From: Stefan Kangas <stefan@marxist.se>
To: Glenn Morris <rgm@gnu.org>
Cc: 24489@debbugs.gnu.org
Subject: bug#24489: efaq: security risks
Date: Tue, 11 Aug 2020 18:38:12 -0700
Message-ID: <CADwFkmkA5ddNYRckbOkReiEtN_KqJHg_KO=VTVvMEydJuRn+zw@mail.gmail.com>
In-Reply-To: <7ca8f2ur15.fsf@fencepost.gnu.org> (Glenn Morris's message of "Tue, 20 Sep 2016 18:48:06 -0400")

Glenn Morris <rgm@gnu.org> writes:

> The (very crufty) Emacs FAQ contains a section:
>
>    "Are there any security risks in Emacs?"
>
> The stuff about movemail and synthetic X events is archaic.

The movemail stuff was removed in 61223a046c (Bug#37818).

What do you think we should do about synthetic X events?

> There is no mention of the more current problems:
>
> 1) installing a package runs arbitrary code
> Better make sure you trust whoever gave you that package (gpg signing)
> and how you got it (https), etc.

This was added in the same commit 61223a046c.

> 2) using an Emacs mail client to view HTML mail is a security risk if remote
> content is fetched (I think it isn't by default, but this might not
> apply to every client)

Is it important to warn about this privacy issue here?  I would expect
that any sensible Emacs MUA would disable remote fetching by default,
and document the issues with enabling it.

> 3) viewing remote HTML content (eg with eww or xwidgets) is likewise a
> potential security risk.

True, but isn't this a bit too general to be useful in the context of
the FAQ?

Best regards,
Stefan Kangas
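As an added illustration of points 1 and 2 from the quoted list (this is not code from the thread or from the Emacs FAQ), the following init-file fragment places the weak setting beside the hardened one. The variable names are real Emacs variables from package.el and mm-decode.el; the archive URL is the default GNU ELPA address; whether a given MUA honours the mm-decode variables is assumed here for Gnus only.

```elisp
;; Added example (not from the bug thread): init-file settings for the
;; two concrete risks discussed above.

;; --- Point 1: installing a package runs arbitrary code ---
;; Weak: a plain-http archive and no signature checking.  Anyone on the
;; path can swap the archive contents, and nothing verifies who signed it.
;; (setq package-archives '(("gnu" . "http://elpa.gnu.org/packages/")))
;; (setq package-check-signature nil)

;; Hardened: fetch over https only, and refuse to install a package
;; unless the archive index and the package itself are signed by a key
;; in `package-gnupghome-dir'.  The GNU ELPA key ships with Emacs and can
;; be (re)imported with `package-import-keyring'.
(setq package-archives
      '(("gnu" . "https://elpa.gnu.org/packages/")))
(setq package-check-signature 'all)

;; --- Point 2: remote content in HTML mail (Gnus / mm-decode) ---
;; Weak: let the renderer fetch images from any remote host, which tells
;; the sender when and from where the message was opened.
;; (setq mm-html-blocked-images nil)

;; Hardened: block every remote image URL (this is the default value);
;; cid: images embedded in the message itself are still shown.
(setq mm-html-blocked-images ".")
;; Or do not render inline images at all:
;; (setq mm-html-inhibit-images t)
```

`package-check-signature` accepts nil, `allow-unsigned`, t and `all`; `all` is the strict choice because it also rejects packages that carry no signature at all, rather than only packages whose signature fails.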

Thread overview:
2016-09-20 22:48 bug#24489: efaq: security risks Glenn Morris
2016-09-20 22:53 ` Lars Ingebrigtsen
2016-09-21 21:26 ` Richard Stallman
2016-09-22 10:56   ` Ted Zlatanov
2016-09-23 20:38     ` Richard Stallman
2016-09-24  2:45       ` Ted Zlatanov
2016-09-25 17:15         ` Richard Stallman
2020-08-12  1:38 ` Stefan Kangas [this message]
2022-01-29 16:51   ` Lars Ingebrigtsen