bug#24489: efaq: security risks
From: Stefan Kangas
Subject: bug#24489: efaq: security risks
Date: Tue, 11 Aug 2020 18:38:12 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

Glenn Morris <rgm@gnu.org> writes:

> The (very crufty) Emacs FAQ contains a section:
>
> "Are there any security risks in Emacs?"
>
> The stuff about movemail and synthetic X events is archaic.

The movemail stuff was removed in 61223a046c (Bug#37818).

What do you think we should do about synthetic X events?

> There is no mention of the more current problems:
>
> 1) installing a package runs arbitrary code
> Better make sure you trust whoever gave you that package (gpg signing)
> and how you got it (https), etc.

This was added in the same commit 61223a046c.

> 2) using an Emacs mail client to view HTML mail is a security risk if remote
> content is fetched (I think it isn't by default, but this might not
> apply to every client)

Is it important to warn about this privacy issue here? I would expect
that any sensible Emacs MUA would disable remote fetching by default,
and document the issues with enabling it.

> 3) viewing remote HTML content (eg with eww or xwidgets) is likewise a
> potential security risk.

True, but isn't this a bit too general to be useful in the context of
the FAQ?

Best regards,
Stefan Kangas