From: Chris Moore
Newsgroups: gmane.emacs.devel
Subject: Re: C file recoginzed as image file
Date: Tue, 09 Jan 2007 02:08:40 +0100
To: rms@gnu.org
Cc: lekktu@gmail.com, emacs-devel@gnu.org, monnier@iro.umontreal.ca, c.a.rendle@gmail.com

Richard Stallman writes:

> Your conclusion is based on two assumptions: that (1) there is a bug
> in a library and (2) the image file has a virus specifically designed
> to take advantage of this bug and cause trouble in Emacs.
>
> Assumption 1 may be true occasionally, but it will be false nearly
> all the time.

While it may be true that there are no publicly disclosed bugs in image libraries most of the time, I would question how likely it is that there are no undisclosed bugs in image libraries at any given point in time. It's quite possible that there's an exploitable bug in one of the image libraries which Emacs uses which has been there since the library was first created.

> Assumption 2 is not impossible, but we don't know that anyone will
> actually do it.

It's not necessary for the virus to be specific to Emacs. The bug can potentially be exploitable no matter which application the library is linked to.

> Please don't assume that the unlikely case is the only case.

I don't think it is particularly unlikely that it is possible to construct an image file which will cause Emacs to execute malicious code when the image is displayed. Most, and probably all, images on any given user's system are safe to display in Emacs, but shouldn't we guard against the time that they open that one specially crafted image which infects their system?