emacs-tangents

Re: 2023-02-27 Emacs news


From: Jean Louis
Subject: Re: 2023-02-27 Emacs news
Date: Tue, 28 Feb 2023 07:04:49 +0300
User-agent: Mutt/2.2.9+54 (af2080d) (2022-11-21)

* Emanuel Berg <incal@dataswamp.org> [2023-02-28 06:26]:
> Maybe the Emacs community _is_ big, after all ...
> 
> > - Security:
> >     - [CVE-2022-48337: GNU Emacs through 28.2 allows attackers to execute 
> > commands via shell metacharacters in the name of a source-code file] 
> > (<https://security-tracker.debian.org/tracker/CVE-2022-48337>)
> >     - [CVE-2022-48338: In GNU Emacs through 28.2. In ruby-mode.el, the 
> > ruby-find-library-file function has a local command injection 
> > vulnerability.] 
> > (<https://security-tracker.debian.org/tracker/CVE-2022-48338>)
> >     - [CVE-2022-48339: Emacs <= 28.2: htmlfontify.el has a command 
> > injection vulnerability] 
> > (<https://security-tracker.debian.org/tracker/CVE-2022-48339>)
> >     - [Emacs 28.3 rc1 pretest is available, fixing CVE-2022-45939] 
> > (<https://www.reddit.com/r/emacs/comments/117mezb/emacs_283_rc1_pretest_is_available_fixing/>)

But... it is source, one can put anything inside like 
(shell-command "sudo rm -rf /")

Those "CVE" bugs are exaggerated.

Like this one:

https://security-tracker.debian.org/tracker/CVE-2022-48338
"malicious Ruby source files may cause commands to be executed"

But hey, any malicious source file may cause commands to be
executed. Some CVE bug reporters maybe enjoy finding "bugs" which are
obvious. Emacs is insecure in general.

--
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/



