GNU bug report logs - #63063
CVE-2021-36699 report

Previous Next

Full log

View this message in rfc822 format

From: Eli Zaretskii <eliz <at> gnu.org>
To: Nicolas Martyanoff <nicolas <at> n16f.net>
Cc: luangruo <at> yahoo.com, 63063 <at> debbugs.gnu.org, fuo <at> fuo.fi
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 10:53:09 +0300

> From: Nicolas Martyanoff <nicolas <at> n16f.net>
> Cc: fuomag9 <fuo <at> fuo.fi>,  emacs-devel <at> gnu.org
> Date: Tue, 25 Apr 2023 09:13:34 +0200
> 
> Po Lu <luangruo <at> yahoo.com> writes:
> 
> > If you create a malformed dump file, of course Emacs cannot possibly
> > work.  Here, the buffer overflow is not even a bug: signature checks are
> > already there to prevent a dump file created for a different copy of
> > Emacs from being loaded by mistake.  If you deliberately create a
> > malformed dump file, Emacs does not guarantee correct operation.
> Is there a reason why Emacs does not validate dump files while reading
> them as any other program with any other data format? Nothing good ever
> comes from buffer overflows.
> 
> > We are trying to put together two releases of a very large piece of
> > software at the same time, and really should not be wasting our time on
> > these CVE reports.  It would save us a great deal of trouble if whoever
> > runs the CVE registry stopped tracking security ``issues'' with Emacs.
> I'm aware that most people simply do not care about security, and it is
> your right to do the same. However I sincerely hope it is not the view
> of the GNU Emacs project in general.

Please do NOT respond on emacs-devel, only to the bug tracker.

I've redirected the response.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.