From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Richard Stallman Newsgroups: gmane.emacs.devel Subject: Re: C file recoginzed as image file Date: Mon, 08 Jan 2007 00:32:55 -0500 Message-ID: References: Reply-To: rms@gnu.org NNTP-Posting-Host: lo.gmane.org Content-Type: text/plain; charset=ISO-8859-15 X-Trace: sea.gmane.org 1168234522 21840 80.91.229.12 (8 Jan 2007 05:35:22 GMT) X-Complaints-To: usenet@sea.gmane.org NNTP-Posting-Date: Mon, 8 Jan 2007 05:35:22 +0000 (UTC) Cc: c.a.rendle@gmail.com, emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Jan 08 06:35:20 2007 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([199.232.76.165]) by lo.gmane.org with esmtp (Exim 4.50) id 1H3nAD-0005bY-5F for ged-emacs-devel@m.gmane.org; Mon, 08 Jan 2007 06:35:17 +0100 Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1H3nAC-0000sw-Hq for ged-emacs-devel@m.gmane.org; Mon, 08 Jan 2007 00:35:16 -0500 Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1H3n8O-0007pR-Fl for emacs-devel@gnu.org; Mon, 08 Jan 2007 00:33:24 -0500 Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1H3n8N-0007o5-4g for emacs-devel@gnu.org; Mon, 08 Jan 2007 00:33:23 -0500 Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1H3n8M-0007nj-Mh for emacs-devel@gnu.org; Mon, 08 Jan 2007 00:33:22 -0500 Original-Received: from [199.232.76.164] (helo=fencepost.gnu.org) by monty-python.gnu.org with esmtp (Exim 4.52) id 1H3n8M-0000dh-Cf for emacs-devel@gnu.org; Mon, 08 Jan 2007 00:33:22 -0500 Original-Received: from rms by fencepost.gnu.org with local (Exim 4.60) (envelope-from ) id 1H3n7v-0003xJ-7p; Mon, 08 Jan 2007 00:32:55 -0500 Original-To: Chris Moore In-reply-to: (message from Chris Moore on Sun, 07 Jan 2007 10:21:34 +0100) X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:64955 Archived-At: > It would never have occurred to me to have doubts about opening a > JPG file. I am sure the same is true of many Emacs users. If we > believe that having Emacs display JPG files as images is dangerous, > we had better make sure Emacs NEVER does so by default. Maybe the JPG libraries are safe and always have been, I don't know. That isn't the point. I mentioned JPG specifically in my message because I responded to someone else that specifically mentioned JPG. It would be the same for any other image type. It would never have occurred to me to have doubts about opening an image file in Emacs. ANY type of image file. I am sure the same is true of many Emacs users. But all it takes is for ONE of the image libraries which Emacs uses to be exploitable and you're finished. If we believe that having Emacs display some kind of image files as images is dangerous, we had better make sure Emacs doesn't display them as images until the user asks for that and has seen the file text. How significant this danger is in the Emacs context depends on a number of things. I am not sure whether the danger is enough to matter. But if it is, the only adequate protection is NEVER to display such images as images by default. The solution you and others are proposing, to display the image as an image only when the file name extension matches the image type, is inadequate to avoid the problem. You might feel suspicion when you see an extension such as .jpg, .gif, or .png, but lots of users, such as me, would not. Checking the file type would not protect us. If someone wanted to send us a JPG with a virus, he could call the file something.jpg, and bypass this test. Suppose that's an unpatched vulnerability in the tiff library. All the attacker needs to do is rename his virus.tiff file to virus.jpg and send it to you. If there is some sort of vulnerability in the tiff library, I will not know about it. I do not hear about such things. The way I look at an attachment is to get it in an Emacs buffer. Then I save it with M-x write-region. If it is a JPG, I expect to see PFIF or EXIF in a certain place. If I see it there, I save the file as foo.jpg. If the attachment was labeled ".jpg" and the contents look like a tiff file instead of a jpg, I might get suspicious. However, if it looks like tiff and the file name is ".tiff", I would not get suspicious. Thus, the only way to protect me from a vulnerability in the tiff library is if Emacs does not open tiff files as images by default. Substitute any other type of image file for "tiff" and the same conclusion follows.