Re: 2023-02-27 Emacs news
From: Yuri Khan
Subject: Re: 2023-02-27 Emacs news
Date: Tue, 28 Feb 2023 21:05:33 +0700
On Tue, 28 Feb 2023 at 18:51, Jean Louis <bugs@gnu.support> wrote:
> But... it is source, one can put anything inside like
> (shell-command "sudo rm -rf /")
>
> Those "CVE" bugs are exaggerated.
>
> Like this one:
>
> https://security-tracker.debian.org/tracker/CVE-2022-48338
> "malicious Ruby source files may cause commands to be executed"
>
> But hey, any malicious source file may cause commands to be
> executed.
It is a question of expectations.
If you execute a malicious source file as a script, sure, you expect
it to be executed and you are ready for any damage it causes. There is
no vulnerability except in your own head.
If you open a malicious source file in an editor, you don’t expect it
to execute any code written within, surely not before you press the
Run key. If opening a file for editing trashes your home directory,
it’s a bug and a vulnerability. If opening a file for editing causes
personal information to be sent outside, it’s a bug and a
vulnerability.