
Emacs 29.3 released

Version 29.3 of the Emacs editor has been released:

Emacs 29.3 is an emergency bugfix release; it includes no new features except a small number of changes intended to resolve security vulnerabilities uncovered in Emacs 29.2.

Those vulnerabilities mostly have to do with executing untrusted Lisp code; see the NEWS file for a bit more information.



What old versions are vulnerable?

Posted Mar 25, 2024 17:19 UTC (Mon) by epa (subscriber, #39769)

Was it only 29.2 that introduced these bugs, or are earlier Emacs versions also vulnerable? Some still-current Linux distributions (particularly “enterprise” ones) are packaging Emacs 28 or 27. But I don’t think GNU generally makes maintenance releases of older versions.

What old versions are vulnerable?

Posted Mar 26, 2024 20:29 UTC (Tue) by dvdeug (subscriber, #10998)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067630 has notes saying that Org-mode 9.5 (released September 2021) to now has the bugs, and the LaTeX preview issues go back to Emacs 26.

What old versions are vulnerable?

Posted Mar 27, 2024 3:12 UTC (Wed) by floppus (guest, #137245)

I'm assuming the following six patches are the relevant ones:

org-macro--set-templates: Prevent code evaluation
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=ema...

* lisp/files.el (untrusted-content): New variable.
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=ema...

* lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=ema...

org-latex-preview: Add protection when `untrusted-content' is non-nil
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=ema...

org-file-contents: Consider all remote files unsafe
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=ema...

org--confirm-resource-safe: Fix prompt when prompting in non-file Org buffers
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=ema...

To my untrained eye, it looks like the macroexpand issue is present in Emacs 28.2 (Debian stable) but not in Emacs 27.1 (Debian oldstable). It looks like the LaTeX issue is present in both versions.

Until backported packages are available, I'm going with the easy workaround of 'rm -rf /usr/share/emacs/*/lisp/org/'.

Emacs 29.3 released

Posted Mar 27, 2024 2:12 UTC (Wed) by ejr (subscriber, #51652)

Morris worm?

Thoughts on editors and code execution

Posted Mar 27, 2024 5:02 UTC (Wed) by floppus (guest, #137245)

I'm grateful that the Emacs team takes these sorts of issues seriously.

There's always going to be a temptation to enable arbitrary code execution inside your editor, because that's "the easy way" to do lots of useful and powerful things. I'm grateful that Emacs, in general, works to avoid that temptation, and to provide sophisticated editing capabilities "the hard way".

(I cringe when I see somebody using an editor that prompts them to "trust this project" to enable advanced features. I suspect that often means "trust everything that ever gets pulled into the present git repository." Obviously trust your own code, but most of us no longer live in a world where the only code we're reading or editing is our own.)

Yes, Emacs has the option to trust "safe values of risky local variables", but those are sensibly tracked per-value, not per-variable or per-directory or per-project. (Which means that users and Lisp developers are encouraged to use even risky variables in limited, safe ways.)

Until now, Emacs hasn't had an "untrusted-content" variable. The answer was always (and should be) "t".

I don't use Org mode regularly, and I'm not familiar with the features in question here. But the "evaluate Lisp on export" feature looks a little sketchy (I guess you can assume people will only ever export a document they wrote themselves?) And the "LaTeX preview" feature looks *quite* sketchy. It's not just a matter of "might generate huge PDF files" - LaTeX is an actual programming language, y'know?
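
The per-value safety mechanism and the new `untrusted-content' variable that the post above refers to, shown as an added Emacs Lisp example. This is not code from the LWN thread, from Org, or from Emacs itself; `my-preview-scale', `my-preview-command' and `my-preview-maybe-render' are hypothetical names, and the example assumes that `untrusted-content' is a buffer-local variable which is non-nil in buffers whose contents came from an untrusted source, as introduced in Emacs 29.3.

```elisp
;; Added example (not from the LWN thread, Org, or Emacs): how Emacs
;; treats file-local variables as safe per *value* rather than per
;; variable, and how a mode feature can refuse risky work in a buffer
;; marked untrusted.

;; A hypothetical variable that an Org-like mode might read from a
;; file's local-variables block ("-*- my-preview-scale: 2.0 -*-").
(defvar my-preview-scale 1.0
  "Scale factor for inline previews (hypothetical example variable).")

;; Declare WHICH values are safe: only a number inside a sane range.
;; Any other value stays unsafe and goes through the usual
;; confirmation prompt instead of being applied silently.
(put 'my-preview-scale 'safe-local-variable
     (lambda (v) (and (numberp v) (<= 0.1 v 4.0))))

;; `safe-local-variable-p' consults that predicate (and the user's
;; `safe-local-variable-values' list) for the concrete value in question.
(defun my-preview-scale-safe-p (value)
  "Non-nil if VALUE would be accepted for `my-preview-scale' without a prompt."
  (safe-local-variable-p 'my-preview-scale value))

;; A variable whose value names something that gets executed should be
;; marked risky instead, so that no value is ever auto-trusted.
(defvar my-preview-command nil
  "Program run to render previews (hypothetical example variable).")
(put 'my-preview-command 'risky-local-variable t)

;; A feature that shells out (like LaTeX preview) can consult the
;; buffer-local `untrusted-content' before doing anything.  The check is
;; this example's own, not Org's.
(defun my-preview-maybe-render ()
  "Render previews unless the current buffer is marked untrusted."
  (interactive)
  (if (and (boundp 'untrusted-content) untrusted-content)
      (message "Buffer content is untrusted; not running %S" my-preview-command)
    (message "Would render previews at scale %s" my-preview-scale)))
```

Evaluating this in a scratch buffer, `(my-preview-scale-safe-p 1.5)' is non-nil while `(my-preview-scale-safe-p "2.0")' is nil, because the predicate is asked about the specific value, not about the variable as a whole; `(risky-local-variable-p 'my-preview-command)' is non-nil, so a file can never set it without an explicit decision by the user. Setting `untrusted-content' to t in a buffer (as mm-display-inline-fontify now does for mail attachments in the patch listed earlier in the thread) makes `my-preview-maybe-render' decline to run.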

Thoughts on editors and code execution

Posted Mar 27, 2024 21:43 UTC (Wed) by ebeale (subscriber, #170376) [Link]

> But the "evaluate Lisp on export" feature looks a little sketchy (I guess you can assume people will only ever export a document they wrote themselves?)

It's actually evaluated when org-mode is enabled, which (to me) is *way* worse:

> Arbitrary Lisp code is no longer evaluated as part of turning on Org mode. This is for security reasons, to avoid evaluating malicious Lisp code


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds