[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Emacs master, security concernes, ms-windows

From: Óscar Fuentes
Subject: Re: Emacs master, security concernes, ms-windows
Date: Thu, 14 Sep 2017 15:33:40 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)

Fabrice Popineau <address@hidden> writes:

> Since there seems to be a lot of concerns wrt to security,
> I am submitting the attached patch.
> The reason for this patch is to limit the search for dlls loaded at
> runtime to the win32 system directory and/or the emacs application
> directory.
> In the current state, dlls can be picked up in any directory in the path.
> Some one could fake one of these dlls (xpm, png, etc.) and use it for
> mean reasons.
> It is not bullet proof, but it levels up security and
> many other projects have applied such a restriction.
> Best regards,
> Fabrice
> diff --git a/src/unexw32.c b/src/unexw32.c
> index 5259b2a52b..10f720f734 100644
> --- a/src/unexw32.c
> +++ b/src/unexw32.c
> @@ -772,7 +820,7 @@ unexec (const char *new_name, const char *old_name)
>    {
>      PIMAGE_DOS_HEADER dos_header;
>      PIMAGE_NT_HEADERS nt_header;
> -    HANDLE hImagehelp = LoadLibrary ("imagehlp.dll");
> +    HANDLE hImagehelp = LoadLibraryEx ("imagehlp.dll", NULL, 

According do MSDN, LoadLibraryEx does not support
Windows XP, and on Windows 7 and some other version it requires certain
security system patch to be installed.

Apart from that, the security provided by this approach is questionable.
If the attacker has enough control to install a DLL and modify the PATH,
it is game over.

Finally, this patch can be a hindrance for those who build Emacs. After
the build is over, you need to copy the required extra dlls (for image
support, etc) to the build binary directory to test or use Emacs. Not a
huge inconvenience, but it isn't irrelevant either.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]