From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 03:13:45 2023
Date: Tue, 25 Apr 2023 10:14:05 +0300
Message-Id: <83mt2wwi0y.fsf@gnu.org>
From: Eli Zaretskii
To: fuomag9
Cc: bug-gnu-emacs@gnu.org
In-Reply-To: <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> (message from fuomag9 on Mon, 24 Apr 2023 21:27:34 +0000)
Subject: Re: CVE-2021-36699 report

> From: fuomag9
> Date: Mon, 24 Apr 2023 21:27:34 +0000
>
> I’m a security researcher and I’ve searched for a way to contact the
> emacs security team but I’ve not found any information online, so I’m
> reporting this issue here.
> I’ve discovered a buffer overflow in GNU Emacs 28.0.50 (at the time of
> writing the exploit still works on GNU Emacs 28.2).
> The issue is inside the --dump-file functionality of emacs, in
> particular dump_make_lv_from_reloc at pdumper.c:5239.
> Attached to this email there is the payload used to make the
> vulnerability work (if emacs complains about a signature error you need
> to replace the hex bytes inside the payload with the expected one,
> since every emacs binary will expect a different signature).
> This issue has been assigned CVE-2021-36699 and thus I’m notifying you
> of this. (I do not think the emacs team is aware of this security
> issue.)
> The POC is simple:
> Launch emacs --dump-file exploit, where exploit is a custom crafted
> emacs dump file.

Please tell more about the buffer overflow: where does it happen in the
Emacs sources, which buffer overflows, and why.  I cannot find these
details in your report.

Also, the CVE ID seems to be incorrect: if I look it up, I get some SQL
related issue, not an Emacs issue.
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 03:24:48 2023
From: Po Lu
To: Eli Zaretskii
Cc: 63063@debbugs.gnu.org, fuomag9
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <83mt2wwi0y.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 10:14:05 +0300")
Date: Tue, 25 Apr 2023 15:24:31 +0800
Message-ID: <87v8hkctlc.fsf@yahoo.com>

Eli Zaretskii writes:

> Please tell more about the buffer overflow: where does it happen in
> the Emacs sources, which buffer overflows, and why. I cannot find
> these details in your report.

It happens because the dump file is deliberately edited to be invalid.
It is not a dump file that Emacs will generate under any circumstance,
and as such it's not a bug; by the same means, a pointer to an invalid
Lisp object could be created, causing a similar crash.  Emacs is not
expected to operate from a corrupt dump file any more than it is
expected to operate from a corrupt executable.

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 03:52:51 2023
Date: Tue, 25 Apr 2023 10:53:09 +0300
Message-Id: <83ildkwg7u.fsf@gnu.org>
From: Eli Zaretskii
To: Nicolas Martyanoff
Cc: luangruo@yahoo.com, 63063@debbugs.gnu.org, fuo@fuo.fi
In-Reply-To: <87o7nc77tt.fsf@valhala.localdomain> (message from Nicolas Martyanoff on Tue, 25 Apr 2023 09:13:34 +0200)
Subject: Re: CVE-2021-36699 report

> From: Nicolas Martyanoff
> Cc: fuomag9, emacs-devel@gnu.org
> Date: Tue, 25 Apr 2023 09:13:34 +0200
>
> Po Lu writes:
>
> > If you create a malformed dump file, of course Emacs cannot possibly
> > work. Here, the buffer overflow is not even a bug: signature checks are
> > already there to prevent a dump file created for a different copy of
> > Emacs from being loaded by mistake. If you deliberately create a
> > malformed dump file, Emacs does not guarantee correct operation.
> Is there a reason why Emacs does not validate dump files while reading
> them as any other program with any other data format? Nothing good ever
> comes from buffer overflows.
>
> > We are trying to put together two releases of a very large piece of
> > software at the same time, and really should not be wasting our time on
> > these CVE reports. It would save us a great deal of trouble if whoever
> > runs the CVE registry stopped tracking security ``issues'' with Emacs.
> I'm aware that most people simply do not care about security, and it is
> your right to do the same. However I sincerely hope it is not the view
> of the GNU Emacs project in general.
Please do NOT respond on emacs-devel, only to the bug tracker.  I've
redirected the response.

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 03:53:36 2023
Date: Tue, 25 Apr 2023 10:53:54 +0300
Message-Id: <83h6t4wg6l.fsf@gnu.org>
From: Eli Zaretskii
To: Po Lu
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi, nicolas@n16f.net
In-Reply-To: <87zg6wctqg.fsf@yahoo.com> (message from Po Lu on Tue, 25 Apr 2023 15:21:27 +0800)
Subject: Re: CVE-2021-36699 report

> From: Po Lu
> Cc: fuomag9, emacs-devel@gnu.org
> Date: Tue, 25 Apr 2023 15:21:27 +0800
>
> Nicolas Martyanoff writes:
>
> > Is there a reason why Emacs does not validate dump files while reading
> > them as any other program with any other data format? Nothing good ever
> > comes from buffer overflows.
>
> Is there any reason Unix does not verify that machine code is free of
> bugs before loading an a.out into memory?

Please keep this discussion on the bug tracker, not on emacs-devel.
PLEASE!!
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 03:55:17 2023
Date: Tue, 25 Apr 2023 10:55:36 +0300
Message-Id: <83fs8owg3r.fsf@gnu.org>
From: Eli Zaretskii
To: Po Lu
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
In-Reply-To: <87v8hkctlc.fsf@yahoo.com> (message from Po Lu on Tue, 25 Apr 2023 15:24:31 +0800)
Subject: Re: bug#63063: CVE-2021-36699 report

> From: Po Lu
> Cc: fuomag9, 63063@debbugs.gnu.org
> Date: Tue, 25 Apr 2023 15:24:31 +0800
>
> Eli Zaretskii writes:
>
> > Please tell more about the buffer overflow: where does it happen in
> > the Emacs sources, which buffer overflows, and why. I cannot find
> > these details in your report.
>
> It happens because the dump file is deliberately edited to be invalid.

I didn't ask about the root cause, I asked about the details of the
problem: where it happens in our sources, and what exactly happens.

> It is not a dump file that Emacs will generate under any circumstance,
> and as such it's not a bug; by the same means, a pointer to an invalid
> Lisp object could be created, causing a similar crash. Emacs is not
> expected to operate from a corrupt dump file any more than it is
> expected to operate from a corrupt executable.

Noted.  But please let me make up my own mind about this issue, once I
understand the details.  OK?
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 03:56:50 2023
Date: Tue, 25 Apr 2023 10:57:07 +0300
Message-Id: <83edo8wg18.fsf@gnu.org>
From: Eli Zaretskii
To: Yuri Khan
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
In-Reply-To: (message from Yuri Khan on Tue, 25 Apr 2023 14:40:20 +0700)
Subject: Re: CVE-2021-36699 report

> From: Yuri Khan
> Date: Tue, 25 Apr 2023 14:40:20 +0700
> Cc: emacs-devel@gnu.org
>
> On Tue, 25 Apr 2023 at 12:33, fuomag9 wrote:
>
> > Hi,
> > I’m a security researcher and I’ve searched for a way to contact the
> > emacs security team but I’ve not found any information online, so
> > I’m reporting this issue here.
> > I’ve discovered a buffer overflow in GNU Emacs 28.0.50 (at the time
> > of writing the exploit still works on GNU Emacs 28.2).
> > The issue is inside the --dump-file functionality of emacs, in
> > particular dump_make_lv_from_reloc at pdumper.c:5239.
> > Attached to this email there is the payload used to make the
> > vulnerability work (if emacs complains about a signature error you
> > need to replace the hex bytes inside the payload with the expected
> > one, since every emacs binary will expect a different signature).
>
> A security report needs to identify a few key pieces of information:
>
> * Who is the attacker?
> * Who is the victim?
> * What is the attack vector?
> * What does the attacker gain from the attack, that they would not be
>   able to do without it?
>
> If you start thinking about the described case, you will come to a
> conclusion that (1) you are able to attack yourself, or (2) if you can
> persuade another person to run Emacs with a dump file you provided,
> you are able to inflict denial of service for that specific run; or,
> if you provide a differently specially constructed dump file,
> arbitrary code execution as that user.
>
> However, you could achieve the same by just convincing the victim to
> run an executable file you provide.
>
> As Raymond Chen likes to say, this so-called vulnerability involves
> being on the other side of the airtight hatchway.

PLEASE do NOT respond to this on emacs-devel, only to the bug tracker.

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 04:38:35 2023
From: Po Lu
To: Eli Zaretskii
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <83fs8owg3r.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 10:55:36 +0300")
Date: Tue, 25 Apr 2023 16:38:19 +0800
Message-ID: <87r0s8cq6c.fsf@yahoo.com>

Eli Zaretskii writes:

>> From: Po Lu
>> Cc: fuomag9, 63063@debbugs.gnu.org
>> Date: Tue, 25 Apr 2023 15:24:31 +0800
>>
>> Eli Zaretskii writes:
>>
>> > Please tell more about the buffer overflow: where does it happen in
>> > the Emacs sources, which buffer overflows, and why. I cannot find
>> > these details in your report.
>>
>> It happens because the dump file is deliberately edited to be invalid.
>
> I didn't ask about the root cause, I asked about the details of the
> problem: where it happens in our sources, and what exactly happens.

The protection fault is in `dump_do_emacs_relocation'.  When the dump
file contains a relocation with an offset outside the heap:

  lv = make_lisp_ptr (obj_ptr, reloc.length);
  memcpy (emacs_ptr_at (reloc.emacs_offset), &lv, sizeof (lv));

will end up copying outside the heap.

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 05:09:11 2023
Date: Tue, 25 Apr 2023 12:09:19 +0300
Message-Id: <83a5ywwcow.fsf@gnu.org>
From: Eli Zaretskii
To: Po Lu
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
In-Reply-To: <87r0s8cq6c.fsf@yahoo.com> (message from Po Lu on Tue, 25 Apr 2023 16:38:19 +0800)
Subject: Re: bug#63063: CVE-2021-36699 report

> From: Po Lu
> Cc: fuo@fuo.fi, 63063@debbugs.gnu.org
> Date: Tue, 25 Apr 2023 16:38:19 +0800
>
> The protection fault is in `dump_do_emacs_relocation'.  When the dump
> file contains a relocation with an offset outside the heap:
>
>   lv = make_lisp_ptr (obj_ptr, reloc.length);
>   memcpy (emacs_ptr_at (reloc.emacs_offset), &lv, sizeof (lv));
>
> will end up copying outside the heap.

Thanks, but that seems to be unrelated to the code to which the OP
pointed.  Are you sure it's the same problem?

Also, writing outside of the process's address space will indeed cause
protection fault and SIGSEGV, not a buffer-overflow type of problem
that can be exploited for executing some arbitrary code.  So I'm not
sure I see why is this a security issue?

emacs_ptr_at has this comment:

  /* TODO: assert somehow that the result is actually in the Emacs image.
*/ Can we assure that in some reasonable way? We have valid_pointer_p, but that's too expensive, I think. From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 06:55:57 2023 Received: (at 63063) by debbugs.gnu.org; 25 Apr 2023 10:55:57 +0000 Received: from localhost ([127.0.0.1]:51494 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1prGKz-0000Rg-5H for submit@debbugs.gnu.org; Tue, 25 Apr 2023 06:55:57 -0400 Received: from sonic313-56.consmr.mail.ne1.yahoo.com ([66.163.185.31]:34444) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1prGKx-0000R5-8v for 63063@debbugs.gnu.org; Tue, 25 Apr 2023 06:55:55 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1682420149; bh=i/rLs84K7DliKushTvLKGOJ/OE4SMK0WPjiRlrZ36f8=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From:Subject:Reply-To; b=Sh/K+CZaWBmpqMAFEn8sa0vPgOGWqNt7+ff6Xi/Ue3imdBdCl8TRDimcZDVfDH1WwEF8FKRIBYU/LnOcQwBOMfrj/iirtTm/jUh/s/2XXc8q44ozYAHaksBZ6v/mxLGoW6oXswYPAOGD5fi6NGw7U5DHpCuEmEmkhVRzIaBdTN/ROVUM9/s9WKQvTNZKq5jwNs5voLf0L6MMehIcii8EMj6milGrNXW53YlfAuN0WhfgOQyCVTF2TkZz24Yy+CP9Za/OgRF42nST8qVr5MusGGtNYj6y7I6OF7GBqk6HoAWVvsvIGt+6V4t3YuTs4Vuip0B/OTPwcpYtLTMmFD1Zew== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1682420149; bh=6JkyQ0+kJc9Gef3c512dupPnmc840LBgkJ7Qm8a31yH=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=gwHQp8iUeKDMmkPXQP5/BhfJX+JLmNB4vLkKwLpDKEz4HDPyo4nnLUzyJVavWjHYvjockKgYP/pAoBF4jXvwCkci8m0tQE5NOaxElxklDwZiIQq+/BBX2yEpwmJHwBoSjEBtK0WdNs4+xBpRE7Ymuo4+oDzd3vhioP9rUEoBbKy3eJq1ogrCWc4g/ntm/nXT0BXDluejp9cREU8y1fcBxD/4IexrQwRsXCZYHt8Vof3HvhRmjdSQ7p0AbxUP3OIXG0LHfkC+6lIwMfpjuF43ITSC0HlOOAW+CTpPRRQm+gabTqRpjSxPe8buAY5FjomdKjCNYXcX6G6+0kBrLpvIJA== X-YMail-OSG: C.8jBaQVM1kUbzQbvarZFIST47hhmBJrj0cBZ4l_UwKUVh9cuOB9YSMCzyQpTj6 QxfFN7O2ylNxVUox5.N9s7Sb6F8uo4yCO9phtPxDaT6E1MzDKkrG1gNC5ZpNt9Hjt9iO7o6GqRor o1aavwqDeXkXIzxm0eAmibAjx5OXc1srqVZT6is_.ZYdR4w7vZq5RB_Yj7xgYw4_g2QUS3QJacg6 
TvXbeqmQHVC1FSuFRdSxaCGYstDjP0_DsLg0PGMCod8BqZ1MZrSYh2EaCenjVmovrVdWtJiKrhog Oa61tTO23wLlnD3rdubrsMwXP0Z8oeh5y_z1aV_KPjZO162g858TnNbxOwJ4PliEWEkIdWugTgvH 3OeiGJb4QNXDlTeh5ouheOEstpRQILWsrx9I14bt_NvPkOd3R62ikeFheg0.4l0x.5kpg4sbvb2P tF1555jWXwaRjdVXp8go9YLqvkgjss1o7FDxprFKXOROZOOSyU4llshcZ06l4473ki7w3lSJuXlb U_0X9HWz2URg73KLZPlU4pnDTWkTmYhgR8aDeDTsjLUsdvxHe8V2BLx_FkyKQ1K7trSLp.wFLVRk GmRNaEI44cWWFwKfyO9SSVf2.x3g57hUeSzn7sFHRjNLTatL5KaFLynW_qREbtAvxMg8xUq515LZ uHiEZT5vYs6TAG1CcTzgvUjYkdJNNZDisUqE8jgtdpgIK0dCiIBg02xaodvMB0OmkZzwpQk9Y6Wb 7IEeFDttMEk.wYJGe5gMvCqXXFHIcPvm7dTMLlW.CBQFiCzopCFsTP64UM4cvmmPTNtqOgjMSQhl nGhfF3u7sP0cb2Amz_sq1s.mBxedBhw6bmJIKtmx3QaXA9q_Sfb2ZiV4cNzupcCLykqLOoKU.gFP WLb7eA0eG76tIUQ9hikrFB7tMHq8FFT5jksKDkjbIc1iUPYXNzp0rnZwooPVawIm2o3BPUhdGhq4 2adPxZI0xiuDz2bIAiYAQ3PRrfxRxAnZyWGZzhL5A8JGZkI8u2Vx8Pal9lm9.anjGtMt7XGfICss 8S0mcjcsDiQdMU5pMA30K9hxOcR6qI1fYnJY0vjiFoT35HFrANq8KoI_TemRjon7KoF48l5FCvgS QjwKAxb14YApoIAmp3S_Ws2c1_rOZcIqLwUgCeR_780bBOPyLEFxqumigrjOzq1aj2RZimVufzWA NNhFMUIm96_6sfX5DdHoBZMGlLBbSvq5S4jf3xpkA.KyEkgW1JV9G0Ajp4YShW7u4RkrQfk_BIop uNYPvDLuYXF.gUArka_NCJXPTyJwWP84G1dCMHVIK40SAAp1BAXLV9QTdDfNejnlPrcjaA.puMpG W5lmtIqtwimwiUT3yJGBvYtz6l1GbG2t.kz91EJctjnNhDAulnNLUrp4PC3A6_qE0uTVggtDRKhf 9LqIuzT7qic0ZmHSTN_alw0HtQIkiop3VnfYpdeXRtVRv2byKgnfLRS8Hb7tg8HNvjWv3N8M4916 C8rBaCeHnyo6WrMoILAlHJGEeQTK17mjVyiq5_GEZAjO8HrFDeoKvFzf5p5u2q0x2yi5BRR5uGQM tIs3ZxhHOErMJ13G09_0L0duZksRrSbEW5PO0LKUrJI9nE8z6kOfr4yqfgmVaf0XK8jvnRlZ4KoW d20XJVnRPcYmcRZsXgG4j6ZrimNgBPvbs9Ox3lbUDKNgplTMLuppqM79Qy_iScZ7.JK9qmUMGwyO rdlKJrWwxVVt5K65tVxEIyekGa7PeOsvYcNuxGzlyVBLU1hQFeaU5QmQ4jlQ73hIWo0A6wGdZKpE 7rFhWCXFQuvda7wE0xb5RLLCNqKlEzmWMKzaUplxEQlZQ3XoU.nzxj4FpbsjFgx2BXpFk5yoND0q YmxqWJicqLGARLkwr3s.jfjK1lPKUpCuQQES3fwgf5hU_0bG7eJiTMDEyh70Kz0gLKWwMWdNuC54 TetjalKxfYwezad_626MbIIjp5dUvc5byoUzbWLyI0omSQOYo4YFGwL32eYKqZgOO_jPMxrwZeiL 56VgpNZTRuWxOtuOrIFpZ1H1R3Wv2Tpv2cc2wPo6N6Z29ixDCcEkI7ZESooUEC5cXF5sGRxZ4upC 
TiwG4OoG46lBYpOuGqvQi6EfN1drMIhlcOpYLeGUOU2GCytgQfXjKhJQWX7C4SY9sN6AmmveST5i 0RwbFKQYj7JvdVst_BhzSphErzywCLpNFQnAsOsvHuEDa.DQZIlnYFdWZt.yAilpLdRQSWHJCNfT Vmk51bVrMimiUjyi2PZzDJ7ks1PffCwrpw2znmSe4mABExi4OmFwCSYUQ4ldXpMPwoaM- X-Sonic-MF: X-Sonic-ID: 3f4ed88a-67a7-4ed8-8e5e-790842386090 Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Tue, 25 Apr 2023 10:55:49 +0000 Received: by hermes--production-sg3-6d6fb994f6-2fxf8 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 235dd4be2b40e74a54e248c696842b01; Tue, 25 Apr 2023 10:55:46 +0000 (UTC) From: Po Lu To: Eli Zaretskii Subject: Re: bug#63063: CVE-2021-36699 report In-Reply-To: <83a5ywwcow.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 12:09:19 +0300") References: <40-63e3c600-3-2d802d00@111202636> <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@eu-central-1.amazonses.com> <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> <83mt2wwi0y.fsf@gnu.org> <87v8hkctlc.fsf@yahoo.com> <83fs8owg3r.fsf@gnu.org> <87r0s8cq6c.fsf@yahoo.com> <83a5ywwcow.fsf@gnu.org> Date: Tue, 25 Apr 2023 18:55:40 +0800 Message-ID: <87mt2wcjtf.fsf@yahoo.com> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain X-Mailer: WebService/1.1.21365 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo Content-Length: 1309 X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 63063 Cc: 63063@debbugs.gnu.org, fuo@fuo.fi X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Eli Zaretskii writes: > Thanks, but that seems to be unrelated to the code to which the OP > pointed. Are you sure it's the same problem? Yes: the debugger output isn't very clear because `dump_make_lv_from_reloc' has been inlined. 
Look at the program counter in the ASAN report. > Also, writing outside of the process's address space will indeed cause > protection fault and SIGSEGV, not a buffer-overflow type of problem > that can be exploited for executing some arbitrary code. So I'm not > sure I see why is this a security issue? The invalid relocation could also point to an address that Emacs has mapped, but outside any object, in which case AddressSanitizer will report a buffer overflow. In either case, this is not a security vulnerability: if you can make the user load malformed dump files, you can make him load nefarious executables as well. It doesn't even qualify as a bug, since malformed dump files can cause Emacs to crash in a myriad of other ways. > emacs_ptr_at has this comment: > > /* TODO: assert somehow that the result is actually in the Emacs > image. */ > > Can we assure that in some reasonable way? We have valid_pointer_p, > but that's too expensive, I think. It's quite expensive. Any such check should only be turned on --with-checking. 
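The check the two messages above are circling (the TODO in emacs_ptr_at, and the point that any such check has to be cheap enough to leave on) can be written as a plain range test on the relocation offset, done before the memcpy the thread quotes. The following is an added example, not Emacs's own code: the structs emacs_image and dump_reloc, and the functions offset_in_image, apply_reloc_checked and apply_relocs, are names chosen here to model a simplified image and relocation table; the 64-byte image and the three relocation records are constructed test input.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the in-memory Emacs data image.
   Constructed for this example; not Emacs's own declarations.  */
struct emacs_image
{
  unsigned char *base;   /* start of the image */
  size_t size;           /* number of bytes the image occupies */
};

/* Hypothetical relocation record: "store VALUE at image offset
   EMACS_OFFSET", the operation the thread's memcpy performs.  */
struct dump_reloc
{
  size_t emacs_offset;   /* byte offset into the image to patch */
  uintptr_t value;       /* pointer-sized value to store there */
};

/* True only if [OFF, OFF + LEN) lies entirely inside IMG.  The test
   is done on sizes, never on pointers that may already be out of
   bounds, so an OFF close to SIZE_MAX cannot wrap around and pass.  */
bool
offset_in_image (const struct emacs_image *img, size_t off, size_t len)
{
  if (len > img->size)
    return false;
  return off <= img->size - len;
}

/* Apply one relocation.  Returns 0 on success, -1 if the relocation
   was rejected because the store would land outside the image.  This
   is an explicit range test, i.e. the cheap alternative to
   valid_pointer_p that the TODO in emacs_ptr_at asks for.  */
int
apply_reloc_checked (struct emacs_image *img, const struct dump_reloc *r)
{
  if (!offset_in_image (img, r->emacs_offset, sizeof r->value))
    return -1;
  memcpy (img->base + r->emacs_offset, &r->value, sizeof r->value);
  return 0;
}

/* Walk a relocation table and stop at the first bad entry, so a
   malformed dump is refused rather than half-applied.  Returns the
   index of the first rejected relocation, or -1 if all were applied.  */
long
apply_relocs (struct emacs_image *img, const struct dump_reloc *table,
              size_t n)
{
  for (size_t i = 0; i < n; i++)
    if (apply_reloc_checked (img, &table[i]) != 0)
      return (long) i;
  return -1;
}

/* Constructed demonstration: a 64-byte image and three relocations,
   one in range, one whose 8-byte store would overrun the last byte,
   and one whose offset is near SIZE_MAX.  Returns the index of the
   first relocation refused (1).  */
long
demo_first_rejected (void)
{
  static unsigned char buf[64];
  struct emacs_image img = { buf, sizeof buf };
  struct dump_reloc table[] = {
    { 8, 0x1234 },                  /* in range: applied */
    { sizeof buf - 1, 0x5678 },     /* would write 7 bytes past the end */
    { (size_t) -1, 0x9abc },        /* wrap-around candidate */
  };
  return apply_relocs (&img, table, sizeof table / sizeof table[0]);
}

int
main (void)
{
  printf ("first rejected relocation: %ld\n", demo_first_rejected ());
  return 0;
}
```

The cost is two integer comparisons per relocation, which is why the comparison is made on offsets rather than on the pointer emacs_ptr_at would return; a pointer comparison can be fooled by an offset that wraps. At that price the test is an order of magnitude cheaper than valid_pointer_p, so whether it is confined to --with-checking builds becomes a policy choice rather than a performance one.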
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 07:50:50 2023
From: Eli Zaretskii
To: Po Lu
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <87mt2wcjtf.fsf@yahoo.com> (message from Po Lu on Tue, 25 Apr 2023 18:55:40 +0800)
Date: Tue, 25 Apr 2023 14:51:04 +0300
Message-Id: <834jp4w57b.fsf@gnu.org>

> From: Po Lu
> Cc: fuo@fuo.fi, 63063@debbugs.gnu.org
> Date: Tue, 25 Apr 2023 18:55:40 +0800
>
> > Also, writing outside of the process's address space will indeed cause
> > protection fault and SIGSEGV, not a buffer-overflow type of problem
> > that can be exploited for executing some arbitrary code.  So I'm not
> > sure I see why this is a security issue?
>
> The invalid relocation could also point to an address that Emacs has
> mapped, but outside any object, in which case AddressSanitizer will
> report a buffer overflow.

That is still insufficient for tricking the program into executing
arbitrary code, AFAIU.  For that, you need to point it to an address
that is both writable and executable, arrange for that address to hold
the malicious code to be executed, and then arrange for the PC to jump
to that address.  By contrast, the only thing this code does is write
some stuff into some address, which may or may not be writable.
Where's the rest of this scenario, as part of just reading the dumper
file, whether nefarious or not?

> In either case, this is not a security vulnerability: if you can make
> the user load malformed dump files, you can make him load nefarious
> executables as well.

That's not necessarily true.  The malformed pdumper file could be
placed where Emacs usually finds it.  IOW, the perpetrator could
overwrite the pdumper file that Emacs loads when it starts.
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 08:27:10 2023
From: Po Lu
To: Eli Zaretskii
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <834jp4w57b.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 14:51:04 +0300")
Date: Tue, 25 Apr 2023 20:26:51 +0800
Message-ID: <87edo8cflg.fsf@yahoo.com>

Eli Zaretskii writes:

> That is still insufficient for tricking the program into executing
> arbitrary code, AFAIU.  For that, you need to point it to an address
> that is both writable and executable, arrange for that address to hold
> the malicious code to be executed, and then arrange for the PC to jump
> to that address.

This is ``easy'': figure out where the stack is, replace the return
address in a certain frame with a pointer to some executable code in
your dump file.

> By contrast, the only thing this code does is write some stuff into
> some address, which may or may not be writable.  Where's the rest of
> this scenario, as part of just reading the dumper file, whether
> nefarious or not?

It's not there.

> That's not necessarily true.  The malformed pdumper file could be
> placed where Emacs usually finds it.  IOW, the perpetrator could
> overwrite the pdumper file that Emacs loads when it starts.

But then you might as well overwrite Emacs with your malicious code,
since the pdumper file is installed with the same access control as the
Emacs executable.

If you or your site administrator wants to install a virus, you can go
ahead and just do that.  There's no need to involve Emacs or pdumper
files.
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 08:47:11 2023
From: Eli Zaretskii
To: Po Lu
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <87edo8cflg.fsf@yahoo.com> (message from Po Lu on Tue, 25 Apr 2023 20:26:51 +0800)
Date: Tue, 25 Apr 2023 15:47:29 +0300
Message-Id: <83zg6wuo0u.fsf@gnu.org>

> From: Po Lu
> Cc: fuo@fuo.fi, 63063@debbugs.gnu.org
> Date: Tue, 25 Apr 2023 20:26:51 +0800
>
> Eli Zaretskii writes:
>
> > That is still insufficient for tricking the program into executing
> > arbitrary code, AFAIU.  For that, you need to point it to an address
> > that is both writable and executable, arrange for that address to hold
> > the malicious code to be executed, and then arrange for the PC to jump
> > to that address.
>
> This is ``easy'': figure out where the stack is, replace the return
> address in a certain frame with a pointer to some executable code in
> your dump file.

How do you "easily" figure out the offset from some arbitrary data
address to the current stack pointer, and do that in advance,
i.e. before the target program even runs?

> > That's not necessarily true.  The malformed pdumper file could be
> > placed where Emacs usually finds it.  IOW, the perpetrator could
> > overwrite the pdumper file that Emacs loads when it starts.
>
> But then you might as well overwrite Emacs with your malicious code,
> since the pdumper file is installed with the same access control as the
> Emacs executable.

The pdumper file is data, not code.  It is loaded into the data
segment.  And executable code segments are usually write-protected.

> If you or your site administrator wants to install a virus, you can go
> ahead and just do that.  There's no need to involve Emacs or pdumper
> files.

I don't think this is relevant.  But based on what the code does, I
don't see why this should be considered a security issue.

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 08:59:33 2023
From: Po Lu
To: Eli Zaretskii
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <83zg6wuo0u.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 15:47:29 +0300")
Date: Tue, 25 Apr 2023 20:59:16 +0800
Message-ID: <875y9kce3f.fsf@yahoo.com>

Eli Zaretskii writes:

> How do you "easily" figure out the offset from some arbitrary data
> address to the current stack pointer, and do that in advance,
> i.e. before the target program even runs?

The reason I put ``easy'' in quotes was because it's ``easy'' in the
eyes of the people running the CVE registry.  To them, any kind of bug
(or perhaps even intended crash) is a security problem.

> The pdumper file is data, not code.  It is loaded into the data
> segment.  And executable code segments are usually write-protected.

Only some kinds of CPU make the distinction between executable and
readable pages.

> I don't think this is relevant.  But based on what the code does, I
> don't see why this should be considered a security issue.

It's not, indeed.

The glaringly obvious reason being that only the site administrator, or
the user himself, can replace the dump file with something else.
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 09:06:25 2023
From: Eli Zaretskii
To: Po Lu
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <875y9kce3f.fsf@yahoo.com> (message from Po Lu on Tue, 25 Apr 2023 20:59:16 +0800)
Date: Tue, 25 Apr 2023 16:06:41 +0300
Message-Id: <83wn20un4u.fsf@gnu.org>

> From: Po Lu
> Cc: fuo@fuo.fi, 63063@debbugs.gnu.org
> Date: Tue, 25 Apr 2023 20:59:16 +0800
>
> Eli Zaretskii writes:
>
> > The pdumper file is data, not code.  It is loaded into the data
> > segment.  And executable code segments are usually write-protected.
>
> Only some kinds of CPU make the distinction between executable and
> readable pages.

I think this depends on the OS, not only the CPU?

> > I don't think this is relevant.  But based on what the code does, I
> > don't see why this should be considered a security issue.
>
> It's not, indeed.
>
> The glaringly obvious reason being that only the site administrator, or
> the user himself, can replace the dump file with something else.

I'm not sure I agree (there's the symlink attack, for example), but I
don't think it changes the nature of the issue.
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 09:18:43 2023
From: Po Lu
To: Eli Zaretskii
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <83wn20un4u.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 16:06:41 +0300")
Date: Tue, 25 Apr 2023 21:18:20 +0800
Message-ID: <87wn20ayn7.fsf@yahoo.com>
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi

Eli Zaretskii writes:

> I think this depends on the OS, not only the CPU?

That too.

>> > I don't think this is relevant.  But based on what the code does, I
>> > don't see why this should be considered a security issue.
>>
>> It's not, indeed.
>>
>> The glaringly obvious reason being that only the site administrator, or
>> the user himself, can replace the dump file with something else.
>
> I'm not sure I agree (there's the symlink attack, for example), but I
> don't think it changes the nature of the issue.

How would such a ``symlink attack'' work?
And in any case:

  1. How will such a malicious .pdmp file be installed on the user's
     system?
  2. How will such a malicious .pdmp file end up loaded by the user's
     Emacs?
  3. What privileges will the user's Emacs have, that whoever installed
     the malicious .pdmp file did not?

The answers to questions 1 and 2 can only be ``by user action'', or
``by administrative action''.  The answer to question 3 naturally follows.

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 10:55:46 2023
From: fuomag9 <fuo@fuo.fi>
Message-ID: <01070187b7967feb-2f16162d-52c2-4bea-b3bd-fb31f04a600e-000000@eu-central-1.amazonses.com>
Subject: Re: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 08:45:06 +0000
In-Reply-To: <83mt2wwi0y.fsf@gnu.org>
To: Eli Zaretskii <eliz@gnu.org>
Cc: bug-gnu-emacs@gnu.org

Hi, the CVE is currently unpublished. So when visiting this URL you'll see that it's reserved: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-36699

> On 25 Apr 2023, at 09:14, Eli Zaretskii <eliz@gnu.org> wrote:
>
>> From: fuomag9 <fuo@fuo.fi>
>> Date: Mon, 24 Apr 2023 21:27:34 +0000
>>
>> I'm a security researcher and I've searched for a way to contact the emacs security team but I've not found any information online, so I'm reporting this issue here.
>> I've discovered a buffer overflow in GNU Emacs 28.0.50 (at the time of writing the exploit still works on GNU Emacs 28.2).
>> The issue is inside the --dump-file functionality of emacs, in particular dump_make_lv_from_reloc at pdumper.c:5239.
>> Attached to this email there is a payload used to make the vulnerability work (if emacs complains about a signature error you need to replace the hex bytes inside the payload with the expected one, since every emacs binary will expect a different signature).
>> This issue has been assigned CVE-2021-36699 and thus I'm notifying you of this. (I do not think the emacs team is aware of this security issue.)
>> The POC is simple:
>> Launch emacs --dump-file exploit, where exploit is a custom crafted emacs dump file.
>
> Please tell more about the buffer overflow: where does it happen in
> the Emacs sources, which buffer overflows, and why.  I cannot find
> these details in your report.
>
> Also, the CVE ID seems to be incorrect: if I look it up, I get some
> SQL related issue, not an Emacs issue.
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 11:54:54 2023
Subject: Re: bug#63063: CVE-2021-36699 report
From: lux
To: Po Lu, Eli Zaretskii
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
Date: Tue, 25 Apr 2023 23:54:33 +0800
In-Reply-To: <87wn20ayn7.fsf@yahoo.com>

On Tue, 2023-04-25 at 21:18 +0800, Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors wrote:
> Eli Zaretskii writes:
>
> > I think this depends on the OS, not only the CPU?
>
> That too.
>
> > > > I don't think this is relevant.  But based on what the code does, I
> > > > don't see why this should be considered a security issue.
> > >
> > > It's not, indeed.
> > >
> > > The glaringly obvious reason being that only the site administrator, or
> > > the user himself, can replace the dump file with something else.
> >
> > I'm not sure I agree (there's the symlink attack, for example), but I
> > don't think it changes the nature of the issue.
>
> How would such a ``symlink attack'' work?
> And in any case:
>
>   1. How will such a malicious .pdmp file be installed on the user's
>      system?
>   2. How will such a malicious .pdmp file end up loaded by the user's
>      Emacs?
>   3. What privileges will the user's Emacs have, that whoever installed
>      the malicious .pdmp file did not?
>
> The answers to questions 1 and 2 can only be ``by user action'', or
> ``by administrative action''.  The answer to question 3 naturally follows.

How the vulnerability is exploited depends on the scenario and on what color hat the attacker wears (black hat, white hat). Attackers do not use conventional thinking to exploit vulnerabilities, and they turn many local vulnerabilities from 'impossible' to 'possible'. For reference, take a look at some APT (Advanced Persistent Threat) reports: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections

I think if the reported CVEs are real and valid, they should be taken seriously.

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 12:01:33 2023
Date: Tue, 25 Apr 2023 19:01:47 +0300
Message-Id: <83o7ncuf10.fsf@gnu.org>
From: Eli Zaretskii
To: lux
In-Reply-To: (message from lux on Tue, 25 Apr 2023 23:54:33 +0800)
Subject: Re: bug#63063: CVE-2021-36699 report
Cc: luangruo@yahoo.com, 63063@debbugs.gnu.org, fuo@fuo.fi

> From: lux
> Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
> Date: Tue, 25 Apr 2023 23:54:33 +0800
>
> I think if the reported CVEs are real and valid, they should be taken
> seriously.

I agree, but in this case all I see is a convoluted way of having
Emacs crash.  That's not a security problem in my book.
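The exchange above turns on who is able to replace the dump file (Po Lu's three questions) and on the symlink case Eli mentions. The following C program is an added illustration of the loader-side trust checks that address exactly those questions; it is not Emacs code and does not reproduce what pdumper.c does. The 8-byte fingerprint header, the `check_dump_file`, `write_sample` and `run_self_check` functions, and the `.pdmp` sample file names are assumptions made for this example; the sample files are constructed in a temporary directory so the program runs offline.

```c
/* Added example, not Emacs code: trust checks a loader can apply before it
   maps a caller-supplied data file (a dump file, for instance).  The 8-byte
   fingerprint header, the file names and the function names are assumptions
   made for this illustration. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum dump_status {
    DUMP_OK = 0,
    DUMP_ERR_OPEN,         /* open failed; with O_NOFOLLOW this includes a symlink */
    DUMP_ERR_NOT_REGULAR,  /* directory, device, FIFO, ... */
    DUMP_ERR_OWNER,        /* owned by neither root nor the calling user */
    DUMP_ERR_WRITABLE,     /* group- or world-writable: anyone could have replaced it */
    DUMP_ERR_FINGERPRINT   /* header does not match what this binary expects */
};

/* Constructed stand-in for the fingerprint this particular binary expects. */
static const unsigned char EXPECTED_FINGERPRINT[8] =
    { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };

enum dump_status check_dump_file(const char *path)
{
    /* O_NOFOLLOW makes open() fail with ELOOP when the final path component
       is a symlink, so a link planted in the directory cannot redirect the
       load.  Every later check uses the fd (fstat), never the path, so there
       is no window between a path-based stat() and the open(). */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return DUMP_ERR_OPEN;

    enum dump_status rc = DUMP_OK;
    struct stat st;
    unsigned char hdr[sizeof EXPECTED_FINGERPRINT];

    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        rc = DUMP_ERR_NOT_REGULAR;
    else if (st.st_uid != 0 && st.st_uid != geteuid())
        rc = DUMP_ERR_OWNER;            /* answers "who could have installed it?" */
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        rc = DUMP_ERR_WRITABLE;         /* others could have replaced the contents */
    else if (read(fd, hdr, sizeof hdr) != (ssize_t) sizeof hdr
             || memcmp(hdr, EXPECTED_FINGERPRINT, sizeof hdr) != 0)
        rc = DUMP_ERR_FINGERPRINT;      /* built for a different binary */

    close(fd);
    return rc;
}

/* Write a constructed sample file with the given header bytes and mode. */
static int write_sample(const char *path, const unsigned char *hdr,
                        size_t len, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    int ok = write(fd, hdr, len) == (ssize_t) len && fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Build constructed samples in a temporary directory and run the checker on
   each.  Returns the number of cases whose status differed from the expected
   one, so 0 means every check behaved as described above. */
int run_self_check(void)
{
    static const unsigned char wrong[8] = { 0 };
    char dir[] = "/tmp/dumpcheck.XXXXXX";
    char good[64], bad[64], loose[64], lnk[64];
    int mismatches = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(good, sizeof good, "%s/good.pdmp", dir);
    snprintf(bad, sizeof bad, "%s/bad.pdmp", dir);
    snprintf(loose, sizeof loose, "%s/loose.pdmp", dir);
    snprintf(lnk, sizeof lnk, "%s/link.pdmp", dir);

    mismatches += write_sample(good, EXPECTED_FINGERPRINT, 8, 0644) != 0;
    mismatches += write_sample(bad, wrong, 8, 0644) != 0;
    mismatches += write_sample(loose, EXPECTED_FINGERPRINT, 8, 0666) != 0;
    mismatches += symlink(good, lnk) != 0;

    mismatches += check_dump_file(good) != DUMP_OK;
    mismatches += check_dump_file(bad) != DUMP_ERR_FINGERPRINT;
    mismatches += check_dump_file(loose) != DUMP_ERR_WRITABLE;   /* world-writable */
    mismatches += check_dump_file(lnk) != DUMP_ERR_OPEN;         /* symlink refused */
    mismatches += check_dump_file(dir) != DUMP_ERR_NOT_REGULAR;  /* a directory */

    unlink(good); unlink(bad); unlink(loose); unlink(lnk); rmdir(dir);
    return mismatches;
}

int main(void)
{
    int n = run_self_check();
    printf("self-check: %d mismatch(es)\n", n);
    return n == 0 ? 0 : 1;
}
```

The checks map onto the thread's questions: the owner and writability tests bound who could have installed or replaced the file, O_NOFOLLOW removes the symlink redirection Eli alludes to, and the fingerprint comparison rejects a file built for a different binary (the page's "signature error"). None of this changes the privilege question in Po Lu's point 3; it only makes the loader refuse inputs that the threat model says should not be trusted.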
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 12:17:38 2023
From: Robert Pluim
To: Eli Zaretskii
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <83o7ncuf10.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 25 Apr 2023 19:01:47 +0300")
Date: Tue, 25 Apr 2023 18:17:24 +0200
Message-ID: <87mt2w7x7v.fsf@gmail.com>
Cc: luangruo@yahoo.com, lux, fuo@fuo.fi, 63063@debbugs.gnu.org

>>>>> On Tue, 25 Apr 2023 19:01:47 +0300, Eli Zaretskii said:

    >> From: lux
    >> Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
    >> Date: Tue, 25 Apr 2023 23:54:33 +0800
    >>
    >> I think if the reported CVEs are real and valid, they should be taken
    >> seriously.

    Eli> I agree, but in this case all I see is a convoluted way of having
    Eli> Emacs crash.  That's not a security problem in my book.

"Itʼs a denial of service attack. You MUST fix it. Whereʼs my fee?"

(sorry, I too deal with this kind of stuff far too often).

Robert
--

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 12:42:54 2023
Subject: Re: bug#63063: CVE-2021-36699 report
From: lux
To: Robert Pluim, Eli Zaretskii
Cc: luangruo@yahoo.com, 63063@debbugs.gnu.org, fuo@fuo.fi
Date: Wed, 26 Apr 2023 00:37:33 +0800
In-Reply-To: <87mt2w7x7v.fsf@gmail.com>

On Tue, 2023-04-25 at 18:17 +0200, Robert Pluim wrote:
> >>>>> On Tue, 25 Apr 2023 19:01:47 +0300, Eli Zaretskii said:
>
>     >> From: lux
>     >> Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
>     >> Date: Tue, 25 Apr 2023 23:54:33 +0800
>     >>
>     >> I think if the reported CVEs are real and valid, they should be taken
>     >> seriously.
>
>     Eli> I agree, but in this case all I see is a convoluted way of having
>     Eli> Emacs crash.  That's not a security problem in my book.
>
> "Itʼs a denial of service attack. You MUST fix it. Whereʼs my fee?"
>
> (sorry, I too deal with this kind of stuff far too often).
>
> Robert

I have to face this problem every day. Yes, I'm faced with many meaningless CVE numbers every day. So I hope the submitter will give the details and the developer will decide to ignore, fix urgently, or postpone the fix depending on the level of harm.
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 25 21:29:03 2023
From: Richard Stallman
To: Eli Zaretskii
Cc: luangruo@yahoo.com, 63063@debbugs.gnu.org, fuo@fuo.fi
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <834jp4w57b.fsf@gnu.org> (message from Eli Zaretskii on Tue, 25 Apr 2023 14:51:04 +0300)
Date: Tue, 25 Apr 2023 21:28:51 -0400
Reply-To: rms@gnu.org

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> > In either case, this is not a security vulnerability: if you can make
> > the user load malformed dump files, you can make him load nefarious
> > executables as well.

> That's not necessarily true. The malformed pdumper file could be
> placed where Emacs usually finds it. IOW, the perpetrator could
> overwrite the pdumper file that Emacs loads when it starts.

If the pdumper file is writable by you, you could mess it up in all
sorts of ways. You wouldn't need this feature -- you could do it with
truncate, or cat.

So I think it is incorrect to describe this feature as being a security
problem.

--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)