Stephen J. Turnbull wrote:
> The thing is that there are scads of ways that random evil can invade
> your Emacs. ftp://random.evil.com/lisp-pkg.tar.el, .emacs.desktop,
> ~user/.emacs, C-c C-c in many modes, and I'm sure there are others.

Yes, but are those comparable to the EDE vulnerability? The
announcement said

  Hiroshi Oota discovered that Emacs incorrectly handled search
  paths. If a user were tricked into opening a file with Emacs, a
  local attacker could execute arbitrary Lisp code with the privileges
  of the user invoking the program. (CVE-2012-0035)

I'd hope that just visiting a random evil file would be safe, assuming a
default configuration for things like local variables. (I'm assuming
this is an accurate description of the attack vector. I haven't studied
the patch or EDE enough to say for sure. And my apologies for not
quoting the above paragraph earlier.)

> Heck, AFAIK nobody has ever done a serious review of the code in EDE
> itself.

Okay, but that's not an argument against patching vulnerabilities when
they are discovered.
mike