Re: C file recoginzed as image file

[Richard Stallman]

    > It would never have occurred to me to have doubts about opening a
    > JPG file.  I am sure the same is true of many Emacs users.  If we
    > believe that having Emacs display JPG files as images is dangerous,
    > we had better make sure Emacs NEVER does so by default.

    Maybe the JPG libraries are safe and always have been, I don't know.

That isn't the point.  I mentioned JPG specifically in my message
because I responded to someone else that specifically mentioned JPG.
It would be the same for any other image type.  It would never have
occurred to me to have doubts about opening an image file in Emacs.
ANY type of image file.  I am sure the same is true of many Emacs
users.

    But all it takes is for ONE of the image libraries which Emacs uses to
    be exploitable and you're finished.

If we believe that having Emacs display some kind of image files as
images is dangerous, we had better make sure Emacs doesn't display
them as images until the user asks for that and has seen the file
text.

How significant this danger is in the Emacs context depends on a
number of things.  I am not sure whether the danger is enough to
matter.  But if it is, the only adequate protection is NEVER to
display such images as images by default.

The solution you and others are proposing, to display the image as an
image only when the file name extension matches the image type, is
inadequate to avoid the problem.  You might feel suspicion when you
see an extension such as .jpg, .gif, or .png, but lots of users, such
as me, would not.  Checking the file type would not protect us.
If someone wanted to send us a JPG with a virus, he could call
the file something.jpg, and bypass this test.

      Suppose that's an unpatched
    vulnerability in the tiff library.  All the attacker needs to do is
    rename his virus.tiff file to virus.jpg and send it to you.

If there is some sort of vulnerability in the tiff library, I will not
know about it.  I do not hear about such things.

The way I look at an attachment is to get it in an Emacs buffer.  Then
I save it with M-x write-region.  If it is a JPG, I expect to see PFIF
or EXIF in a certain place.  If I see it there, I save the file as
foo.jpg.

If the attachment was labeled ".jpg" and the contents look like a tiff
file instead of a jpg, I might get suspicious.  However, if it looks
like tiff and the file name is ".tiff", I would not get suspicious.

Thus, the only way to protect me from a vulnerability in the tiff
library is if Emacs does not open tiff files as images by default.

Substitute any other type of image file for "tiff" and the same
conclusion follows.