GNU bug report logs - #44018
Don't consider play-sound-file to be a 'safe' function


Package: emacs; Reported by: Mattias Engdegård <mattiase@HIDDEN>; dated Thu, 15 Oct 2020 16:56:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 44018 <at> debbugs.gnu.org:


Subject: Re: bug#44018: Don't consider play-sound-file to be a 'safe' function
From: Mattias Engdegård <mattiase@HIDDEN>
Date: Fri, 16 Oct 2020 11:45:14 +0200
To: Eli Zaretskii <eliz@HIDDEN>
Cc: Lars Ingebrigtsen <larsi@HIDDEN>, 44018 <at> debbugs.gnu.org

15 okt. 2020 kl. 21.20 skrev Eli Zaretskii <eliz@HIDDEN>:

> Any specifics, though?  Surely, if the risks are known, there should
> be some vulnerabilities recorded somewhere?  Is it possible to give a
> couple of examples, or refer to known vulnerabilities?

Sorry for being unclear. This is not about known vulnerabilities (which we hope are not present!) but about reducing risks -- i.e., exposure to unknown present and future security holes.

Security thinking takes some getting used to; risks have to be motivated by clear needs. In this case, the needs for calls to play-sound-file with arbitrary input data seem very small but the risks aren't commensurate.

> I'm not sure I understand: what's unsafe in playing sound?

A fair question! Safe parsing and handling of binary file formats can be surprisingly difficult, especially in an unsafe language; the slightest mistake can be exploited by an intelligent adversary. It could be a buffer overrun, an insufficiently checked parameter, signedness confusion, nonsensical combination of values, unexpected alignment, legal but untested values, text encoding traps in string fields (oh yes)... I have written many sound and image file parsers over the years, most of which would be completely unsuitable in a hostile environment.

And new attack vectors keep turning up. Inaudible sound streams carrying covert instructions to always-on voice-activated assistants? Maybe all they can do is to turn off the lights or order you more rolls of toilet paper but don't count on it.

Most weaknesses are likely to have been fuzzed and patched out of existence by now but it does not change the fact that playing arbitrary audio is an activity that will always carry more inherent risk than, say, calling ding or split-string, also in the same list of safe functions.

But, someone objects, I play arbitrary sound files in my web browser all the time! Yes, and that is not free of risk either -- but that web browser is likely to have undergone more care and hardening of these code paths than Emacs: more careful selection of libraries and APIs used, fewer obscure or obscure file formats supported, and even measures taken to contain breaches, such as sandboxing.

Finally, Emacs must be completely trusted as a tool for inspecting arbitrary files, even ones prepared with malicious intent.

> Do you understand why 'message' was removed?

I can only guess, but that function could be used to display deceptive messages that mislead the user to take actions against his or her own interest. Removing it looks like a wise decision.
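
Added example, not part of the original thread and not Emacs code: a C validator for a sound-file header, showing the checks that the hazards listed in the message above call for (sizes that overrun the buffer, signedness confusion, contradictory field combinations, misaligned data). The choice of the WAV format, the names `wav_validate` and `wav_info`, the accepted value ranges and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { WAV_OK = 0, WAV_TRUNCATED = -1, WAV_BAD_MAGIC = -2, WAV_BAD_CHUNK_SIZE = -3,
       WAV_BAD_FORMAT = -4, WAV_INCONSISTENT = -5, WAV_NO_DATA = -6 };

struct wav_info {
    uint16_t channels, bits_per_sample, block_align;
    uint32_t sample_rate;
    size_t data_off, data_len;   /* validated to lie inside the input buffer */
};

/* Byte-wise little-endian reads into unsigned types: no unaligned loads and
   no signed intermediate that a large size field could turn negative. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the 16-byte PCM "fmt " payload: each field alone, then together. */
static int check_fmt(const uint8_t *p, uint32_t size, struct wav_info *w)
{
    if (size < 16 || rd16(p) != 1)           /* too short, or not plain PCM */
        return WAV_BAD_FORMAT;
    w->channels = rd16(p + 2);
    w->sample_rate = rd32(p + 4);
    uint32_t byte_rate = rd32(p + 8);
    w->block_align = rd16(p + 12);
    w->bits_per_sample = rd16(p + 14);
    if (w->channels < 1 || w->channels > 2 ||
        (w->bits_per_sample != 8 && w->bits_per_sample != 16) ||
        w->sample_rate == 0 || w->sample_rate > 192000)
        return WAV_BAD_FORMAT;
    /* Fields that are each legal can still contradict one another. */
    if (w->block_align != w->channels * (w->bits_per_sample / 8) ||
        byte_rate != w->sample_rate * w->block_align)
        return WAV_INCONSISTENT;
    return WAV_OK;
}

/* Walk the RIFF chunks; every size read from the file is checked against the
   bytes actually present before it is used. Returns WAV_OK or an error code. */
int wav_validate(const uint8_t *buf, size_t len, struct wav_info *out)
{
    struct wav_info w;
    int have_fmt = 0;
    memset(&w, 0, sizeof w);
    if (len < 12) return WAV_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return WAV_BAD_MAGIC;
    size_t off = 12;
    while (len - off >= 8) {                 /* invariant: off <= len */
        const uint8_t *hdr = buf + off;
        uint32_t size = rd32(hdr + 4);
        size_t avail = len - off - 8;        /* cannot underflow, see loop test */
        if (size > avail) return WAV_BAD_CHUNK_SIZE;   /* would overrun buf */
        if (memcmp(hdr, "fmt ", 4) == 0) {
            int rc = check_fmt(hdr + 8, size, &w);
            if (rc != WAV_OK) return rc;
            have_fmt = 1;
        } else if (memcmp(hdr, "data", 4) == 0) {
            if (!have_fmt) return WAV_BAD_FORMAT;      /* layout unknown yet */
            if (size == 0 || size % w.block_align != 0) return WAV_INCONSISTENT;
            w.data_off = off + 8;
            w.data_len = size;
            *out = w;                        /* written only on full success */
            return WAV_OK;
        }
        /* Chunks are padded to even length; the pad may be missing at EOF. */
        size_t step = (size_t)size + (size & 1);
        if (step > avail) step = avail;
        off += 8 + step;
    }
    return WAV_NO_DATA;
}

/* Constructed sample: 8-bit mono PCM at 8000 Hz with four data bytes. */
static const uint8_t constructed_sample[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0,
    1,0, 1,0, 0x40,0x1F,0,0,                 /* PCM, 1 channel, 8000 Hz */
    0x40,0x1F,0,0, 1,0, 8,0,                 /* byte rate, block align, bits */
    'd','a','t','a', 4,0,0,0, 0x80,0x80,0x80,0x80
};

int main(void)
{
    struct wav_info w;
    uint8_t bad[sizeof constructed_sample];
    memcpy(bad, constructed_sample, sizeof bad);
    memset(bad + 40, 0xFF, 4);               /* data chunk now claims ~4 GiB */
    printf("sample:   %d\n", wav_validate(constructed_sample, sizeof bad, &w));
    printf("oversize: %d\n", wav_validate(bad, sizeof bad, &w));
    return 0;
}
```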





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44018; Package emacs. Full text available.

Message received at 44018 <at> debbugs.gnu.org:


Date: Fri, 16 Oct 2020 09:23:40 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: Lars Ingebrigtsen <larsi@HIDDEN>
Subject: Re: bug#44018: Don't consider play-sound-file to be a 'safe' function
Cc: mattiase@HIDDEN, 44018 <at> debbugs.gnu.org

> From: Lars Ingebrigtsen <larsi@HIDDEN>
> Cc: Mattias Engdegård <mattiase@HIDDEN>,
>   44018 <at> debbugs.gnu.org
> Date: Fri, 16 Oct 2020 07:39:05 +0200
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> > Are the risks the same on all the supported platforms, or just on
> > some?
> 
> My understanding of unsafep.el isn't that it's trying to protect against
> any particular exploits, but just give a list of things that are totally
> and utterly OK to eval.  So you have stuff like:
> 
> commit a8c41b4c0d3b0a3e87f17bbcdd8ac12dae296b3a
> Author:     Chong Yidong <cyd@HIDDEN>
> AuthorDate: Mon Oct 18 13:28:20 2010 -0400
> 
>     Don't allow functions that display messages in unsafep.
> 
> So even `message' isn't "safe" in this context.  I think it's odd to
> have `play-sound-file' marked as "safe" if `message' isn't.

Do you understand why 'message' was removed?  I don't, and couldn't
find any discussion on Emacs lists that discussed that; I may have
missed something.  I have no idea why 'message' could be unsafe.
unsafep.el doesn't provide a high-level definition of what is
considered "safe", unfortunately, and was evidently written for SES,
so may have some bias due to that context.  Still, it is not clear to
me why 'message' was removed.

I'm uneasy with doing things when the only argument is "why not?".
Maybe I'm the odd one out, but I generally think we should have a lot
of respect for those who wrote code for Emacs in the past, unless we
have a clear reason to think it was in error of some kind.  So I'm
trying to get to the bottom of an issue when the proposal is clearly
at odds with something we had for years.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44018; Package emacs. Full text available.

Message received at 44018 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#44018: Don't consider play-sound-file to be a 'safe' function
Date: Fri, 16 Oct 2020 07:39:05 +0200
Cc: Mattias Engdegård <mattiase@HIDDEN>, 44018 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

> Are the risks the same on all the supported platforms, or just on
> some?

My understanding of unsafep.el isn't that it's trying to protect against
any particular exploits, but just give a list of things that are totally
and utterly OK to eval.  So you have stuff like:

commit a8c41b4c0d3b0a3e87f17bbcdd8ac12dae296b3a
Author:     Chong Yidong <cyd@HIDDEN>
AuthorDate: Mon Oct 18 13:28:20 2010 -0400

    Don't allow functions that display messages in unsafep.

So even `message' isn't "safe" in this context.  I think it's odd to
have `play-sound-file' marked as "safe" if `message' isn't.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44018; Package emacs. Full text available.

Message received at 44018 <at> debbugs.gnu.org:


Date: Thu, 15 Oct 2020 22:20:13 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: Mattias Engdegård <mattiase@HIDDEN>
Subject: Re: bug#44018: Don't consider play-sound-file to be a 'safe' function
Cc: 44018 <at> debbugs.gnu.org

> From: Mattias Engdegård <mattiase@HIDDEN>
> Date: Thu, 15 Oct 2020 21:01:20 +0200
> Cc: 44018 <at> debbugs.gnu.org
> 
> 15 okt. 2020 kl. 19.26 skrev Eli Zaretskii <eliz@HIDDEN>:
> 
> > Any details for the uninitiated, or pointers to the info?
> 
> You are definitely not uninitiated but others may be so please bear with me.
> 
> There are many things that can go wrong:
> 
> Playing sound files involves lots of code and libraries, sometimes even executing external processes.
> Sound file formats are complex and a player typically needs to understand several different ones; security-related bugs are not uncommon.
> Sound file players may also need access to the hardware, which can greatly amplify the severity of any breach.

Any specifics, though?  Surely, if the risks are known, there should
be some vulnerabilities recorded somewhere?  Is it possible to give a
couple of examples, or refer to known vulnerabilities?

> > Are the risks the same on all the supported platforms, or just on
> > some?
> 
> The security fundamentals (as above) are the same everywhere; details obviously differ. Even if we could pronounce one platform as entirely 'safe' for audio-playing, which I don't think is feasible, I don't see the gain from doing so.

I asked because I looked for any known security risks associated with
the MCI interface we use on MS-Windows to implement
play-sound-internal, and couldn't find any.  Maybe I overlooked
something, or used sub-optimal search phrases, so I'd love to see
something about the risks.  Otherwise it sounds (pun intended) like we
are afraid of a danger that doesn't exist.

> Obviously 'safe' has to be understood in context. Can Emacs be tricked to call play-sound-file with the name of a crafted file as argument? Maybe; as far as I can tell, unsafe is only used by SES in Emacs proper, but it seems feasible to create a .ses file that calls play-sound-file without asking the user. To assume otherwise would be imprudent.

I'm not sure I understand: what's unsafe in playing sound?  I thought
you were talking about the danger of using a malicious file that is
disguised as a sound file, but in that case the fact that we invoke
the function is not the problem, the problem would be (AFAIU) if the
sound device failed to recognize the file as corrupted or of wrong
format, and caused whatever damage that was supposed to do.  Those are
the kind of details about the vulnerabilities I expected to see.  Is
any information along these lines available?

> It is true that the hostile Internet has hardened audio file code considerably over the years but why would we explicitly make a security exception for a function with large attack surface in an application (Emacs) that may very well be used for inspection of potentially harmful files?

I'm struggling to understand what is the attack surface.  Can you (or
someone else) help in understanding that?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44018; Package emacs. Full text available.

Message received at 44018 <at> debbugs.gnu.org:


Subject: Re: bug#44018: Don't consider play-sound-file to be a 'safe' function
From: Mattias Engdegård <mattiase@HIDDEN>
Date: Thu, 15 Oct 2020 21:01:20 +0200
To: Eli Zaretskii <eliz@HIDDEN>
Cc: 44018 <at> debbugs.gnu.org

15 okt. 2020 kl. 19.26 skrev Eli Zaretskii <eliz@HIDDEN>:

> Any details for the uninitiated, or pointers to the info?

You are definitely not uninitiated but others may be so please bear with me.

There are many things that can go wrong:

Playing sound files involves lots of code and libraries, sometimes even executing external processes.
Sound file formats are complex and a player typically needs to understand several different ones; security-related bugs are not uncommon.
Sound file players may also need access to the hardware, which can greatly amplify the severity of any breach.

> Are the risks the same on all the supported platforms, or just on
> some?

The security fundamentals (as above) are the same everywhere; details obviously differ. Even if we could pronounce one platform as entirely 'safe' for audio-playing, which I don't think is feasible, I don't see the gain from doing so.

Obviously 'safe' has to be understood in context. Can Emacs be tricked to call play-sound-file with the name of a crafted file as argument? Maybe; as far as I can tell, unsafe is only used by SES in Emacs proper, but it seems feasible to create a .ses file that calls play-sound-file without asking the user. To assume otherwise would be imprudent.

It is true that the hostile Internet has hardened audio file code considerably over the years but why would we explicitly make a security exception for a function with large attack surface in an application (Emacs) that may very well be used for inspection of potentially harmful files?





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44018; Package emacs. Full text available.

Message received at 44018 <at> debbugs.gnu.org:


Date: Thu, 15 Oct 2020 20:26:47 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: Mattias Engdegård <mattiase@HIDDEN>
Subject: Re: bug#44018: Don't consider play-sound-file to be a 'safe' function
Cc: 44018 <at> debbugs.gnu.org

> From: Mattias Engdegård <mattiase@HIDDEN>
> Date: Thu, 15 Oct 2020 18:55:26 +0200
> 
> We should remove play-sound-file from the list of 'safe' functions in unsafep.el.
> The risks outweigh the benefits here; this is just basic security engineering.
> The attack surface of play-sound-file is considerable.

Any details for the uninitiated, or pointers to the info?

Are the risks the same on all the supported platforms, or just on
some?

Thanks.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44018; Package emacs. Full text available.

Message received at 44018 <at> debbugs.gnu.org:


Received: (at 44018) by debbugs.gnu.org; 15 Oct 2020 17:14:44 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Oct 15 13:14:44 2020
Received: from localhost ([127.0.0.1]:56472 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1kT6pw-0003ad-2v
	for submit <at> debbugs.gnu.org; Thu, 15 Oct 2020 13:14:44 -0400
Received: from quimby.gnus.org ([95.216.78.240]:45344)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <larsi@HIDDEN>) id 1kT6pu-0003aP-6L
 for 44018 <at> debbugs.gnu.org; Thu, 15 Oct 2020 13:14:42 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnus.org;
 s=20200322; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID
 :In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=VUdL4PDgsnYNnbgJGFkffSQ6Fb1RiChDpWIX0t6oHSs=; b=RsaAoDkOLb7492m86OD49AH1Eh
 msiIlI1F7qG5L1F+NW0CnnF50XSUW7Ts2u6VdCTbHvM/T6IPeP0SwrFm6tc+M1Y9BxYtU6mSek29k
 8vrckz69frPVxlZLAWN+3lgy0DRhRVx3T//mJXgbzLNaUW9DBPRYPp9DGRuYZwnFGEw4=;
Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=xo)
 by quimby.gnus.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.92) (envelope-from <larsi@HIDDEN>)
 id 1kT6pd-0006hW-5r; Thu, 15 Oct 2020 19:14:36 +0200
From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Mattias =?utf-8?Q?Engdeg=C3=A5rd?= <mattiase@HIDDEN>
Subject: Re: bug#44018: Don't consider play-sound-file to be a 'safe' function
References: <5A2CDAEA-03CF-4F92-AF9D-40421A9B362E@HIDDEN>
Date: Thu, 15 Oct 2020 19:14:23 +0200
In-Reply-To: <5A2CDAEA-03CF-4F92-AF9D-40421A9B362E@HIDDEN> ("Mattias
 Engdegård"'s message of "Thu, 15 Oct 2020 18:55:26 +0200")
Message-ID: <87y2k7tnrk.fsf@HIDDEN>

Mattias Engdegård <mattiase@HIDDEN> writes:

> We should remove play-sound-file from the list of 'safe' functions in
> unsafep.el.
> The risks outweigh the benefits here; this is just basic security engineering.
> The attack surface of play-sound-file is considerable.

Makes sense to me; go ahead.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44018; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Mattias Engdegård <mattiase@HIDDEN>
Subject: Don't consider play-sound-file to be a 'safe' function
Message-Id: <5A2CDAEA-03CF-4F92-AF9D-40421A9B362E@HIDDEN>
Date: Thu, 15 Oct 2020 18:55:26 +0200
To: bug-gnu-emacs@HIDDEN

We should remove play-sound-file from the list of 'safe' functions in unsafep.el.
The risks outweigh the benefits here; this is just basic security engineering.
The attack surface of play-sound-file is considerable.





Acknowledgement sent to Mattias Engdegård <mattiase@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#44018; Package emacs. Full text available.
Last modified: Fri, 16 Oct 2020 10:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.