GNU bug report logs - #34180
27.0.50; argv[0] used incorrectly to find the .pdmp


Package: emacs;

Reported by: Stefan Monnier <monnier <at> IRO.UMontreal.CA>

Date: Wed, 23 Jan 2019 16:09:02 UTC

Severity: important

Tags: security

Found in version 27.0.50

Fixed in version 28.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.


From: Eli Zaretskii <eliz <at> gnu.org>
To: Daniel Colascione <dancol <at> dancol.org>
Cc: 34180 <at> debbugs.gnu.org, monnier <at> IRO.UMontreal.CA
Subject: bug#34180: 27.0.50; argv[0] used incorrectly to find the .pdmp
Date: Sun, 27 Jan 2019 17:23:46 +0200
> From: Daniel Colascione <dancol <at> dancol.org>
> Date: Sat, 26 Jan 2019 19:54:29 -0800
> 
> > 1- It fails miserably if argv[0] is a name relative to $PATH since it
> >     performs the lookup relative to $PWD instead, which is additionally
> >     a security issue.
> > 
> > 2- If the executable named by argv[0] is a symlink, it does not try to
> >     follow the symlink in case the .pdmp is stored next to the
> >     destination rather than next to the source.
> 
> Yep. We should definitely fix that. realpath on argv[0] seems like the 
> right thing.

Wouldn't it be better to have a method of finding the absolute file
name of the executable from which the process was started, regardless
of what argv[0] says?  The way to do that is system-dependent (on
GNU/Linux, I believe you need to readlink ("/proc/self/exe") or
somesuch, for example), but AFAIK this can be done on all platforms we
support.
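
The GNU/Linux approach suggested in the message above, as an added example that is not part of the original thread and is not Emacs's own code: it asks the kernel for the executable's path via `/proc/self/exe` (which already points at the symlink target) and refuses to build a dump path from any relative name. The function names and the `<exe>.pdmp` naming are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Absolute path of the running executable, taken from the kernel rather
   than from argv[0]. Returns a malloc'd string, or NULL on failure.
   readlink() neither NUL-terminates nor reports truncation, so retry with
   a larger buffer until the result is strictly shorter than the buffer. */
char *self_exe_path(void)
{
    for (size_t size = 256; size <= (1u << 20); size *= 2) {
        char *buf = malloc(size);
        if (!buf)
            return NULL;
        ssize_t n = readlink("/proc/self/exe", buf, size);
        if (n >= 0 && (size_t)n < size) {
            buf[n] = '\0';
            return buf;
        }
        free(buf);
        if (n < 0)
            return NULL;        /* e.g. /proc is not mounted */
    }
    return NULL;
}

/* Hypothetical helper: dump file name derived from the executable path.
   The "<exe>.pdmp" naming is an assumption made for this example. Relative
   names are rejected so the lookup can never resolve against $PWD. */
char *dump_path_for(const char *exe)
{
    if (!exe || exe[0] != '/')
        return NULL;
    size_t len = strlen(exe) + sizeof ".pdmp";
    char *out = malloc(len);
    if (out)
        snprintf(out, len, "%s.pdmp", exe);
    return out;
}

int main(void)
{
    char *exe = self_exe_path();
    char *dump = dump_path_for(exe);
    printf("exe:  %s\ndump: %s\n", exe ? exe : "(unknown)", dump ? dump : "(none)");
    free(dump);
    free(exe);
    return 0;
}
```

If the binary was unlinked after the process started, the kernel appends " (deleted)" to the link target, so a caller should still check that the resulting dump file exists before loading it.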




This bug report was last modified 3 years and 219 days ago.
