emacs-devel

Re: Request to backport fix for CVE-2022-45939 to Emacs 28


From: lux
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Fri, 17 Feb 2023 10:35:43 +0800
User-agent: Evolution 3.46.3 (3.46.3-1.fc37)

On Thu, 2023-02-16 at 20:44 -0500, Lynn Winebarger wrote:
> On Tue, Feb 14, 2023 at 12:06 PM Troy Hinckley <comms@dabrev.com>
> wrote:
> > 
> > If the commit was cherry picked to the emacs-28 branch, does that
> > mean it’s just unreleased changes for Emacs 28? We are building
> > from source, so that might be enough. I didn’t realize cutting a
> > release was high effort.
> 
> FWIW, I suspect a lot of users get automated updates from their
> packager of choice, whether it's linux distro, Cygwin, MSYS2, or
> whatever.  If you look at their source packages, they routinely apply
> these kinds of changes as updates to older releases.  Even if you
> don't use that packager, you can still use their source package for
> Emacs to get a version with the relevant security patches.

Most Linux distributions rely on public CVE information for security
updates. I fixed 4 vulnerabilities[1], but to date, only one
vulnerability has been assigned a CVE number (CVE-2022-45939), so most
Linux distributions have not fixed the other three vulnerabilities.

Depending on the distro, security updates are only available for Linux,
BSD, etc., while Windows users cannot update automatically.


[1] patches:
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c





