[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Emacs master, security concernes, ms-windows

From: Andy Moreton
Subject: Re: Emacs master, security concernes, ms-windows
Date: Thu, 14 Sep 2017 15:13:39 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2.50 (windows-nt)

On Thu 14 Sep 2017, Fabrice Popineau wrote:

> Since there seems to be a lot of concerns wrt to security,
> I am submitting the attached patch.
> The reason for this patch is to limit the search for dlls loaded at
> runtime to the win32 system directory and/or the emacs application
> directory.
> In the current state, dlls can be picked up in any directory in the path.
> Some one could fake one of these dlls (xpm, png, etc.) and use it for
> mean reasons.
> It is not bullet proof, but it levels up security and
> many other projects have applied such a restriction.

Restricting the path used to locate DLLs is reasonable, but this is too

For an emacs built from source and run from the build tree (i.e. not
installed), this requires copying all of the distro DLLs to the emacs
build directory, and keeping them up to date.

Also note that the patch uses LOAD_LIBRARY_SEARCH_* flags, which won't
work at all on Windows XP, or on newer Windows versions that do not have
the correct updates installed. See:

Dynamic-Link Library Security:

Dynamic-Link Library Search Order:



reply via email to

[Prev in Thread] Current Thread [Next in Thread]