From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Kenneth Wyatt Newsgroups: gmane.emacs.devel Subject: How do I report security issue? Date: Sun, 11 Jul 2021 19:18:00 +1000 Message-ID: <58d23d65-a7de-cc89-de47-22776316a330@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="17588"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Sun Jul 11 12:22:50 2021 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1m2Wbq-0004SA-9R for ged-emacs-devel@m.gmane-mx.org; Sun, 11 Jul 2021 12:22:50 +0200 Original-Received: from localhost ([::1]:47604 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1m2Wbp-0007h1-BP for ged-emacs-devel@m.gmane-mx.org; Sun, 11 Jul 2021 06:22:49 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:60524) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1m2VbF-00067U-Sv for emacs-devel@gnu.org; Sun, 11 Jul 2021 05:18:09 -0400 Original-Received: from mail-pg1-x536.google.com ([2607:f8b0:4864:20::536]:45924) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1m2VbD-0001dk-8E for emacs-devel@gnu.org; Sun, 11 Jul 2021 05:18:09 -0400 Original-Received: by mail-pg1-x536.google.com with SMTP id y17so14831293pgf.12 for ; Sun, 11 Jul 2021 02:18:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=vrx8VH5dsit3rhOxuSj94GFf2lVV/nOJBV8fUWd3Iis=; b=odSAevplO3BlN2wqFit/Yypb3JIkzbtGxzSiZE0vWAqUvgN2jnXt12TdD6W5nXt8GD yQeEAdaL6x4huuSiFcHdQ6Xtsq3yHOAUG7VvsJkkEZYOLCsBvO49LXw+VEcVO9yIzyjO Wv9LHk8NFk3I+1a/IeFfx7jzuA3u1TFGtIrDjlMq93CVv2s9FoJAvZk2uhyMaA03r9z0 L1Vy+Ib8UVg+R9C3ZcPHCBhpKpOhosT+3z/3+RdxNAI0ECxKtLWiX0MtBSDJoFzkE8jQ uZlt9hvriLW2gBeefr68+VpHYeekIl6V498d19hEqJO18RGeIh8kLnv78BqBKxzqFcF2 WpJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=vrx8VH5dsit3rhOxuSj94GFf2lVV/nOJBV8fUWd3Iis=; b=OCM4PoraIY1k3Ipk8QL9Kd2opNL7hFl+qxKSvQs7BHrvuN/RuA9cRVYbpSl7+fBB9V uF/XzMYKOaUjOukQ6eFOItnPedsCm6NaTVrQof8W58TRt6wTLlG12sbzYqA/AHnln4nw sh3u3tlPncmkPJdTLL3VSVMaCj7z5YiE7llu6RG8ul8IpBQ5k6iRnY6E7lhTMnf1458Y 5IDu9nfl0pa+Ts4HNMmDZwlA1v4pW7A9TbnuKHNZeBVv0h69bdEd4zIgDRPosDGGyslh wEURdAZN9lk7SK3S/EmsXbQT1TZPZrCUvqxfZCjjdlnk+ZO4Pz5h7FiU9jRiXZF6ZIev zFnQ== X-Gm-Message-State: AOAM5301MTsZhAfoNx56pR5FLKXned8ef/9h3trfJ+wBAE82DZSkTK1T cLlDl4Kp8qsYhPbqJKK+ZzCJkGc/c/vKRQ== X-Google-Smtp-Source: ABdhPJyU7P0FJWuYEdr6ejIVqILiBA2a4cApHDunily6Zb+JuAaMzRW1EG2qlQ+m5slDEiMZSAj08g== X-Received: by 2002:a63:f346:: with SMTP id t6mr47554334pgj.277.1625995084291; Sun, 11 Jul 2021 02:18:04 -0700 (PDT) Original-Received: from [192.168.0.106] (n49-192-63-218.sun3.vic.optusnet.com.au. [49.192.63.218]) by smtp.gmail.com with ESMTPSA id y15sm1381152pfn.63.2021.07.11.02.18.02 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 11 Jul 2021 02:18:03 -0700 (PDT) Content-Language: en-US Received-SPF: pass client-ip=2607:f8b0:4864:20::536; envelope-from=soy.el.gato.negro@gmail.com; helo=mail-pg1-x536.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Sun, 11 Jul 2021 06:21:50 -0400 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:271176 Archived-At: Hi guys, I found a very simple way to get sudo/root shell in Emacs without passing a password check for launching the shell. While it does rely on actions by a user who does know the sudo password, once these actions are taken, an unattended terminal can be used to gain full sudo shell session with (from what I can tell) no timeout on one's ability to do so. Unsure exactly where to report this as the public bugtracker seems inappropriate even if reporting it seems unlikely to result in widespread in-the-wild use. It's totally possible this is also "as intended" behaviour, but that seems unlikely, and if it is, I think changing the default behaviour would be the responsible thing to do. I'm sure I'm not the first person to discover this, but an admittedly cursory search didn't turn up discussion online. Could someone direct me where to report the replication steps in a responsible manner? Thanks so much, Kenneth