From mboxrd@z Thu Jan 1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Jean Louis
Newsgroups: gmane.emacs.help
Subject: Re: Need information regarding Emacs application
Date: Sat, 10 Feb 2024 13:31:38 +0300
To: Anders Munch
Cc: Srinivasan Santhanam, help-gnu-emacs@gnu.org, Alec Gordon, Sridhar Peddapelli
User-Agent: Mutt/2.2.10+64 (b470a9a) (2023-06-05)
List-Id: Users list for the GNU Emacs text editor
Xref: news.gmane.io gmane.emacs.help:145900

* Anders Munch [2024-02-09 18:19]:
> Srinivasan Santhanam wrote:
> > Could you please confirm whether there are any vulnerabilities identified with the latest 29.2 version.
>
> https://www.opencve.io/cve?vendor=gnu&product=emacs

I would not agree that those CVE reports are appropriate to Emacs. Let us review a few examples:

> CVE-2023-2491 2 Gnu, Redhat 5 Emacs, Enterprise Linux, Enterprise Linux Eus and 2 more 2023-12-10 N/A 7.8 HIGH
> A flaw was found in the Emacs text editor. Processing a specially
> crafted org-mode code with the "org-babel-execute:latex" function in
> ob-latex.el can result in arbitrary command execution. This CVE exists
> because of a CVE-2023-28617 security regression for the emacs package
> in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.

We have to consider that Emacs has a built-in programming language. All parts of Emacs can be replaced, or loaded from not only system files but also private files.
If any attacking user has access to the file system, then such user can provide a custom "Org" library or any other library and can impose on the victim user for that library to do whatever they want.

"A specially crafted key stroke combination can result in arbitrary command execution" -- this is also true, so one could file an unlimited number of such nonsensical CVE reports, and I invite people to do that until group cognition comes into place on how little it makes sense.

"A specially crafted shell script can result in arbitrary command execution" -- please think along those lines.

When I keep reading those CVE reports, the more I read, the more it looks like it only serves some business purposes, not real security.

Emacs is a programmable editor. Any person who has access to Emacs on a computer is free to do whatever system privileges allow to that user. And any attacker can send arbitrary files to a victim and impose on the victim to execute such files. All that does not mean it is a "security issue" and especially not that it is something to be worried about.

All bugs are reported by M-x report-emacs-bug and are handled basically promptly. In that sense, Emacs with its professional developers and millions of users is a far more secure system than those less known editors.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
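Editor's added example, not part of Jean Louis's message nor code shipped by Emacs or Org: the CVE-2023-2491 text quoted above concerns org-babel evaluating source blocks from an Org file. Org already asks before evaluating a block when `org-confirm-babel-evaluate' is t (its default); the snippet below turns that blanket prompt into an explicit allow-list in the user's init file, so that blocks in languages such as latex or shell always prompt and trusted languages still prompt when the body reaches for a subprocess. The names `my/org-babel-trusted-languages' and `my/org-confirm-babel-evaluate', and the chosen allow-list, are assumptions made for this example.

```elisp
;; Added example (not from the thread): explicit org-babel evaluation policy.
;; Org's default `org-confirm-babel-evaluate' = t prompts before evaluating
;; any source block; this variant expresses the policy as an allow-list.

(require 'org)

(defvar my/org-babel-trusted-languages '("emacs-lisp" "python")
  "Languages whose source blocks may be evaluated without a prompt.
Hypothetical allow-list chosen for this example; adjust to taste.")

(defun my/org-confirm-babel-evaluate (lang body)
  "Return non-nil when evaluating a LANG block with BODY needs confirmation.
Blocks in languages outside the allow-list (latex, shell, ...) always
prompt.  Allow-listed languages still prompt when BODY appears to spawn
a subprocess, so a file from an untrusted source cannot silently run
commands through a \"trusted\" language."
  (or (not (member lang my/org-babel-trusted-languages))
      (string-match-p
       (rx (or "shell-command" "call-process" "start-process"
               "subprocess" "os.system"))
       body)))

;; Org calls this function with the language and body of each block and
;; shows its usual y-or-n prompt whenever it returns non-nil.
(setq org-confirm-babel-evaluate #'my/org-confirm-babel-evaluate)

;; Do not run babel code as a side effect of exporting a document.
(setq org-export-use-babel nil)
```

Usage: place the block in init.el; opening an Org file from someone else and pressing C-c C-c on a `#+begin_src latex' block will then prompt before anything is executed, while your own emacs-lisp scratch blocks run without the question.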