From: Philipp Stephani
Newsgroups: gmane.emacs.help
Subject: Re: eval and security
Date: Mon, 24 Oct 2016 18:50:19 +0000
References: <20161024123151.GB10964@tuxteam.de>
To: tomas@tuxteam.de, help-gnu-emacs@gnu.org

wrote on Mon, 24 Oct 2016 at 14:32:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, Oct 24, 2016 at 02:20:44PM +0200, Andreas Röhler wrote:
> > Hi,
> >
> > remember a saying like "avoid calls like (eval 'my-symbol) in
> > lisp-code" as related to security issues.
> >
> > Is there some reading to learn more? Maybe I'm mistaking something?
>
> Perhaps because a randomly downloaded package can redefine 'my-symbol
> to be something evil?
>

Randomly downloaded packages can just say
(eval-when-compile (shell-command "rm -rf /"))
No need to override symbols to do something evil.
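
An added example, not part of Philipp Stephani's message: a review aid in Emacs Lisp that only `read`s a package's source and lists the top-level forms that would run at byte-compile or load time, which is the point the reply makes about `eval-when-compile`. The function and variable names and the list of flagged calls are assumptions chosen for illustration, and the sample source is constructed.

```elisp
;; Added example: names and the flagged-call list are assumptions.
(defvar audit-compile-time-heads
  '(eval-when-compile eval-and-compile cl-eval-when)
  "Top-level heads whose bodies the byte compiler may evaluate.")

(defvar audit-flagged-calls
  '(shell-command call-process start-process make-process delete-file
    delete-directory url-retrieve eval load)
  "Calls a reviewer should look at first (not exhaustive).")

(defun audit--calls (form)
  "Return the flagged symbols in call position anywhere inside FORM."
  (let (found)
    (when (consp form)
      (when (memq (car form) audit-flagged-calls)
        (push (car form) found))
      (while (consp form)               ; also copes with dotted lists
        (setq found (append found (audit--calls (car form))))
        (setq form (cdr form))))
    (delete-dups found)))

(defun audit-top-level-forms (source)
  "Read each top-level form in string SOURCE without evaluating it.
Return findings (KIND HEAD CALLS): KIND is `compile-time' for forms the
byte compiler evaluates, `load-time' for other non-definition forms
that contain a flagged call and so run when the file is loaded."
  (with-temp-buffer
    (insert source)
    (goto-char (point-min))
    (let (findings)
      (condition-case nil
          (while t
            (let* ((form (read (current-buffer)))
                   (head (car-safe form))
                   (calls (audit--calls form)))
              (cond ((memq head audit-compile-time-heads)
                     (push (list 'compile-time head calls) findings))
                    ((and calls
                          (not (memq head '(defun defmacro defsubst cl-defun))))
                     (push (list 'load-time head calls) findings)))))
        (end-of-file nil))              ; `read' signals this at end of input
      (nreverse findings))))

;; Constructed package source: it is read as data, never evaluated.
(defconst audit-sample
  "(eval-when-compile (shell-command \"echo compiled\"))
(defun pkg-hello () (shell-command \"echo hi\"))
(delete-file \"/tmp/example\")")

(message "%S" (audit-top-level-forms audit-sample))
```

A static listing like this is easy to evade through macros or indirection, so it tells a reviewer where to look first, not that a package is safe to compile or load.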