GNU bug report logs - #19565
Emacs vulnerable to endless-data attack (minor)


Package: emacs

Reported by: Kelly Dean <kelly <at> prtime.org>

Date: Sun, 11 Jan 2015 11:14:02 UTC

Severity: normal

Tags: security


From: Eli Zaretskii <eliz <at> gnu.org>
To: Stefan Kangas <stefan <at> marxist.se>
Cc: larsi <at> gnus.org, 19565 <at> debbugs.gnu.org
Subject: bug#19565: Emacs vulnerable to endless-data attack (minor)
Date: Sun, 06 Oct 2019 20:32:28 +0300
> From: Stefan Kangas <stefan <at> marxist.se>
> Date: Sun, 6 Oct 2019 05:13:27 +0200
> Cc: 19565 <at> debbugs.gnu.org
> 
> I think this affects more than just package.el.  AFAICT, anywhere we
> use the url library, an endless data attack can get Emacs to fill up
> all available memory (wasting also bandwidth resources, of course).

At which point the system will kill the Emacs process.  Why is that a
problem we need to work, given that we already have at least some
protection against stack overflows and running out of memory?

> For example, a new keyword argument :max-size, which would make it
> stop after having reached that many bytes.

The GNU Coding Standards frown on having arbitrary limits in a
program.  So this could only work if we had some reasonable way of
computing a limit that is not arbitrary.
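
The byte cap discussed in this message, sketched at the process-filter level as an added example; it is not part of the thread and not code from Emacs or the url library. It assumes a Unix `yes` command as a constructed endless data source, and the `example-` function names and the `max-size`, `seen` and `truncated` process properties are hypothetical.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example. `example-' names and the `max-size'/`seen'/`truncated'
;; process properties are hypothetical, not part of Emacs or url.el.

(defun example-capped-filter (proc chunk)
  "Insert CHUNK into PROC's buffer; delete PROC once `max-size' is exceeded."
  (let* ((max-size (process-get proc 'max-size))
         (seen (or (process-get proc 'seen) 0))
         (room (max 0 (- max-size seen))))
    (when (buffer-live-p (process-buffer proc))
      (with-current-buffer (process-buffer proc)
        (goto-char (point-max))
        ;; Keep only the part of CHUNK that still fits under the cap.
        (insert (substring chunk 0 (min room (length chunk))))))
    (process-put proc 'seen (+ seen (length chunk)))
    (when (> (+ seen (length chunk)) max-size)
      (process-put proc 'truncated t)
      ;; Stop reading: without this the sender decides when we are done.
      (delete-process proc))))

(defun example-read-capped (command max-size)
  "Run COMMAND; return (DATA . TRUNCATED), keeping at most MAX-SIZE bytes.
MAX-SIZE is supplied by the caller, who knows what a sane reply looks like."
  (with-temp-buffer
    (set-buffer-multibyte nil)
    (let ((proc (make-process :name "example-endless"
                              :buffer (current-buffer)
                              :command command
                              :connection-type 'pipe
                              :coding 'binary     ; count raw bytes
                              :noquery t
                              :sentinel #'ignore  ; no status text in buffer
                              :filter #'example-capped-filter)))
      (process-put proc 'max-size max-size)
      (while (process-live-p proc)
        (accept-process-output proc 0.1))
      (cons (buffer-string) (process-get proc 'truncated)))))

;; Constructed endless source: the Unix `yes' command never stops writing.
(let ((result (example-read-capped '("yes") 4096)))
  (message "kept %d bytes, truncated: %s"
           (length (car result)) (cdr result)))
```

The same filter shape applies to a network process, since `make-network-process` also accepts `:filter`.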




This bug report was last modified 5 years and 252 days ago.
