bug#66390: `man' allows to inject arbitrary shell code

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#66390: `man' allows to inject arbitrary shell code

From:	Eli Zaretskii
Subject:	bug#66390: `man' allows to inject arbitrary shell code
Date:	Mon, 09 Oct 2023 14:04:37 +0300

> From: Richard Stallman <rms@gnu.org>
> Cc: michael.albinus@gmx.de, manikulin@gmail.com, 66390@debbugs.gnu.org
> Date: Sun, 08 Oct 2023 22:36:39 -0400
> 
>   > We can do something, just not the way it was suggested: avoid using
>   > the shell.
> 
> I wonder: do we need to backport this fix to old Emacs versions that we
> do not normally maintainn at all, because of the insecurity?

We don't retrofit fixes into old branches of Emacs that are no longer
developed; we leave that to the distros (who maintain old Emacs
versions for many more years than we do).  At this time, this means
only Emacs 29.x and newer can get such fixes, but not older versions.

(Btw, there's no fix yet, just discussions about what would be the
most appropriate fix.)

[Prev in Thread]

Current Thread

[Next in Thread]

bug#66390: `man' allows to inject arbitrary shell code, (continued)

Prev by Date: bug#66375: 30.0.50; (error "Maximum buffer size exceeded") from (insert-file-contents "/dev/null")
Next by Date: bug#66416: 29.1; Crashes when visiting HELLO file with pgtk on Wayland
Previous by thread: bug#66390: `man' allows to inject arbitrary shell code
Next by thread: bug#66390: `man' allows to inject arbitrary shell code
Index(es):
- Date
- Thread