From: Chris Moore
Newsgroups: gmane.emacs.devel
Subject: Re: C file recoginzed as image file
Date: Wed, 10 Jan 2007 00:24:00 +0100
To: rms@gnu.org
Cc: lekktu@gmail.com, emacs-devel@gnu.org, monnier@iro.umontreal.ca, c.a.rendle@gmail.com

Richard Stallman writes:

> There are two different possible ways to exploit such a bug:
>
> 1. Ways that operate directly on the file system, for which it
> makes no difference from which program the library is run.

This is the way that would almost certainly be used.

> If the virus works in the former way, it could do the same harm if you
> display the image with qiv.

Imagine that 'image' is called mymode.txt. I would never think of
displaying it with qiv. As far as I know, it's a text file, so I open
it in Emacs. I might open it in vi (but that wouldn't display it as an
image) or maybe gedit (and that wouldn't, either). I might use 'less'
or 'cat' (if it was little). They would both be safe, too.

Emacs is the only program I know which both:

  * I would consider using to open a .txt file and
  * would display it as an image without warning if it was a
    disguised image file.

Incidentally, I hadn't heard of qiv before, but I just installed it to
see how it works. It refuses to display images which are disguised as
.txt files:

  chris@trpaslik:/tmp$ qiv foo.jpg
  [image displays]
  chris@trpaslik:/tmp$ cp foo.jpg foo.txt
  chris@trpaslik:/tmp$ qiv foo.txt
  qiv: cannot load any images.
  qiv (Quick Image Viewer) v2.0
  Usage: qiv [options] files ...
  See 'man qiv' or type 'qiv --help' for options.
  chris@trpaslik:/tmp$

This is sensible behaviour. Displaying foo.txt as an image without
warning the user first isn't sensible, IMHO.

> Protecting Emacs would be like stuffing insulation in the crack
> under the door while the window is wide open. Such exploits have to
> be blocked, and avoided, in the libraries concerned.

They are being. Maybe the image libraries are all perfectly secure
now. But just as we are still finding new bugs in Emacs after 30
years, I really don't think we've seen the last image library
vulnerability yet.

> 1. Validate the image data before calling the library (or better, in
> the library).

The libraries do take steps to validate the image data, but since they
are written and maintained by human beings, they are prone to contain
errors.

> 2. Have Emacs run the library in a separate program rather than in
> its own address space.

This reduces the Emacs case to the qiv case. I don't think we need to
worry about specific attacks against Emacs.

> It is not clear to me what the answer to that question is. It is
> about the magnitude of X/Y where X and Y are both getting large.

When I used to run Windows, I ran a virus scanner. It would scan every
executable file before writing it to disk and before running it, and
every few days it would scan around 200,000 files on my hard disk. I
ran it for over a year. In all that time it only found and blocked one
virus.

In this case X/Y is 1/30,000,000 or so. Was it worth wasting all that
time scanning 29,999,999 clean files to prevent just one virus being
installed?

What price is the average user willing to pay to prevent having their
keypresses logged and transferred to a stranger, or to prevent their
Internet banking details being stolen?
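
Added example (not part of the original message, and not Emacs or qiv code): a Python version of the open policy argued for above, in which a file whose leading bytes say "image" but whose name does not reaches the image decoder only after the user confirms. The signature table, the extension table, the function names and the sample header bytes are assumptions constructed for illustration.

```python
import os

# Well-known leading-byte signatures for three common image formats.
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that legitimately name each format (assumed policy table).
IMAGE_EXTS = {"jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "gif": {".gif"}}

# Constructed sample: the first bytes of a JFIF-style JPEG file.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def sniff_image_type(header: bytes):
    """Return the image format the leading bytes claim, or None."""
    for fmt, signatures in IMAGE_MAGIC.items():
        if any(header.startswith(sig) for sig in signatures):
            return fmt
    return None


def open_policy(filename: str, header: bytes) -> str:
    """Decide how to open a file from its name and its first bytes.

    "image"   - name and content agree: pass to the image decoder
    "text"    - content is not a known image: open as text
    "confirm" - content is an image but the name says otherwise:
                ask the user first, show as text if declined
    """
    fmt = sniff_image_type(header)
    if fmt is None:
        return "text"
    ext = os.path.splitext(filename)[1].lower()
    return "image" if ext in IMAGE_EXTS[fmt] else "confirm"


def policy_for_path(path: str) -> str:
    """Apply open_policy to a file on disk, reading only its header."""
    with open(path, "rb") as fh:
        return open_policy(path, fh.read(16))


if __name__ == "__main__":
    for name in ("foo.jpg", "foo.txt", "mymode.txt"):
        print(name, "->", open_policy(name, JPEG_HEADER))
```

With this policy foo.jpg is decoded as before, while the same bytes copied to foo.txt produce a prompt instead of a silent call into the image library.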