Re: Structurally fixing command injection bugs

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Structurally fixing command injection bugs

From:	Vasilij Schneidermann
Subject:	Re: Structurally fixing command injection bugs
Date:	Wed, 22 Feb 2023 11:34:30 +0100

On 02/22/23 at 06:20pm, lux wrote:
> > PS: Where should I report analogous misuse of `shell-command-to-
> > string`?  I cannot submit patches currently because I've changed
> > employers and need to renew copyright assignment, again (that would
> > be the third time already).
> 
> You can send to bug-gnu-emacs@gnu.org

Yes, usually I'd just use M-x report-emacs-bug, but in this case it's
different because I plan to develop proof of concept code (PoC) and
submit it to the responsible maintainer for verifying the vulnerability
and the fix. Publicly disclosing PoC code is usually frowned upon, no
matter how trivial/exploitable the issue is.

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Structurally fixing command injection bugs, Vasilij Schneidermann, 2023/02/22
- Re: Structurally fixing command injection bugs, lux, 2023/02/22
  - Re: Structurally fixing command injection bugs, Vasilij Schneidermann <=
    - Re: Structurally fixing command injection bugs, lux, 2023/02/22
    - Re: Structurally fixing command injection bugs, Gregory Heytings, 2023/02/22
- Re: Structurally fixing command injection bugs, lux, 2023/02/22
- Re: Structurally fixing command injection bugs, Jim Porter, 2023/02/22

Prev by Date: Re: Structurally fixing command injection bugs
Next by Date: Re: master 098add06eb7: Say whether we're using X11 double buffering
Previous by thread: Re: Structurally fixing command injection bugs
Next by thread: Re: Structurally fixing command injection bugs
Index(es):
- Date
- Thread