From: Richard Stallman
Reply-To: rms@gnu.org
To: Gerd Möllmann
Cc: emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It
Date: Thu, 05 Dec 2024 23:47:01 -0500
References: <878qswfya2.fsf@librehacker.com>
In-Reply-To: (message from Gerd Möllmann on Tue, 03 Dec 2024 20:20:04 +0100)
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:326110

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

This sounds like a grave problem that we had better correct ASAP.

Can we reproduce it? Can we see how it happens that Emacs evals code
that the user did not specifically say to eval?

Users writing Lisp code can cause any sort of vulnerability and it is
no use trying to prevent that. But I think we should make sure that no
use of advertised features will eval code that the user did
specifically say to eval.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)