    >> But that is not what the OP requested: he requested that we also
    >> produce an Emacs 28.3 release. And that is a much larger job, for
    >> which we currently don't have the time or resources.

    Tim> While I understand the resourcing issues, I think this is the wrong
    Tim> decision. We are in the situation where the current released version of
    Tim> Emacs has a known security exploit with a severity classification of
    Tim> high (although this assessment seems to be under review) and the
    Tim> response seems to be "Sorry, we are too busy trying to get the next
    Tim> version released to deal with this". If we were actually close to an
    Tim> Emacs 29 release, then perhaps this would be reasonable, but we don't
    Tim> even have a release candidate out yet.

The exploit is severe, in the sense that a car with faulty brakes is
dangerous: if you donʼt drive the car, there is no danger. Uninstalling
the emacs version of ctags/etags is enough to mitigate this.

    Tim> Failing to address a high security vulnerability for months is a
    Tim> disservice for the emacs user base and likely to be a blight on Emacs'
    Tim> reputation and only provides those against free software with free
    Tim> ammunition. In addition to the technical aspects of a security
    Tim> vulnerability, perception is just as important. While the specific
    Tim> technical aspects of this vulnerability would seem to indicate only a
    Tim> subset of etags users are actually exposed to this risk, such detail is
    Tim> likely to be lost amongst the FUD which tends to accompany security
    Tim> issues.

Yes, the FUD issue (and the associated hysteria from corporate IT
departments) is all too true (plus how many people run ctags or etags
as a privileged user?). We *could* rush out a 28.3 release, I guess,
given that thereʼs only one actual non-doc change on the branch, but
then again: how is that any better than downstream just adding the CVE
fix to their builds?

Robert

-- 