bug-gnu-emacs

bug#63063: CVE-2021-36699 report


From: Richard Stallman
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 21:28:51 -0400

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > In either case, this is not a security vulnerability: if you can make
  > > the user load malformed dump files, you can make him load nefarious
  > > executables as well.

  > That's not necessarily true.  The malformed pdumper file could be
  > placed where Emacs usually finds it.  IOW, the perpetrator could
  > overwrite the pdumper file that Emacs loads when it starts.

If the pdumper file is writable by you, you could mess it up in all
sorts of ways.  You wouldn't need this feature -- you could do it with
truncate, or cat.  So I think it is incorrect to describe this feature
as being a security problem.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






