From: Reiner Steib <reinersteib+gmane@imap.cc>
Cc: Chris Moore <dooglus@gmail.com>,
c.a.rendle@gmail.com, emacs-devel@gnu.org
Subject: Re: C file recoginzed as image file
Date: Mon, 08 Jan 2007 15:05:11 +0100
Message-ID: <v9lkkdhaw8.fsf@marauder.physik.uni-ulm.de>
In-Reply-To: <E1H3n7v-0003xJ-7p@fencepost.gnu.org> (Richard Stallman's message of "Mon, 08 Jan 2007 00:32:55 -0500")
On Mon, Jan 08 2007, Richard Stallman wrote:
> How significant this danger is in the Emacs context depends on a
> number of things. I am not sure whether the danger is enough to
> matter. But if it is, the only adequate protection is NEVER to
> display such images as images by default.
IIUC, Emacs relies on the image libraries in the same way as Emacs
relies on zlib (or is it gzip?) to (un)compress *.gz files. I recall
vulnerabilities in both (e.g. zlib and libpng[1]) during the past
years. If you consider image libs as dangerous in general, you may
also think about all other libs linked to Emacs.
> The solution you and others are proposing, to display the image as an
> image only when the file name extension matches the image type, is
> inadequate to avoid the problem. You might feel suspicion when you
> see an extension such as .jpg, .gif, or .png, but lots of users, such
> as me, would not. Checking the file type would not protect us.
> If someone wanted to send us a JPG with a virus, he could call
> the file something.jpg, and bypass this test.
A user who has compiled Emacs _without_ JPEG support would not expect
to see something.jpg displayed as an image even if the content is PNG,
I think. And in case there's a vulnerability in libpng, he would not
expect to be in danger when opening something.jpg.
> If there is some sort of vulnerability in the tiff library, I will not
> know about it. I do not hear about such things.
For most GNU/Linux systems, the vulnerable image libraries will be
replaced by fixed versions via (automatic) online updates soon. If
there's a vulnerability in one of the image libraries it usually
affects dozens or hundreds of programs (or packages). E.g. on my
system, the image libraries used by Emacs (libpng, libjpeg, giflib,
libXpm) are used by more than 200 other packages. As the image libs
(at least libpng and libjpeg) are also used by most web browsers (such
as Mozilla Firefox), such vulnerabilities need to be fixed very fast
by the distributors (displaying images from untrusted sources in web
browsers is much more common[2] than opening them in Emacs).
Bye, Reiner.
[1]
,----[ rpm -q --changelog zlib | less +/secur ]
| * Wed Jul 20 2005 - meissner@...
| - Upgraded to 1.2.3. Security fix is now in mainline.
`----
,----[ rpm -q --changelog libpng | less +/secur ]
| * Mon Aug 16 2004 - nadvornik@...
| - updated to 1.2.6: included security fixes
`----
[2] "more common" in the sense of how many people use web browsers
vs. people who open images in Emacs.
--
,,,
(o o)
---ooO-(_)-Ooo--- | PGP key available | http://rsteib.home.pages.de/
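The display policy argued about in this message, written out as an added example (it is not Emacs code and not from anyone in the thread): sniff the content by magic bytes, require the sniffed type to agree with the file-name extension, and require the decoder for that type to be enabled in this build, so a .c file whose first line looks like an XPM header, or a something.jpg that is really a PNG, falls back to text. The function names, the `enabled_types` set and the sample inputs are assumptions for illustration.

```python
import os

# Magic-byte prefixes for the formats mentioned in the thread (real signatures).
# XPM is C source, which is exactly why a .c file can sniff as an image.
MAGIC = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",          # covers GIF87a and GIF89a
    "xpm":  b"/* XPM */",
}

# Which image type a given extension promises.
EXTENSIONS = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
              ".gif": "gif", ".xpm": "xpm"}


def sniff_image_type(data: bytes):
    """Return the image type whose magic prefix matches the data, or None."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def image_display_decision(filename: str, data: bytes, enabled_types: set):
    """Return (render_as_image, reason).

    enabled_types is the set of decoders compiled into this build
    (assumed to be known; e.g. a build without JPEG support lacks "jpeg").
    """
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    expected = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    if expected is None:
        return False, f"content looks like {sniffed} but extension is not an image extension"
    if expected != sniffed:
        return False, f"extension says {expected} but content is {sniffed}"
    if sniffed not in enabled_types:
        return False, f"{sniffed} support is not compiled in; showing as text"
    return True, f"render as {sniffed}"


# Constructed sample inputs: a C file with an XPM-looking header, a PNG named
# .jpg opened in a build without JPEG support, and an honest PNG.
PNG_STUB = MAGIC["png"] + b"\x00" * 16
NO_JPEG_BUILD = {"png", "gif", "xpm"}
if __name__ == "__main__":
    for name, data in [("foo.c", b"/* XPM */\nstatic char *x[] = {"),
                       ("something.jpg", PNG_STUB), ("picture.png", PNG_STUB)]:
        print(name, image_display_decision(name, data, NO_JPEG_BUILD))
```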