bug#24489: efaq: security risks

From: Stefan Kangas
Subject: bug#24489: efaq: security risks
Date: Tue, 11 Aug 2020 18:38:12 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

Glenn Morris <rgm@gnu.org> writes:

> The (very crufty) Emacs FAQ contains a section:
>    "Are there any security risks in Emacs?"
> The stuff about movemail and synthetic X events is archaic.

The movemail stuff was removed in 61223a046c (Bug#37818).

What do you think we should do about synthetic X events?

> There is no mention of the more current problems:
> 1) installing a package runs arbitrary code
> Better make sure you trust whoever gave you that package (gpg signing)
> and how you got it (https), etc.

This was added in the same commit 61223a046c.

> 2) using an Emacs mail client to view HTML mail is a security risk if remote
> content is fetched (I think it isn't by default, but this might not
> apply to every client)

Is it important to warn about this privacy issue here?  I would expect
that any sensible Emacs MUA would disable remote fetching by default,
and document the issues with enabling it.

> 3) viewing remote HTML content (eg with eww or xwidgets) is likewise a
> potential security risk.

True, but isn't this a bit too general to be useful in the context of
the FAQ?

Best regards,
Stefan Kangas
