severity 408929 important
thanks

On Sun, Feb 04, 2007 at 01:56:40PM +0100, Jérôme Marant wrote:
> I'll ask that we tag this bug as etch-ignore: there are tons of bugs like
> this one in Emacs and there are multiple chances to expose such bugs
> by using many different packages.
> Furthermore, emacs21 is (and more generally stable emacs releases are) not
> supported upstream so we have no chances to get help from them
> (they are preparing the next release BTW).

This last is certainly not a reason to etch-ignore a bug; on the contrary, it speaks to the overall releasability of the package if neither upstream nor the maintainers are prepared to cope with possible security bugs that are uncovered in the version releasing with etch.

However, the current argument in favor of treating this as a grave, security bug is that it's a DoS causing data loss of unsaved files:

On Sun, Feb 04, 2007 at 02:38:39PM +0100, Romain Francoise wrote:
> Steve Langasek <[EMAIL PROTECTED]> writes:
> > I've tagged this bug security, because it wasn't clear to me
> > whether this was a potentially exploitable problem. Do you think
> > that tag applies here?
> Yes, I think it does. Crashing Emacs is a denial of service attack
> against the various applications that run inside it, and can cause
> data loss... Whether code execution is actually possible, I don't
> know.

DoSes, while security bugs, are not treated as grave security bugs; that severity is reserved for bugs that allow code execution under the attacker's control. And data loss because you didn't save before the application crashed is not the sense in which "data loss" is meant in the policy definition of grave bugs -- the "data loss" argument is reserved for bugs that eat your data directly, not as a side effect of you not having saved your data.

So if there's no evidence of arbitrary code execution, I think it's appropriate here to downgrade the bug -- but the security team should also be apprised.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/