On Tue, 28 Feb 2023 at 18:51, Jean Louis <bugs@gnu.support> wrote:

> But... it is source, one can put anything inside like
> (shell-command "sudo rm -rf /")
>
> Those "CVE" bugs are exaggerated.
>
> Like this one:
>
> https://security-tracker.debian.org/tracker/CVE-2022-48338
> "malicious Ruby source files may cause commands to be executed"
>
> But hey, any malicious source file may cause commands to be
> executed.

It is a question of expectations.

If you execute a malicious source file as a script, sure, you expect
it to be executed and you are ready for any damage it causes. There is
no vulnerability except in your own head.

If you open a malicious source file in an editor, you don’t expect it
to execute any code written within, surely not before you press the
Run key. If opening a file for editing trashes your home directory,
it’s a bug and a vulnerability. If opening a file for editing causes
personal information to be sent outside, it’s a bug and a
vulnerability.
