Date: Wed, 11 Nov 2020 08:03:51 +0300
From: Jean Louis
To: Tim Cross
Cc: Maxim Nikulin, emacs-orgmode@gnu.org
Subject: Re: Thoughts on the standardization of Org

* Tim Cross [2020-11-11 01:30]:
>
> Jean Louis writes:
>
> > * Maxim Nikulin [2020-11-10 19:31]:
> >> 2020-11-10 Greg Minshall wrote:
> >> >
> >> > i would guess
> >> > using 'cat -v' to read e-mail is 100% safe. even throwing in
> >> > uudecode(1), or whatever is needed to decode base64, (and then piping
> >> > through 'cat -v', of course ), it's probably still safe.
> >>
> >> Please, check that you have at least updated tmux before applying such
> >> "safe" handler: https://www.openwall.com/lists/oss-security/2020/11/05/3 The
> >> news are too recent to not mention the link in such context.
> >>
> >> The sour story is that it is unsafe to feed non-trusted files directly to
> >> terminal. A filter against control sequences is required.
> >
> > Is there any way to disable control sequences? Then cat can be aliased.
> >
> It should be noted that this vulnerability is a buffer overflow exploit
> which ASLR effectively mitigates. This doesn't mean that it isn't a
> serious bug in tmux, but it does mean that unless you have disabled
> ASLR, there is no known exploit (i.e. it is only theoretical). Given the
> popularity of tmux, I suspect it will be patched and a new version

Do you know how to disable control sequences?
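
A filter of the kind the thread calls for, as an added example that is not part of the original message: it renders control characters visibly in the style of `cat -v`, but keeps valid UTF-8 text readable and also catches 8-bit C1 controls such as CSI (U+009B). The names `sanitize` and `visible` are illustrative assumptions.

```python
import sys
import unicodedata

# Controls that are harmless to pass through to a terminal unchanged.
# Carriage return is deliberately excluded: it can overwrite earlier output.
SAFE_CONTROLS = {"\n", "\t"}


def visible(ch: str) -> str:
    """Return a printable stand-in for one control character."""
    cp = ord(ch)
    if cp < 0x20:
        return "^" + chr(cp + 0x40)   # ESC (0x1b) becomes ^[
    if cp == 0x7F:
        return "^?"
    return f"\\x{cp:02x}"             # C1 controls, 0x80-0x9f


def sanitize(data: bytes) -> str:
    """Decode untrusted bytes and neutralize anything a terminal would act on."""
    # Invalid UTF-8 (e.g. a raw 0x9b byte) is shown as \xNN instead of passed on.
    text = data.decode("utf-8", errors="backslashreplace")
    out = []
    for ch in text:
        # Unicode category Cc covers C0 controls, DEL and C1 controls.
        if ch not in SAFE_CONTROLS and unicodedata.category(ch) == "Cc":
            out.append(visible(ch))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Usage: script.py [FILE...]   (reads stdin when no file is given)
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                sys.stdout.write(sanitize(fh.read()))
    else:
        sys.stdout.write(sanitize(sys.stdin.buffer.read()))
```

Because ESC, BEL and CSI never reach the terminal as raw bytes, no escape sequence in the input is interpreted; the parameters that followed them are printed as ordinary text.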