GNU bug report logs - #63063
CVE-2021-36699 report

Please note: This is a static page, with minimal formatting, updated once a day.

Package: emacs; Reported by: Eli Zaretskii <eliz@HIDDEN>; dated Tue, 25 Apr 2023 07:14:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 63063 <at> debbugs.gnu.org:


Date: Tue, 25 Apr 2023 16:06:41 +0300
Message-Id: <83wn20un4u.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Po Lu <luangruo@HIDDEN>
In-Reply-To: <875y9kce3f.fsf@HIDDEN> (message from Po Lu on Tue, 25 Apr
 2023 20:59:16 +0800)
Subject: Re: bug#63063: CVE-2021-36699 report
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN

> From: Po Lu <luangruo@HIDDEN>
> Cc: fuo@HIDDEN,  63063 <at> debbugs.gnu.org
> Date: Tue, 25 Apr 2023 20:59:16 +0800
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> > The pdumper file is data, not code.  It is loaded into the data
> > segment.  And executable code segments are usually write-protected.
> 
> Only some kinds of CPU make the distinction between executable and
> readable pages.

I think this depends on the OS, not only the CPU?

> > I don't think this is relevant.  But based on what the code does, I
> > don't see why this should be considered a security issue.
> 
> It's not, indeed.
> 
> The glaringly obvious reason being that only the site administrator, or
> the user himself, can replace the dump file with something else.

I'm not sure I agree (there's the symlink attack, for example), but I
don't think it changes the nature of the issue.
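
The symlink attack mentioned above is the one case in which the dump file's location matters on its own: a path component, or the directory the file lives in, that someone other than the administrator or the user can influence. The check a loader can make is to refuse to follow a symbolic link in the final path component and then to judge the inode it actually opened. What follows is an added example written for this page, not Emacs code, and it makes no claim about what Emacs itself does or does not check; the status enum, the ownership and mode policy (owned by root or by the caller, not group- or world-writable) and the scratch files named emacs*.pdmp under /tmp are the example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of trying to open a dump file for loading (example's own enum). */
enum dump_open_status {
    DUMP_OK = 0,
    DUMP_IS_SYMLINK,         /* final path component is a symlink: refused */
    DUMP_NOT_REGULAR,        /* directory, device, fifo, ... */
    DUMP_BAD_OWNER,          /* owned by neither root nor the calling user */
    DUMP_WRITABLE_BY_OTHERS, /* group or other write bit set */
    DUMP_OPEN_FAILED         /* any other open()/fstat() error */
};

/* Open PATH without following a symlink in its last component, then judge
   the inode actually opened.  Using fstat() on the descriptor rather than
   stat() on the path leaves no window in which the path could be swapped
   between the check and the open. */
static enum dump_open_status open_dump_safely(const char *path, int *fd_out)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)   /* Linux/macOS report ELOOP for a refused symlink, FreeBSD EMLINK */
        return (errno == ELOOP || errno == EMLINK) ? DUMP_IS_SYMLINK : DUMP_OPEN_FAILED;

    struct stat st;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return DUMP_OPEN_FAILED;
    }

    enum dump_open_status status = DUMP_OK;
    if (!S_ISREG(st.st_mode))
        status = DUMP_NOT_REGULAR;
    else if (st.st_uid != 0 && st.st_uid != geteuid())
        status = DUMP_BAD_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        status = DUMP_WRITABLE_BY_OTHERS;

    if (status != DUMP_OK) {
        close(fd);
        return status;
    }
    *fd_out = fd;
    return DUMP_OK;
}

/* Convenience: classify PATH and drop the descriptor. */
static enum dump_open_status probe(const char *path)
{
    int fd = -1;
    enum dump_open_status s = open_dump_safely(path, &fd);
    if (fd >= 0)
        close(fd);
    return s;
}

/* Self-check on a constructed scratch directory under /tmp: a proper dump
   file, a symlink to it, a world-writable copy, and the directory itself.
   Returns true when every case is classified as expected. */
static bool demo_open_dump_safely(void)
{
    char dir[] = "/tmp/dumpcheck-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return false;

    char real[64], lnk[64], loose[64];
    snprintf(real, sizeof real, "%s/emacs.pdmp", dir);
    snprintf(lnk, sizeof lnk, "%s/emacs-link.pdmp", dir);
    snprintf(loose, sizeof loose, "%s/emacs-loose.pdmp", dir);

    bool ok = true;
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) ok = false; else close(fd);
    if (ok && symlink(real, lnk) != 0) ok = false;
    if (ok) {
        fd = open(loose, O_WRONLY | O_CREAT | O_EXCL, 0666);
        if (fd < 0) ok = false; else close(fd);
    }
    if (ok && chmod(loose, 0666) != 0) ok = false;   /* undo the umask */

    if (ok) ok = probe(real)  == DUMP_OK;
    if (ok) ok = probe(lnk)   == DUMP_IS_SYMLINK;
    if (ok) ok = probe(loose) == DUMP_WRITABLE_BY_OTHERS;
    if (ok) ok = probe(dir)   == DUMP_NOT_REGULAR;

    unlink(loose); unlink(lnk); unlink(real); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("dump-file checks behave as expected: %s\n",
           demo_open_dump_safely() ? "yes" : "no");
    return 0;
}
```

The policy is the one an administrator would expect of an installed data file; a per-user dump in the user's own home directory still passes as long as the user owns it and nobody else can write it. Rejecting the file only prevents loading it: as the thread itself observes, whoever can replace the dump file in its installed location can usually replace the executable as well, so this check is aimed at paths and directories an attacker can reach without that privilege.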




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


From: Po Lu <luangruo@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <83zg6wuo0u.fsf@HIDDEN> (Eli Zaretskii's message of "Tue, 25 Apr
 2023 15:47:29 +0300")
Date: Tue, 25 Apr 2023 20:59:16 +0800
Message-ID: <875y9kce3f.fsf@HIDDEN>
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN

Eli Zaretskii <eliz@HIDDEN> writes:

> How do you "easily" figure out the offset from some arbitrary data
> address to the current stack pointer, and do that in advance,
> i.e. before the target program even runs?

The reason I put ``easy'' in quotes was because it's ``easy'' in the
eyes of the people running the CVE registry.  To them, any kind of bug
(or perhaps even intended crash) is a security problem.

> The pdumper file is data, not code.  It is loaded into the data
> segment.  And executable code segments are usually write-protected.

Only some kinds of CPU make the distinction between executable and
readable pages.

> I don't think this is relevant.  But based on what the code does, I
> don't see why this should be considered a security issue.

It's not, indeed.

The glaringly obvious reason being that only the site administrator, or
the user himself, can replace the dump file with something else.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


Date: Tue, 25 Apr 2023 15:47:29 +0300
Message-Id: <83zg6wuo0u.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Po Lu <luangruo@HIDDEN>
In-Reply-To: <87edo8cflg.fsf@HIDDEN> (message from Po Lu on Tue, 25 Apr
 2023 20:26:51 +0800)
Subject: Re: bug#63063: CVE-2021-36699 report
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN

> From: Po Lu <luangruo@HIDDEN>
> Cc: fuo@HIDDEN,  63063 <at> debbugs.gnu.org
> Date: Tue, 25 Apr 2023 20:26:51 +0800
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> > That is still insufficient for tricking the program into executing
> > arbitrary code, AFAIU.  For that, you need to point it to an address
> > that is both writable and executable, arrange for that address to hold
> > the malicious code to be executed, and then arrange for the PC to jump
> > to that address.
> 
> This is ``easy'': figure out where the stack is, replace the return
> address in a certain frame with a pointer to some executable code in
> your dump file.

How do you "easily" figure out the offset from some arbitrary data
address to the current stack pointer, and do that in advance,
i.e. before the target program even runs?

> > That's not necessarily true.  The malformed pdumper file could be
> > placed where Emacs usually finds it.  IOW, the perpetrator could
> > overwrite the pdumper file that Emacs loads when it starts.
> 
> But then you might as well overwrite Emacs with your malicious code,
> since the pdumper file is installed with the same access control as the
> Emacs executable.

The pdumper file is data, not code.  It is loaded into the data
segment.  And executable code segments are usually write-protected.

> If you or your site administrator wants to install a virus, you can go
> ahead and just do that.  There's no need to involve Emacs or pdumper
> files.

I don't think this is relevant.  But based on what the code does, I
don't see why this should be considered a security issue.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


From: Po Lu <luangruo@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <834jp4w57b.fsf@HIDDEN> (Eli Zaretskii's message of "Tue, 25 Apr
 2023 14:51:04 +0300")
Date: Tue, 25 Apr 2023 20:26:51 +0800
Message-ID: <87edo8cflg.fsf@HIDDEN>
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN

Eli Zaretskii <eliz@HIDDEN> writes:

> That is still insufficient for tricking the program into executing
> arbitrary code, AFAIU.  For that, you need to point it to an address
> that is both writable and executable, arrange for that address to hold
> the malicious code to be executed, and then arrange for the PC to jump
> to that address.

This is ``easy'': figure out where the stack is, replace the return
address in a certain frame with a pointer to some executable code in
your dump file.

> By contrast, the only thing this code does is write some stuff into
> some address, which may or may not be writable.  Where's the rest of
> this scenario, as part of just reading the dumper file, whether
> nefarious or not?

It's not there.

> That's not necessarily true.  The malformed pdumper file could be
> placed where Emacs usually finds it.  IOW, the perpetrator could
> overwrite the pdumper file that Emacs loads when it starts.

But then you might as well overwrite Emacs with your malicious code,
since the pdumper file is installed with the same access control as the
Emacs executable.

If you or your site administrator wants to install a virus, you can go
ahead and just do that.  There's no need to involve Emacs or pdumper
files.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


Date: Tue, 25 Apr 2023 14:51:04 +0300
Message-Id: <834jp4w57b.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Po Lu <luangruo@HIDDEN>
In-Reply-To: <87mt2wcjtf.fsf@HIDDEN> (message from Po Lu on Tue, 25 Apr
 2023 18:55:40 +0800)
Subject: Re: bug#63063: CVE-2021-36699 report
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN

> From: Po Lu <luangruo@HIDDEN>
> Cc: fuo@HIDDEN,  63063 <at> debbugs.gnu.org
> Date: Tue, 25 Apr 2023 18:55:40 +0800
> 
> > Also, writing outside of the process's address space will indeed cause
> > protection fault and SIGSEGV, not a buffer-overflow type of problem
> > that can be exploited for executing some arbitrary code.  So I'm not
> > sure I see why is this a security issue?
> 
> The invalid relocation could also point to an address that Emacs has
> mapped, but outside any object, in which case AddressSanitizer will
> report a buffer overflow.

That is still insufficient for tricking the program into executing
arbitrary code, AFAIU.  For that, you need to point it to an address
that is both writable and executable, arrange for that address to hold
the malicious code to be executed, and then arrange for the PC to jump
to that address.  By contrast, the only thing this code does is write
some stuff into some address, which may or may not be writable.
Where's the rest of this scenario, as part of just reading the dumper
file, whether nefarious or not?

> In either case, this is not a security vulnerability: if you can make
> the user load malformed dump files, you can make him load nefarious
> executables as well.

That's not necessarily true.  The malformed pdumper file could be
placed where Emacs usually finds it.  IOW, the perpetrator could
overwrite the pdumper file that Emacs loads when it starts.
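
The exchange above turns on what an unchecked relocation in a loaded dump image can do: write through an offset the file supplied, to an address that may be unmapped (SIGSEGV) or mapped but outside any object (what AddressSanitizer reports). The following is an added example written for this page, not Emacs's pdumper code and not its file format: a deliberately simplified image whose relocation table lists offsets of 8-byte slots to be rebased by a load slide, with an applier that trusts the table beside one that validates every offset (alignment and an overflow-safe bounds check) before writing anything. The struct names, the slide value and the sample images are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified dump image (NOT Emacs's pdumper format): a
   byte buffer plus a table of offsets, each naming an 8-byte pointer
   slot that must have the load slide added when the image is loaded. */
struct reloc { uint64_t offset; };

struct image {
    uint8_t *base;             /* loaded image bytes */
    size_t size;               /* number of bytes at base */
    const struct reloc *relocs;
    size_t nrelocs;
};

static uint64_t read_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Unchecked applier: trusts every offset in the file.  With an offset past
   the end of the image this writes 8 bytes outside the mapping, which is
   the failure the thread describes: SIGSEGV if the page is unmapped, or an
   ASan buffer-overflow report if it is mapped but outside any object.
   Kept for contrast and only ever called on a validated table below. */
static void apply_relocs_unchecked(struct image *img, uint64_t slide)
{
    for (size_t i = 0; i < img->nrelocs; i++) {
        uint8_t *slot = img->base + img->relocs[i].offset;
        uint64_t v = read_u64(slot) + slide;
        memcpy(slot, &v, sizeof v);
    }
}

/* Checked applier: validates the whole table before the first write, so a
   malformed file is rejected with the image untouched.  Returns false on
   a misaligned slot or one that does not lie entirely inside the image. */
static bool apply_relocs_checked(struct image *img, uint64_t slide)
{
    for (size_t i = 0; i < img->nrelocs; i++) {
        uint64_t off = img->relocs[i].offset;
        if (off % 8 != 0)
            return false;                   /* misaligned slot */
        if (off > img->size || img->size - off < 8)
            return false;                   /* slot not inside image; cannot wrap */
    }
    apply_relocs_unchecked(img, slide);     /* safe now: every offset is in range */
    return true;
}

/* Constructed sample images for the self-check. */
static bool demo_well_formed(void)
{
    uint8_t buf[32] = {0};
    uint64_t a = 0x1000, b = 0x2000;
    memcpy(buf, &a, 8);
    memcpy(buf + 16, &b, 8);
    struct reloc table[] = { {0}, {16} };
    struct image img = { buf, sizeof buf, table, 2 };
    if (!apply_relocs_checked(&img, 0x10))
        return false;
    return read_u64(buf) == 0x1010 && read_u64(buf + 16) == 0x2010;
}

static bool demo_out_of_range_rejected(void)
{
    uint8_t buf[32] = {0};
    /* First slot is fine; the second starts exactly at the end of the
       image.  The whole table must be refused and slot 0 left untouched. */
    struct reloc table[] = { {0}, {32} };
    struct image img = { buf, sizeof buf, table, 2 };
    return !apply_relocs_checked(&img, 0x10) && read_u64(buf) == 0;
}

static bool demo_wraparound_rejected(void)
{
    uint8_t buf[32] = {0};
    /* Aligned offset near UINT64_MAX: a check written as "off + 8 > size"
       would wrap to a small value and pass; the subtraction form does not. */
    struct reloc table[] = { {UINT64_MAX - 7} };
    struct image img = { buf, sizeof buf, table, 1 };
    return !apply_relocs_checked(&img, 0x10);
}

int main(void)
{
    printf("well-formed image rebased:  %s\n", demo_well_formed() ? "yes" : "no");
    printf("out-of-range slot rejected: %s\n", demo_out_of_range_rejected() ? "yes" : "no");
    printf("wraparound offset rejected: %s\n", demo_wraparound_rejected() ? "yes" : "no");
    return 0;
}
```

The checked applier validates the whole table before the first write, so a malformed file is rejected without leaving the image partially rebased, and the bound is computed as `size - off < 8` rather than `off + 8 > size` so that an offset near UINT64_MAX cannot wrap past the check. Whether a rejected file is a security issue or merely a crash is what the thread disputes; the check removes the out-of-range write either way.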




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


Received: (at 63063) by debbugs.gnu.org; 25 Apr 2023 10:55:57 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 25 06:55:57 2023
Received: from localhost ([127.0.0.1]:51494 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1prGKz-0000Rg-5H
	for submit <at> debbugs.gnu.org; Tue, 25 Apr 2023 06:55:57 -0400
Received: from sonic313-56.consmr.mail.ne1.yahoo.com ([66.163.185.31]:34444)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <luangruo@HIDDEN>) id 1prGKx-0000R5-8v
 for 63063 <at> debbugs.gnu.org; Tue, 25 Apr 2023 06:55:55 -0400
X-Sonic-MF: <luangruo@HIDDEN>
X-Sonic-ID: 3f4ed88a-67a7-4ed8-8e5e-790842386090
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic313.consmr.mail.ne1.yahoo.com with HTTP; Tue, 25 Apr 2023 10:55:49 +0000
Received: by hermes--production-sg3-6d6fb994f6-2fxf8 (Yahoo Inc. Hermes SMTP
 Server) with ESMTPA ID 235dd4be2b40e74a54e248c696842b01; 
 Tue, 25 Apr 2023 10:55:46 +0000 (UTC)
From: Po Lu <luangruo@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <83a5ywwcow.fsf@HIDDEN> (Eli Zaretskii's message of "Tue, 25 Apr
 2023 12:09:19 +0300")
References: <40-63e3c600-3-2d802d00@111202636>
 <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@HIDDEN>
 <bcb96279c47143f403f588dc3f020725029137bd.camel@HIDDEN>
 <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
 <83mt2wwi0y.fsf@HIDDEN> <87v8hkctlc.fsf@HIDDEN>
 <83fs8owg3r.fsf@HIDDEN> <87r0s8cq6c.fsf@HIDDEN>
 <83a5ywwcow.fsf@HIDDEN>
Date: Tue, 25 Apr 2023 18:55:40 +0800
Message-ID: <87mt2wcjtf.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Mailer: WebService/1.1.21365
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 1309
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 63063
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Eli Zaretskii <eliz@HIDDEN> writes:

> Thanks, but that seems to be unrelated to the code to which the OP
> pointed.  Are you sure it's the same problem?

Yes: the debugger output isn't very clear because
`dump_make_lv_from_reloc' has been inlined.  Look at the program counter
in the ASAN report.

> Also, writing outside of the process's address space will indeed cause
> protection fault and SIGSEGV, not a buffer-overflow type of problem
> that can be exploited for executing some arbitrary code.  So I'm not
> sure I see why this is a security issue?

The invalid relocation could also point to an address that Emacs has
mapped, but outside any object, in which case AddressSanitizer will
report a buffer overflow.

In either case, this is not a security vulnerability: if you can make
the user load malformed dump files, you can make him load nefarious
executables as well.  It doesn't even qualify as a bug, since malformed
dump files can cause Emacs to crash in a myriad of other ways.

> emacs_ptr_at has this comment:
>
>   /* TODO: assert somehow that the result is actually in the Emacs
>      image.  */
>
> Can we assure that in some reasonable way?  We have valid_pointer_p,
> but that's too expensive, I think.

It's quite expensive.  Any such check should only be turned on
--with-checking.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


Received: (at 63063) by debbugs.gnu.org; 25 Apr 2023 09:09:12 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 25 05:09:11 2023
Received: from localhost ([127.0.0.1]:51231 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1prEff-0005JL-Fp
	for submit <at> debbugs.gnu.org; Tue, 25 Apr 2023 05:09:11 -0400
Received: from eggs.gnu.org ([209.51.188.92]:40676)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1prEfT-0005Ij-S7
 for 63063 <at> debbugs.gnu.org; Tue, 25 Apr 2023 05:09:10 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prEfO-0002rX-AZ; Tue, 25 Apr 2023 05:08:54 -0400
Received: from [87.69.77.57] (helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prEfN-0001fo-KB; Tue, 25 Apr 2023 05:08:53 -0400
Date: Tue, 25 Apr 2023 12:09:19 +0300
Message-Id: <83a5ywwcow.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Po Lu <luangruo@HIDDEN>
In-Reply-To: <87r0s8cq6c.fsf@HIDDEN> (message from Po Lu on Tue, 25 Apr
 2023 16:38:19 +0800)
Subject: Re: bug#63063: CVE-2021-36699 report
References: <40-63e3c600-3-2d802d00@111202636>
 <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@HIDDEN>
 <bcb96279c47143f403f588dc3f020725029137bd.camel@HIDDEN>
 <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
 <83mt2wwi0y.fsf@HIDDEN> <87v8hkctlc.fsf@HIDDEN>
 <83fs8owg3r.fsf@HIDDEN> <87r0s8cq6c.fsf@HIDDEN>
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 63063
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN
X-Spam-Score: -3.3 (---)

> From: Po Lu <luangruo@HIDDEN>
> Cc: fuo@HIDDEN,  63063 <at> debbugs.gnu.org
> Date: Tue, 25 Apr 2023 16:38:19 +0800
> 
> The protection fault is in `dump_do_emacs_relocation'.  When the dump
> file contains a relocation with an offset outside the heap:
> 
> 	lv = make_lisp_ptr (obj_ptr, reloc.length);
> 	memcpy (emacs_ptr_at (reloc.emacs_offset), &lv, sizeof (lv));
> 
> will end up copying outside the heap.

Thanks, but that seems to be unrelated to the code to which the OP
pointed.  Are you sure it's the same problem?

Also, writing outside of the process's address space will indeed cause
protection fault and SIGSEGV, not a buffer-overflow type of problem
that can be exploited for executing some arbitrary code.  So I'm not
sure I see why this is a security issue?

emacs_ptr_at has this comment:

  /* TODO: assert somehow that the result is actually in the Emacs
     image.  */

Can we assure that in some reasonable way?  We have valid_pointer_p,
but that's too expensive, I think.





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


Received: (at 63063) by debbugs.gnu.org; 25 Apr 2023 08:38:35 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 25 04:38:35 2023
Received: from localhost ([127.0.0.1]:51199 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1prEC3-0004M1-2S
	for submit <at> debbugs.gnu.org; Tue, 25 Apr 2023 04:38:35 -0400
Received: from sonic307-56.consmr.mail.ne1.yahoo.com ([66.163.190.31]:36253)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <luangruo@HIDDEN>) id 1prEC1-0004Lo-Mn
 for 63063 <at> debbugs.gnu.org; Tue, 25 Apr 2023 04:38:34 -0400
X-Sonic-MF: <luangruo@HIDDEN>
X-Sonic-ID: 5480a3b9-b667-45f7-a3e4-4a9c5f08e114
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic307.consmr.mail.ne1.yahoo.com with HTTP; Tue, 25 Apr 2023 08:38:28 +0000
Received: by hermes--production-sg3-6d6fb994f6-qwzcd (Yahoo Inc. Hermes SMTP
 Server) with ESMTPA ID 4844dcd7ea475801de30b34bdbcc31b8; 
 Tue, 25 Apr 2023 08:38:23 +0000 (UTC)
From: Po Lu <luangruo@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <83fs8owg3r.fsf@HIDDEN> (Eli Zaretskii's message of "Tue, 25 Apr
 2023 10:55:36 +0300")
References: <40-63e3c600-3-2d802d00@111202636>
 <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@HIDDEN>
 <bcb96279c47143f403f588dc3f020725029137bd.camel@HIDDEN>
 <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
 <83mt2wwi0y.fsf@HIDDEN> <87v8hkctlc.fsf@HIDDEN>
 <83fs8owg3r.fsf@HIDDEN>
Date: Tue, 25 Apr 2023 16:38:19 +0800
Message-ID: <87r0s8cq6c.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Mailer: WebService/1.1.21365
 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo
Content-Length: 894
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 63063
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN
X-Spam-Score: -1.0 (-)

Eli Zaretskii <eliz@HIDDEN> writes:

>> From: Po Lu <luangruo@HIDDEN>
>> Cc: fuomag9 <fuo@HIDDEN>,  63063 <at> debbugs.gnu.org
>> Date: Tue, 25 Apr 2023 15:24:31 +0800
>> 
>> Eli Zaretskii <eliz@HIDDEN> writes:
>> 
>> > Please tell more about the buffer overflow: where does it happen in
>> > the Emacs sources, which buffer overflows, and why.  I cannot find
>> > these details in your report.
>> 
>> It happens because the dump file is deliberately edited to be invalid.
>
> I didn't ask about the root cause, I asked about the details of the
> problem: where it happens in our sources, and what exactly happens.

The protection fault is in `dump_do_emacs_relocation'.  When the dump
file contains a relocation with an offset outside the heap:

	lv = make_lisp_ptr (obj_ptr, reloc.length);
	memcpy (emacs_ptr_at (reloc.emacs_offset), &lv, sizeof (lv));

will end up copying outside the heap.
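
The check discussed in this thread, as an added example that is not Emacs code and not from any participant: a range check on the relocation's `emacs_offset` before the `memcpy` in `dump_do_emacs_relocation`, which is also the kind of assertion the TODO in `emacs_ptr_at` asks for. The `image` buffer, the one-field `struct reloc`, and the `lisp_word` stand-in for `Lisp_Object` are constructed for the example; the real image is the executable's data segment and the real value comes from `make_lisp_ptr`. The comparison is written as `offset <= image_size - len` rather than `offset + len <= image_size`, so an offset read from an untrusted file cannot wrap the sum and slip past the check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the in-memory Emacs image that relocations
   patch; a small byte array so the example runs stand-alone.  */
#define IMAGE_SIZE 64
static unsigned char image[IMAGE_SIZE];

/* Hypothetical counterpart of a dump relocation record: only the offset
   into the image that will be patched matters here.  */
struct reloc {
    uint64_t emacs_offset;
};

/* Hypothetical 8-byte stand-in for the Lisp_Object value written by the
   relocation (the real code builds it with make_lisp_ptr).  */
typedef uint64_t lisp_word;

/* True iff a write of `len' bytes at `offset' lies wholly inside an
   image of `image_size' bytes.  Subtracting on the right-hand side
   avoids the unsigned wrap-around that `offset + len <= image_size'
   would suffer for an offset near UINT64_MAX.  */
bool reloc_in_image(uint64_t offset, size_t len, size_t image_size)
{
    if (len > image_size)
        return false;
    return offset <= (uint64_t)(image_size - len);
}

/* Apply one relocation, refusing it when the target is outside the
   image.  Returns 0 on success and -1 when the record is rejected; a
   loader would treat -1 as "corrupt dump file" and stop loading.  */
int apply_relocation_checked(const struct reloc *r, lisp_word value)
{
    if (!reloc_in_image(r->emacs_offset, sizeof value, IMAGE_SIZE))
        return -1;
    memcpy(image + r->emacs_offset, &value, sizeof value);
    return 0;
}

/* Read back the word a relocation wrote, for inspection.  */
lisp_word image_word_at(uint64_t offset)
{
    lisp_word v;
    memcpy(&v, image + offset, sizeof v);
    return v;
}

int main(void)
{
    struct reloc good = { 8 };                   /* inside the image */
    struct reloc past_end = { IMAGE_SIZE - 4 };  /* straddles the end */
    struct reloc wrapped = { UINT64_MAX - 3 };   /* defeats naive addition */

    printf("in-image reloc:  %d\n", apply_relocation_checked(&good, 0xabcdef));
    printf("past-end reloc:  %d\n", apply_relocation_checked(&past_end, 1));
    printf("wrapping reloc:  %d\n", apply_relocation_checked(&wrapped, 1));
    return 0;
}
```

The check is a single comparison against bounds the loader already knows, which is why it can be left on unconditionally, unlike a probe of whether an arbitrary address is mapped; whether to compile it only `--with-checking` is then a policy choice rather than a performance one.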




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


Received: (at 63063) by debbugs.gnu.org; 25 Apr 2023 07:56:50 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 25 03:56:50 2023
Received: from localhost ([127.0.0.1]:51179 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1prDXd-0003L0-VO
	for submit <at> debbugs.gnu.org; Tue, 25 Apr 2023 03:56:50 -0400
Received: from eggs.gnu.org ([209.51.188.92]:56834)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1prDXb-0003Kk-Nr
 for 63063 <at> debbugs.gnu.org; Tue, 25 Apr 2023 03:56:48 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prDXW-0000IV-GZ; Tue, 25 Apr 2023 03:56:42 -0400
Received: from [87.69.77.57] (helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prDXV-0008Ib-0M; Tue, 25 Apr 2023 03:56:42 -0400
Date: Tue, 25 Apr 2023 10:57:07 +0300
Message-Id: <83edo8wg18.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Yuri Khan <yuri.v.khan@HIDDEN>
In-Reply-To: <CAP_d_8VnxkBOZ3xwccB_URY7vnSCEA2f7ysXOneiwgLHiLEiiA@HIDDEN>
 (message from Yuri Khan on Tue, 25 Apr 2023 14:40:20 +0700)
Subject: Re: CVE-2021-36699 report
References: <40-63e3c600-3-2d802d00@111202636>
 <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@HIDDEN>
 <bcb96279c47143f403f588dc3f020725029137bd.camel@HIDDEN>
 <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
 <CAP_d_8VnxkBOZ3xwccB_URY7vnSCEA2f7ysXOneiwgLHiLEiiA@HIDDEN>
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 63063
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN
X-Spam-Score: -3.3 (---)

> From: Yuri Khan <yuri.v.khan@HIDDEN>
> Date: Tue, 25 Apr 2023 14:40:20 +0700
> Cc: emacs-devel@HIDDEN
> 
> On Tue, 25 Apr 2023 at 12:33, fuomag9 <fuo@HIDDEN> wrote:
> 
> > Hi,
> > I’m a security researcher and I’ve searched for a way to contact the emacs security team but I’ve not found any information online, so I’m reporting this issue here.
> > I’ve discovered a buffer overflow in GNU Emacs 28.0.50 (at the time of writing the exploit still works on GNU Emacs 28.2)
> > The issue is inside the --dump-file functionality of emacs, in particular dump_make_lv_from_reloc at pdumper.c:5239
> > Attached to this email there's a payload used to make the vulnerability work (if emacs complains about a signature error you need to replace the hex bytes inside the payload with the expected one, since every emacs binary will expect a different signature).
> 
> A security report needs to identify a few key pieces of information:
> 
> * Who is the attacker?
> * Who is the victim?
> * What is the attack vector?
> * What does the attacker gain from the attack, that they would not be
> able to do without it?
> 
> If you start thinking about the described case, you will come to a
> conclusion that (1) you are able to attack yourself, or (2) if you can
> persuade another person to run Emacs with a dump file you provided,
> you are able to inflict denial of service for that specific run; or,
> if you provide a differently specially constructed dump file,
> arbitrary code execution as that user.
> 
> However, you could achieve the same by just convincing the victim to
> run an executable file you provide.
> 
> As Raymond Chen <https://devblogs.microsoft.com/oldnewthing/> likes to
> say, this so-called vulnerability involves being on the other side of
> the airtight hatchway.

PLEASE do NOT respond to this on emacs-devel, only to the bug tracker.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


Received: (at 63063) by debbugs.gnu.org; 25 Apr 2023 07:55:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 25 03:55:17 2023
Received: from localhost ([127.0.0.1]:51166 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1prDW9-0003F4-H3
	for submit <at> debbugs.gnu.org; Tue, 25 Apr 2023 03:55:17 -0400
Received: from eggs.gnu.org ([209.51.188.92]:55514)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1prDW7-0003ED-HM
 for 63063 <at> debbugs.gnu.org; Tue, 25 Apr 2023 03:55:15 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prDW2-0008Tq-42; Tue, 25 Apr 2023 03:55:10 -0400
Received: from [87.69.77.57] (helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prDW1-0007wB-Jz; Tue, 25 Apr 2023 03:55:09 -0400
Date: Tue, 25 Apr 2023 10:55:36 +0300
Message-Id: <83fs8owg3r.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Po Lu <luangruo@HIDDEN>
In-Reply-To: <87v8hkctlc.fsf@HIDDEN> (message from Po Lu on Tue, 25 Apr
 2023 15:24:31 +0800)
Subject: Re: bug#63063: CVE-2021-36699 report
References: <40-63e3c600-3-2d802d00@111202636>
 <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@HIDDEN>
 <bcb96279c47143f403f588dc3f020725029137bd.camel@HIDDEN>
 <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
 <83mt2wwi0y.fsf@HIDDEN> <87v8hkctlc.fsf@HIDDEN>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 63063
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN
X-Spam-Score: -3.3 (---)

> From: Po Lu <luangruo@HIDDEN>
> Cc: fuomag9 <fuo@HIDDEN>,  63063 <at> debbugs.gnu.org
> Date: Tue, 25 Apr 2023 15:24:31 +0800
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> > Please tell more about the buffer overflow: where does it happen in
> > the Emacs sources, which buffer overflows, and why.  I cannot find
> > these details in your report.
> 
> It happens because the dump file is deliberately edited to be invalid.

I didn't ask about the root cause, I asked about the details of the
problem: where it happens in our sources, and what exactly happens.

> It is not a dump file that Emacs will generate under any circumstance,
> and as such it's not a bug; by the same means, a pointer to an invalid
> Lisp object could be created, causing a similar crash.  Emacs is not
> expected to operate from a corrupt dump file any more than it is
> expected to operate from a corrupt executable.

Noted.  But please let me make up my own mind about this issue, once I
understand the details.  OK?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


Received: (at 63063) by debbugs.gnu.org; 25 Apr 2023 07:53:36 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 25 03:53:36 2023
Received: from localhost ([127.0.0.1]:51135 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1prDUW-0003A2-0E
	for submit <at> debbugs.gnu.org; Tue, 25 Apr 2023 03:53:36 -0400
Received: from eggs.gnu.org ([209.51.188.92]:34294)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1prDUU-00039o-1S
 for 63063 <at> debbugs.gnu.org; Tue, 25 Apr 2023 03:53:34 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prDUO-00087P-NR; Tue, 25 Apr 2023 03:53:28 -0400
Received: from [87.69.77.57] (helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prDUN-0007n8-Tl; Tue, 25 Apr 2023 03:53:28 -0400
Date: Tue, 25 Apr 2023 10:53:54 +0300
Message-Id: <83h6t4wg6l.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Po Lu <luangruo@HIDDEN>
In-Reply-To: <87zg6wctqg.fsf@HIDDEN> (message from Po Lu on Tue, 25 Apr
 2023 15:21:27 +0800)
Subject: Re: CVE-2021-36699 report
References: <40-63e3c600-3-2d802d00@111202636>
 <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@HIDDEN>
 <bcb96279c47143f403f588dc3f020725029137bd.camel@HIDDEN>
 <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
 <874jp4ecg6.fsf@HIDDEN> <87o7nc77tt.fsf@HIDDEN>
 <87zg6wctqg.fsf@HIDDEN>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 63063
Cc: 63063 <at> debbugs.gnu.org, fuo@HIDDEN, nicolas@HIDDEN
X-Spam-Score: -3.3 (---)

> From: Po Lu <luangruo@HIDDEN>
> Cc: fuomag9 <fuo@HIDDEN>,  emacs-devel@HIDDEN
> Date: Tue, 25 Apr 2023 15:21:27 +0800
> 
> Nicolas Martyanoff <nicolas@HIDDEN> writes:
> 
> > Is there a reason why Emacs does not validate dump files while reading
> > them as any other program with any other data format? Nothing good ever
> > comes from buffer overflows.
> 
> Is there any reason Unix does not verify that machine code is free of
> bugs before loading an a.out into memory?

Please keep this discussion on the bug tracker, not on emacs-devel.

PLEASE!!




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


Received: (at 63063) by debbugs.gnu.org; 25 Apr 2023 07:52:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 25 03:52:51 2023
Received: from localhost ([127.0.0.1]:51130 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1prDTn-00038f-KE
	for submit <at> debbugs.gnu.org; Tue, 25 Apr 2023 03:52:51 -0400
Received: from eggs.gnu.org ([209.51.188.92]:50804)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1prDTl-00038S-H7
 for 63063 <at> debbugs.gnu.org; Tue, 25 Apr 2023 03:52:50 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prDTf-0007wU-8s; Tue, 25 Apr 2023 03:52:43 -0400
Received: from [87.69.77.57] (helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1prDTe-0007hT-7P; Tue, 25 Apr 2023 03:52:42 -0400
Date: Tue, 25 Apr 2023 10:53:09 +0300
Message-Id: <83ildkwg7u.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Nicolas Martyanoff <nicolas@HIDDEN>
In-Reply-To: <87o7nc77tt.fsf@HIDDEN> (message from Nicolas
 Martyanoff on Tue, 25 Apr 2023 09:13:34 +0200)
Subject: Re: CVE-2021-36699 report
References: <40-63e3c600-3-2d802d00@111202636>
 <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@HIDDEN>
 <bcb96279c47143f403f588dc3f020725029137bd.camel@HIDDEN>
 <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
 <874jp4ecg6.fsf@HIDDEN> <87o7nc77tt.fsf@HIDDEN>
Cc: luangruo@HIDDEN, 63063 <at> debbugs.gnu.org, fuo@HIDDEN

> From: Nicolas Martyanoff <nicolas@HIDDEN>
> Cc: fuomag9 <fuo@HIDDEN>,  emacs-devel@HIDDEN
> Date: Tue, 25 Apr 2023 09:13:34 +0200
> 
> Po Lu <luangruo@HIDDEN> writes:
> 
> > If you create a malformed dump file, of course Emacs cannot possibly
> > work.  Here, the buffer overflow is not even a bug: signature checks are
> > already there to prevent a dump file created for a different copy of
> > Emacs from being loaded by mistake.  If you deliberately create a
> > malformed dump file, Emacs does not guarantee correct operation.
> Is there a reason why Emacs does not validate dump files while reading
> them as any other program with any other data format? Nothing good ever
> comes from buffer overflows.
> 
> > We are trying to put together two releases of a very large piece of
> > software at the same time, and really should not be wasting our time on
> > these CVE reports.  It would save us a great deal of trouble if whoever
> > runs the CVE registry stopped tracking security ``issues'' with Emacs.
> I'm aware that most people simply do not care about security, and it is
> your right to do the same. However I sincerely hope it is not the view
> of the GNU Emacs project in general.

Please do NOT respond on emacs-devel, only to the bug tracker.

I've redirected the response.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at 63063 <at> debbugs.gnu.org:


From: Po Lu <luangruo@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#63063: CVE-2021-36699 report
In-Reply-To: <83mt2wwi0y.fsf@HIDDEN> (Eli Zaretskii's message of "Tue, 25 Apr
 2023 10:14:05 +0300")
References: <40-63e3c600-3-2d802d00@111202636>
 <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@HIDDEN>
 <bcb96279c47143f403f588dc3f020725029137bd.camel@HIDDEN>
 <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
 <83mt2wwi0y.fsf@HIDDEN>
Date: Tue, 25 Apr 2023 15:24:31 +0800
Message-ID: <87v8hkctlc.fsf@HIDDEN>
Cc: 63063 <at> debbugs.gnu.org, fuomag9 <fuo@HIDDEN>

Eli Zaretskii <eliz@HIDDEN> writes:

> Please tell more about the buffer overflow: where does it happen in
> the Emacs sources, which buffer overflows, and why.  I cannot find
> these details in your report.

It happens because the dump file is deliberately edited to be invalid.
It is not a dump file that Emacs will generate under any circumstance,
and as such it's not a bug; by the same means, a pointer to an invalid
Lisp object could be created, causing a similar crash.  Emacs is not
expected to operate from a corrupt dump file any more than it is
expected to operate from a corrupt executable.
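As an added illustration of the distinction Po Lu draws above (a signature check guards against loading a dump built for a different Emacs by mistake; structural validation of the kind Nicolas asks about guards against a corrupt or truncated file), here is a toy loader in C. It is not Emacs code and does not model pdumper's real format: the header layout, the relocation entries, the build fingerprint and every name in it are constructed for this example. It shows what "validating while reading" amounts to in practice: every offset taken from the file is range-checked against the file and heap sizes before anything is dereferenced, so a malformed dump is rejected with a status code instead of an out-of-bounds access.

```c
/* Toy dump-file loader that validates the relocation table before applying it.
   Added illustration only: header layout, relocation format and all names are
   constructed for this example and are not Emacs' pdumper code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_MAGIC 0x50554d44u          /* constructed magic number */
#define TOY_FP_LEN 16                  /* build fingerprint length */
#define TOY_SLOT 8                     /* size of a relocatable pointer slot */

struct toy_header {
    uint32_t magic;
    uint8_t  fingerprint[TOY_FP_LEN];   /* which build produced this dump */
    uint32_t heap_offset, heap_size;    /* heap image, relative to file start */
    uint32_t reloc_offset, reloc_count; /* relocation table, relative to file start */
};

struct toy_reloc { uint32_t target; };  /* heap offset of a slot to rebase */

enum toy_status { TOY_OK, TOY_BAD_MAGIC, TOY_WRONG_BUILD, TOY_TRUNCATED, TOY_BAD_RELOC };

/* Fingerprint of "this" binary; constructed value. */
static const uint8_t this_build[TOY_FP_LEN] =
    { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };

/* True when [off, off+len) fits in `size` bytes; written so the sum cannot wrap. */
static int range_ok(uint64_t off, uint64_t len, uint64_t size)
{
    return off <= size && len <= size - off;
}

/* Structural validation.  The fingerprint says "this dump is for this build";
   only the range checks say "every offset we will touch is inside the file". */
enum toy_status toy_validate(const uint8_t *file, size_t file_size)
{
    struct toy_header h;
    if (file_size < sizeof h) return TOY_TRUNCATED;
    memcpy(&h, file, sizeof h);
    if (h.magic != TOY_MAGIC) return TOY_BAD_MAGIC;
    if (memcmp(h.fingerprint, this_build, TOY_FP_LEN) != 0) return TOY_WRONG_BUILD;
    if (!range_ok(h.heap_offset, h.heap_size, file_size)) return TOY_TRUNCATED;
    if (!range_ok(h.reloc_offset, (uint64_t)h.reloc_count * sizeof(struct toy_reloc), file_size))
        return TOY_TRUNCATED;
    for (uint32_t i = 0; i < h.reloc_count; i++) {
        struct toy_reloc r;
        memcpy(&r, file + h.reloc_offset + (size_t)i * sizeof r, sizeof r);
        /* a slot must be aligned and lie entirely inside the heap image */
        if (r.target % TOY_SLOT != 0 || !range_ok(r.target, TOY_SLOT, h.heap_size))
            return TOY_BAD_RELOC;
    }
    return TOY_OK;
}

/* Validate, then copy the heap image into `heap` (at least heap_size bytes) and
   add `base` to every relocated slot.  Every index used here was checked above. */
enum toy_status toy_load(const uint8_t *file, size_t file_size, uint8_t *heap, uint64_t base)
{
    enum toy_status st = toy_validate(file, file_size);
    if (st != TOY_OK) return st;
    struct toy_header h;
    memcpy(&h, file, sizeof h);
    memcpy(heap, file + h.heap_offset, h.heap_size);
    for (uint32_t i = 0; i < h.reloc_count; i++) {
        struct toy_reloc r;
        uint64_t v;
        memcpy(&r, file + h.reloc_offset + (size_t)i * sizeof r, sizeof r);
        memcpy(&v, heap + r.target, TOY_SLOT);
        v += base;
        memcpy(heap + r.target, &v, TOY_SLOT);
    }
    return TOY_OK;
}

/* Build a constructed sample dump: a 64-byte zeroed heap and one relocation
   aimed at `reloc_target`.  Returns bytes written, or 0 if buf is too small. */
size_t toy_build_sample(uint8_t *buf, size_t cap, uint32_t reloc_target)
{
    struct toy_header h = { TOY_MAGIC, {0}, 0, 64, 0, 1 };
    struct toy_reloc r = { reloc_target };
    size_t need = sizeof h + h.heap_size + sizeof r;
    if (cap < need) return 0;
    memcpy(h.fingerprint, this_build, TOY_FP_LEN);
    h.heap_offset = (uint32_t)sizeof h;
    h.reloc_offset = (uint32_t)(sizeof h + h.heap_size);
    memset(buf, 0, need);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + h.reloc_offset, &r, sizeof r);
    return need;
}

/* Build a sample, optionally drop `trim` trailing bytes or spoil the fingerprint,
   and load it.  On success also confirms the relocated slot was rebased. */
enum toy_status toy_check_sample(uint32_t reloc_target, size_t trim, int wrong_build)
{
    uint8_t buf[128], heap[64];
    uint64_t v;
    size_t n = toy_build_sample(buf, sizeof buf, reloc_target);
    if (n == 0 || trim > n) return TOY_TRUNCATED;
    if (wrong_build) buf[4] ^= 0xff;   /* fingerprint starts right after the magic */
    enum toy_status st = toy_load(buf, n - trim, heap, 0x1000);
    if (st != TOY_OK) return st;
    memcpy(&v, heap + reloc_target, TOY_SLOT);
    return v == 0x1000 ? TOY_OK : TOY_BAD_RELOC;
}

int main(void)
{
    printf("valid=%d out-of-range=%d truncated=%d wrong-build=%d\n",
           toy_check_sample(0, 0, 0), toy_check_sample(0xfffffff8u, 0, 0),
           toy_check_sample(0, 1, 0), toy_check_sample(0, 0, 1));
    return 0;
}
```

The point of `range_ok` is the overflow-safe form: checking `off + len <= size` directly can wrap for large offsets and pass a check it should fail. The relocation loop reads each entry exactly once and refuses misaligned or out-of-heap targets, which is the property a fingerprint check alone cannot provide.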




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


Date: Tue, 25 Apr 2023 10:14:05 +0300
Message-Id: <83mt2wwi0y.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: fuomag9 <fuo@HIDDEN>
In-Reply-To: <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
 (message from fuomag9 on Mon, 24 Apr 2023 21:27:34 +0000)
Subject: Re: CVE-2021-36699 report
References: <40-63e3c600-3-2d802d00@111202636>
 <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@HIDDEN>
 <bcb96279c47143f403f588dc3f020725029137bd.camel@HIDDEN>
 <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@HIDDEN>
Cc: bug-gnu-emacs@HIDDEN

> From: fuomag9 <fuo@HIDDEN>
> Date: Mon, 24 Apr 2023 21:27:34 +0000
> 
> I’m a security researcher and I’ve searched for a way to contact the emacs security team but I’ve not found any information online, so I’m reporting this issue here.
> I’ve discovered a buffer overflow in GNU Emacs 28.0.50 (at the time of writing the exploit still works on GNU Emacs 28.2).
> The issue is inside the --dump-file functionality of emacs, in particular dump_make_lv_from_reloc at pdumper.c:5239.
> Attached to this email there is a payload used to make the vulnerability work (if emacs complains about a signature error you need to replace the hex bytes inside the payload with the expected one, since every emacs binary will expect a different signature).
> This issue has been assigned CVE-2021-36699 and thus I’m notifying you of this. (I do not think the emacs team is aware of this security issue)
> The POC is simple:
> Launch emacs --dump-file exploit, where exploit is a custom crafted emacs dump file

Please tell more about the buffer overflow: where does it happen in
the Emacs sources, which buffer overflows, and why.  I cannot find
these details in your report.

Also, the CVE ID seems to be incorrect: if I look it up, I get some
SQL related issue, not an Emacs issue.




Acknowledgement sent to Eli Zaretskii <eliz@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#63063; Package emacs. Full text available.
Last modified: Tue, 25 Apr 2023 13:15:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.