From xemacs-m  Tue Feb 18 18:00:08 1997
Received: from newman (root@newman.aventail.com [38.225.141.10])
	by xemacs.org (8.8.5/8.8.5) with SMTP id SAA07729
	for <xemacs-beta@xemacs.org>; Tue, 18 Feb 1997 18:00:06 -0600 (CST)
Received: from kramer.in.aventail.com.aventail.com (wmperry@kramer [192.168.1.12]) by newman (8.6.12/8.6.9) with SMTP id PAA28488; Tue, 18 Feb 1997 15:58:09 -0800
Date: Tue, 18 Feb 1997 15:58:09 -0800
Message-Id: <199702182358.PAA28488@newman>
From: "William M. Perry" <wmperry@aventail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Steven L Baur <steve@miranova.com>
Cc: xemacs-beta@xemacs.org
Subject: Re: Safe elisp functions?
In-Reply-To: <m2zpx2gidx.fsf@altair.xemacs.org>
References: <199702172311.PAA23394@newman>
	<m2zpx356pc.fsf@altair.xemacs.org>
	<199702172345.PAA23641@newman>
	<m2wws755ux.fsf@altair.xemacs.org>
	<kigenefx7ux.fsf@jagor.srce.hr>
	<199702181502.HAA25410@newman>
	<m2zpx2gidx.fsf@altair.xemacs.org>
Errors-to: wmperry@aventail.com
Reply-to: wmperry@aventail.com

Steven L. Baur writes:
>William M Perry writes:
>
>> Hrvoje Niksic writes:
>>> Steven L Baur <steve@miranova.com> writes:
>
>>> I don't understand what's the point of these stack-overrunning stories.
>>> The worst that can happen is that XEmacs crashes (like netscape crashes on
>>> Java).  So what?
>
>>   Well, imagine constructing some completely psychotic string and doing a
>> regexp match on it if you knew the details of the XEmacs regexp matcher
>> bounds lossage.  You could theoretically smash the stack, and execute
>> arbitrary machine code.  Same as any other array-bounds-checking bug.  Ala
>> the FreeBSD alert a few days ago.
>
>See
>	http://www.miranova.com/~steve/StackSmashing.txt

  Ahhh, gotta love phrack.  I should resubscribe at some point.  It's been
years.

>>> I hope you don't intend to run XEmacs setuid root, which would make your
>>> fears legitimate.
>
>> Well, you might legitimately want to run XEmacs _as_ root if you happen
>> to be logged in doing system maintenance.
>
>It's either that or the Roman Numeral editor.

  The beast!

>My apologies if I appeared to come down hard on William.  I have the
>highest respect for William's programming ability and what he's been able
>to do with W3.

  No offense taken.  Always love being controversial.

-Bill P.

