all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Need information regarding Emacs application
@ 2024-02-09  8:51 Srinivasan Santhanam via Users list for the GNU Emacs text editor
  2024-02-09 15:12 ` Anders Munch
  0 siblings, 1 reply; 5+ messages in thread
From: Srinivasan Santhanam via Users list for the GNU Emacs text editor @ 2024-02-09  8:51 UTC (permalink / raw)
  To: help-gnu-emacs@gnu.org; +Cc: Alec Gordon, Sridhar Peddapelli

Hi team,

I am sending this email regarding Emacs application.

Could you please confirm whether there are any vulnerabilities identified with the latest 29.2 version.

Additionally, could you provide support with this for example security patches where issues may be identified in the future?

Thanks in advance for your support.
Regards,
Srinivasan S



^ permalink raw reply	[flat|nested] 5+ messages in thread

* RE: Need information regarding Emacs application
  2024-02-09  8:51 Need information regarding Emacs application Srinivasan Santhanam via Users list for the GNU Emacs text editor
@ 2024-02-09 15:12 ` Anders Munch
  2024-02-10 10:31   ` Jean Louis
  0 siblings, 1 reply; 5+ messages in thread
From: Anders Munch @ 2024-02-09 15:12 UTC (permalink / raw)
  To: Srinivasan Santhanam, help-gnu-emacs@gnu.org
  Cc: Alec Gordon, Sridhar Peddapelli

Srinivasan Santhanam wrote:
> Could you please confirm whether there are any vulnerabilities identified with the latest 29.2 version.

https://www.opencve.io/cve?vendor=gnu&product=emacs

regards, Anders




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Need information regarding Emacs application
  2024-02-09 15:12 ` Anders Munch
@ 2024-02-10 10:31   ` Jean Louis
  2024-02-10 11:07     ` Thibaut Verron
  2024-02-12 10:35     ` Anders Munch
  0 siblings, 2 replies; 5+ messages in thread
From: Jean Louis @ 2024-02-10 10:31 UTC (permalink / raw)
  To: Anders Munch
  Cc: Srinivasan Santhanam, help-gnu-emacs@gnu.org, Alec Gordon,
	Sridhar Peddapelli

* Anders Munch <ajm@flonidan.dk> [2024-02-09 18:19]:
> Srinivasan Santhanam wrote:
> > Could you please confirm whether there are any vulnerabilities identified with the latest 29.2 version.
> 
> https://www.opencve.io/cve?vendor=gnu&product=emacs

I would not agree that those CVE reports are propriate to Emacs. 

Let us review few examples:

> CVE-2023-2491 	2 Gnu, Redhat 	5 Emacs, Enterprise Linux, Enterprise Linux Eus and 2 more 	2023-12-10 	N/A 	7.8 HIGH
> A flaw was found in the Emacs text editor. Processing a specially
> crafted org-mode code with the "org-babel-execute:latex" function in
> ob-latex.el can result in arbitrary command execution. This CVE exists
> because of a CVE-2023-28617 security regression for the emacs package
> in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.

We have to consider that Emacs has a built-in programming
language. All parts of Emacs can be replaced, or loaded from not only
system files but also private files.

If any attacking user has access to file system, than such user can
provide custom "Org" library or any other library and can impose on
the victim user for that library to do whatever they want.

"A specially crafted key stroke combination can result inn arbitrary
command execution" -- this is also true, so one could file unlimited
number of such non-sensical CVE reports, and I invite people to do
that until group cognition come to place how little it makes sense.

"A specially crafted shell script can result in arbitrary command
execution" -- please think along those lines.

When I keep reading those CVE reports, the more I read, the more it
looks like it only serves some business purposes, not the real
security.

Emacs is programmable editor. Any person who has access to Emacs on
computer is free to do whatever system privileges allow to that
user. And any attacker can send arbitrary files to victim and impose
on the victim to execute such files. 

All that does not mean it is "security issue" and especially not that
it is something to be worried about.

All bugs are reported by M-x report-emacs-bug and are handled
basically promptly. In that sense, Emacs with its professional
developers and millions of users is far more secure system than those
less known editors.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Need information regarding Emacs application
  2024-02-10 10:31   ` Jean Louis
@ 2024-02-10 11:07     ` Thibaut Verron
  2024-02-12 10:35     ` Anders Munch
  1 sibling, 0 replies; 5+ messages in thread
From: Thibaut Verron @ 2024-02-10 11:07 UTC (permalink / raw)
  To: Anders Munch, Srinivasan Santhanam, help-gnu-emacs, Alec Gordon,
	Sridhar Peddapelli

On Sat 10 Feb 2024, 11:33 Jean Louis, <bugs@gnu.support> wrote:

> * Anders Munch <ajm@flonidan.dk> [2024-02-09 18:19]:
> > Srinivasan Santhanam wrote:
> > > Could you please confirm whether there are any vulnerabilities
> identified with the latest 29.2 version.
> >
> > https://www.opencve.io/cve?vendor=gnu&product=emacs
>
> I would not agree that those CVE reports are propriate to Emacs.
>
> Let us review few examples:
>
> > CVE-2023-2491         2 Gnu, Redhat   5 Emacs, Enterprise Linux,
> Enterprise Linux Eus and 2 more      2023-12-10      N/A     7.8 HIGH
> > A flaw was found in the Emacs text editor. Processing a specially
> > crafted org-mode code with the "org-babel-execute:latex" function in
> > ob-latex.el can result in arbitrary command execution. This CVE exists
> > because of a CVE-2023-28617 security regression for the emacs package
> > in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.
>
> We have to consider that Emacs has a built-in programming
> language. All parts of Emacs can be replaced, or loaded from not only
> system files but also private files.
>
> If any attacking user has access to file system, than such user can
> provide custom "Org" library or any other library and can impose on
> the victim user for that library to do whatever they want.
>

This one could point to an actual vulnerability, given that LaTeX by
default does not allow evaluating arbitrary code on the system.

A user can be wary about elisp and e.g. python snippets, yet trust that
LaTeX code should be safe.

I don't see why you bring compromised libraries into the mix, afaik
ob-latex is distributed with org-mode. If I understand the summary
correctly, the attack only requires a .org file with a malicious "src
LaTeX" block, that's not full access to the file system.

Thibaut


^ permalink raw reply	[flat|nested] 5+ messages in thread

* RE: Need information regarding Emacs application
  2024-02-10 10:31   ` Jean Louis
  2024-02-10 11:07     ` Thibaut Verron
@ 2024-02-12 10:35     ` Anders Munch
  1 sibling, 0 replies; 5+ messages in thread
From: Anders Munch @ 2024-02-12 10:35 UTC (permalink / raw)
  To: help-gnu-emacs

Jean Louis <bugs@gnu.support> wrote:
> When I keep reading those CVE reports, the more I read, the more it looks like it only serves some business purposes, not the real security.

CVEs vary in quality.  Even for the good CVEs, severity levels tend to be way inflated.
But when a for real serious vuln does occur, it will also end up on the CVE list.  So it's still a good thing to follow.

Srinivasan wanted to know how to be notified of future issues.  Subscribing to notifications about GNU Emacs on opencve.io is a way to do that.

regards, Anders


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-02-12 10:35 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-09  8:51 Need information regarding Emacs application Srinivasan Santhanam via Users list for the GNU Emacs text editor
2024-02-09 15:12 ` Anders Munch
2024-02-10 10:31   ` Jean Louis
2024-02-10 11:07     ` Thibaut Verron
2024-02-12 10:35     ` Anders Munch

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.