GNU bug report logs - #59544
[PATCH] Fixed lib-src/etags.c command execute vulnerability

Package: emacs;

Reported by: "lux" <lx <at> shellcodes.org>

Date: Thu, 24 Nov 2022 15:28:02 UTC

Severity: normal

Tags: patch, security

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.


Message #55 received at 59544 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Stefan Kangas <stefankangas <at> gmail.com>
Cc: 59544 <at> debbugs.gnu.org, lx <at> shellcodes.org
Subject: Re: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Sat, 26 Nov 2022 12:14:56 +0200
> From: Stefan Kangas <stefankangas <at> gmail.com>
> Date: Sat, 26 Nov 2022 01:47:25 -0800
> Cc: Eli Zaretskii <eliz <at> gnu.org>, 59544 <at> debbugs.gnu.org
> 
> lux <lx <at> shellcodes.org> writes:
> 
> > On 2022/11/26 08:43, Stefan Kangas wrote:
> >
> >  Other than that, LGTM.
> >
> >> +          char *buf = xmalloc (buf_len);
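Review bot: the buffer allocated with xmalloc on this line needs a matching free (buf) on every path that leaves the enclosing block, including any early return or continue, not just the normal exit; a free placed only at the end of the block would still leak on the error paths. Since xmalloc aborts rather than returning NULL on allocation failure, no NULL check is needed, but the size passed as buf_len should be checked against the length actually written into buf.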
> >
> > The buf variable is not released after use, I added free (buf)
> 
> Thanks.  I think we should aim to push this security fix ASAP.
> 
> Eli, any additional comments on the patch?

Please don't push, the patch was posted just a few hours ago.  I have a lot
to do on my hands, and will get to reviewing this in due time.  We've lived
with this "security issue" for decades, so I see nothing here that justifies
"ASAP".

I find the tendency to rush with installing changes bad for the quality of
our code.  I always wait at least for a week before installing myself, and
suggest that you do the same.  Doing so lets others chime in and provide
valuable input and comments.

Thanks in advance.



