[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Request to backport fix for CVE-2022-45939 to Emacs 28
From: |
Robert Pluim |
Subject: |
Re: Request to backport fix for CVE-2022-45939 to Emacs 28 |
Date: |
Wed, 15 Feb 2023 09:32:04 +0100 |
>>>>> On Wed, 15 Feb 2023 07:10:58 +1100, Tim Cross <theophilusx@gmail.com>
>>>>> said:
Tim> Eli Zaretskii <eliz@gnu.org> writes:
>>> From: lux <lx@shellcodes.org>
>>> Cc: emacs-devel@gnu.org
>>> Date: Tue, 14 Feb 2023 13:07:44 +0800
>>>
>>> Hi, I can fix the CVE-2022-45939, this is a patch.
>>
>> We don't need a patch for that, we just need to cherry-pick the
>> related commits from emacs-29.
>>
>> But that is not what the OP requested: he requested that we also
>> produce an Emacs 28.3 release. And that is a much larger job, for
>> which we currently don't have the time or resources.
Tim> While I understand the resourcing issues, I think this is the wrong
Tim> decision. We are in the situation where the current released version of
Tim> Emacs has a known security exploit with a severity classification of
Tim> high (although this assessment seems to be under review) and the
Tim> response seems to be "Sorry, we are too busy trying to get the next
Tim> version released to deal with this". If we were actually close to an
Tim> Emacs 29 release, then perhaps this would be reasonable, but we don't
Tim> even have a release candidate out yet.
The exploit is severe, in the sense that a car with faulty brakes is
dangerous: if you donʼt drive the car, there is no danger.
Uninstalling the emacs version of ctags/etags is enough to mitigate
this.
Tim> Failing to address a high security vulnerability for months is a
Tim> disservice for the emacs user base and likely to be a blight on Emacs'
Tim> reputation and only provides those against free software with free
Tim> ammunition. In addition to the technical aspects of a security
Tim> vulnerability, perception is just as important. While the specific
Tim> technical aspects of this vulnerability would seem to indicate only a
Tim> subset of etags users are actually exposed to this risk, such detail is
Tim> likely to be lost amongst the FUD which tends to accompany security
Tim> issues.
Yes, the FUD issue (and the associated hysteria from corporate IT
departments) is all too true (plus how many people run ctags or etags
as a privileged user?).
We *could* rush out a 28.3 release, I guess, given that thereʼs only
one actual non-doc change on the branch, but then again: how is that
any better than downstream just adding the CVE fix to their builds?
Robert
--
- Request to backport fix for CVE-2022-45939 to Emacs 28, Troy Hinckley, 2023/02/13
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Eli Zaretskii, 2023/02/13
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, lux, 2023/02/14
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Eli Zaretskii, 2023/02/14
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Troy Hinckley, 2023/02/14
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Eli Zaretskii, 2023/02/14
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Lynn Winebarger, 2023/02/16
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, lux, 2023/02/16
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Tim Cross, 2023/02/14
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28,
Robert Pluim <=
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Richard Stallman, 2023/02/17
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Eli Zaretskii, 2023/02/15
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Richard Stallman, 2023/02/16
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Eli Zaretskii, 2023/02/16
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Jim Porter, 2023/02/16
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Eli Zaretskii, 2023/02/16
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Stefan Kangas, 2023/02/17
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Robert Pluim, 2023/02/17
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Eli Zaretskii, 2023/02/17
- Re: Request to backport fix for CVE-2022-45939 to Emacs 28, Stefan Kangas, 2023/02/17