
Re: Fwd: Processed: Re: Bug#408929: emacs21: crash on spam



severity 408929 important
thanks

On Sun, Feb 04, 2007 at 01:56:40PM +0100, Jérôme Marant wrote:
> I'll ask that we tag this bug as etch-ignore: there are tons of bugs like
> this one in Emacs and there are multiple chances to expose such bugs
> by using many different packages.

> Furthermore, emacs21 is (and more generally stable emacs releases are) not
> supported upstream so we have no chances to get help from them
> (they are preparing the next release BTW).

This last is certainly not a reason to etch-ignore a bug; on the contrary,
it speaks to the overall releasability of the package if neither upstream
nor the maintainers are prepared to cope with possible security bugs that
are uncovered in the version releasing with etch.

However, the current argument in favor of treating this as a grave security
bug is that it's a DoS causing data loss of unsaved files:

On Sun, Feb 04, 2007 at 02:38:39PM +0100, Romain Francoise wrote:
> Steve Langasek <vorlon@debian.org> writes:

> > I've tagged this bug security, because it wasn't clear to me
> > whether this was a potentially exploitable problem.  Do you think
> > that tag applies here?

> Yes, I think it does.  Crashing Emacs is a denial of service attack
> against the various applications that run inside it, and can cause
> data loss...  Whether code execution is actually possible, I don't
> know.

DoSes, while security bugs, are not treated as grave security bugs; that
severity is reserved for bugs that allow code execution under the attacker's
control.  And data loss because you didn't save before the application
crashed is not the sense in which "data loss" is meant in the policy
definition of grave bugs -- the "data loss" argument is reserved for bugs
that eat your data directly, not as a side effect of you not having saved
your data.

So if there's no evidence of arbitrary code execution, I think it's
appropriate here to downgrade the bug -- but the security team should also
be apprised.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/