Re: C file recoginzed as image file

[Reiner Steib]

On Mon, Jan 08 2007, Richard Stallman wrote:

> How significant this danger is in the Emacs context depends on a
> number of things.  I am not sure whether the danger is enough to
> matter.  But if it is, the only adequate protection is NEVER to
> display such images as images by default.

IIUC, Emacs relies on the image libraries in the same way as Emacs
relies on zlib (or is gzip?) to (un)compress *.gz files.  I recall
vulnerabilities on both (e.g. zlib and libpng[1]) during the past
years.  If you consider image libs as dangerous in general, you may
also think about all other libs linked to Emacs.

> The solution you and others are proposing, to display the image as an
> image only when the file name extension matches the image type, is
> inadequate to avoid the problem.  You might feel suspicion when you
> see an extension such as .jpg, .gif, or .png, but lots of users, such
> as me, would not.  Checking the file type would not protect us.
> If someone wanted to send us a JPG with a virus, he could call
> the file something.jpg, and bypass this test.

A user who has compiled Emacs _without_ JPEG support would not expect
to see something.jpg displayed as an image even if the content is PNG,
I think.  And in case there's a vulnerability in libpng, he would not
expect to be in danger when opening something.jpg.

> If there is some sort of vulnerability in the tiff library, I will not
> know about it.  I do not hear about such things.

For most GNU/Linux systems, the vulnerable image libraries will be
replaced by fixed versions via (automatic) online updates soon.  If
there's a vulnerability in one of the image libraries it usually
affects dozens or hundreds of programs (or packages).  E.g. on my
system, the image libraries used by Emacs (libpng, libjpeg, giflib,
libXpm) are use by more than 200 other packages.  As the image libs
(at least libpng and libjpeg) are also used by most web browsers (such
as Mozilla Firefox), such vulnerabilities need to be fixed very fast
by the distributors (displaying images from untrusted sources in web
browsers is much more common[2] that opening them in Emacs).

Bye, Reiner.

[1]
,----[ rpm -q --changelog zlib | less +/secur ]
| * Wed Jul 20 2005 - address@hidden
| - Upgraded to 1.2.3. Security fix is now in mainline.
`----

,----[ rpm -q --changelog libpng | less +/secur ]
| * Mon Aug 16 2004 - address@hidden
| - updated to 1.2.6: included security fixes
`----

[2] "more common" in the sense of how many people use web browsers
    vs. people who open images in Emacs.
-- 
       ,,,
      (o o)
---ooO-(_)-Ooo---  |  PGP key available  |  http://rsteib.home.pages.de/