From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Po Lu Newsgroups: gmane.emacs.devel Subject: Re: CVE-2021-36699 report Date: Tue, 25 Apr 2023 13:51:53 +0800 Message-ID: <874jp4ecg6.fsf@yahoo.com> References: <40-63e3c600-3-2d802d00@111202636> <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@eu-central-1.amazonses.com> <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="10932"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Cc: emacs-devel@gnu.org To: fuomag9 Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Tue Apr 25 07:53:03 2023 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1prBbq-0002aw-1a for ged-emacs-devel@m.gmane-mx.org; Tue, 25 Apr 2023 07:53:02 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1prBb9-00035w-4A; Tue, 25 Apr 2023 01:52:19 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1prBay-00035C-0T for emacs-devel@gnu.org; Tue, 25 Apr 2023 01:52:08 -0400 Original-Received: from sonic313-10.consmr.mail.ne1.yahoo.com ([66.163.185.33]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1prBav-0004fv-Ve for emacs-devel@gnu.org; Tue, 25 Apr 2023 01:52:07 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1682401923; bh=5IQagBGETS1/4S7ZdvXb7ggVBrODxMCE4ma+2+JurcU=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From:Subject:Reply-To; b=MKFepLjUzQBtLoKxSJKY2DNvU4m+Q0BLSqyE+Amqf+kFzsP+CNYNqMRZaun4PHActSwA0+nGYavcyRXwIEwmDkTqW4dEkrfiBdyHqfmGlMIADDKtB+tT5u8JqEFRzi3xVpb35q3ULZic0Ov5NwTUBujPGO/HVrPtAgbyTLFguuVIfbdNT4XVJYlU4dbprl366gM0QtwyfAhOkgtfzxXia1e9JkA9LhrHkA1DtY/e0pbgvGOhzP16tdP2KNclZa94NRwSftmbDvfN8+/TfLy0k9ptMrZPgSPLslg3HRkhMjGa18TSKoMou7oAUxWLS6sadEk9lmJ1E4qJjyid8L9/Yg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1682401923; bh=udQ2LsCBVEL+DIzz8jB5LcEGl4xDlfe2NJRNSvCrR/r=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=RTdbDXTUj2fZwMHenJmeoK2jyBCUGcYHZV21bRj8OP1JtSe51y6nj8oC2TQ3E8EfBPN1dh9eGMJW1al8ydbNMEf3DagxAxJxVKoYfM/N5QZSOck+GSRFRJal11QrEcd+dvz5lKzrF5ykw4w7bscXIc4nAY3z7HNaV0XO6LOHRFzyadLazUQXcYYJxzjTYtbn//hVImexstMTlDysuTVsofblvw1ugANiHIycV04hqMBvnmiqTrsKMshF22tA+Bqa3Nbq+e37XWKaHtWMRgy+MhF+DSphu10TYRoCfMYiJuFhCF/85fO9O/iKgbNROPL73WAYO5oo1P7bBXYPBSgIlQ== X-YMail-OSG: 1rmKkEAVM1nI8iL.6djXRQCbZBjMj46Po48FReVv5RvBduIZ1a2OgyrGg5FKKNa wVsvujLnMqfyXIn4JSfPK5B8DQbZTDw5qEcoTDQ_mLv5RczeqasVN1VgvIpQGNCY0iq4cpmCg_4O VzIJfXjMNVjHsvGERNa0ftcOHgzdOTBnVXJcxsHqgV3aXugAqgjolz_tZtw1pmZhacRUKFd5Ffj. Oj9p.KbEl5dEaJMGwwESlNQGuHOF4iZ5L19DhDQOy7kbvzhPLiHsSGRJPtMgikmtpvuKbVsuYXRX b4oT5Uo93Hs9gUB7cVBybTvI4uRMTgFC31jVTal06NAxVTck6h1OOjJfRHsQ7lIxLMgmab7A3Wau yEbnOm.QPY2vl8VHSafchPkZD3K3Tteku.nh4QTXSAURNOn9SUb46Qh7fXeEzUrjjrkT1DteYhSa AkddZ3bd9j.uqB7FH1Ogoe2AXIqMWo49d70b2PL2exW166R7z0w5q1gvfX5gYhABKiplmFZ7GxoF pEzXDClPpXKzEjrMnIiQ0ALIf.hBYXVfBGGD_I2C1U80NxAvcfTUIesuFsdeLdKULn4ccQqg5q2L QkU8Xbc.9ZuRe8a0.9mh.dYic7Ca0QuLhWKAAJuGpiqCLBN4Q1V.UNaFjiGcFWg3gPtmTYuopxKn gWXlcGvIVzv8l6mpzIKWu50ZYrKvWpseVVInHcwCwuiUqKI6muGqJkEANczpZ9oVEK0KY.1CwQz. 2l7uEUz5VFGUVgWIHb1DbOs2SPVg_cvSexxCmFQHLPquv9IO4.cXCJNbzOWfni2KHsMrYxHWhn9B Drm4diaTe_09hWM4Ruh_cbFZUn3xfyfQXWr6r1kNAu X-Sonic-MF: X-Sonic-ID: 667ec5a5-ed03-48d3-a65c-a0fe6e40a2b2 Original-Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.ne1.yahoo.com with HTTP; Tue, 25 Apr 2023 05:52:03 +0000 Original-Received: by hermes--production-sg3-6d6fb994f6-f9862 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 983c14d1b9a95ff20f93d3d61692e5e9; Tue, 25 Apr 2023 05:51:58 +0000 (UTC) In-Reply-To: <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> (fuomag9's message of "Mon, 24 Apr 2023 21:27:34 +0000") X-Mailer: WebService/1.1.21365 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.yahoo Received-SPF: pass client-ip=66.163.185.33; envelope-from=luangruo@yahoo.com; helo=sonic313-10.consmr.mail.ne1.yahoo.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:305632 Archived-At: Please never CC the bug tracker and emacs-devel at the same time! fuomag9 writes: > Hi, > > This email was forwarded to you as suggested by simon@josefsson.org as I = was forwarded to this person when contacting security@gnu.org > > Hi, > I=E2=80=99m a security researcher and I=E2=80=99ve searched for a way to = contact the emacs security team but I=E2=80=99ve not found any information = online, so I=E2=80=99m > reporting this issue here. > I=E2=80=99ve discovered a buffer overflow in GNU Emacs 28.0.50 (at the ti= me of writing the exploit still works on GNU Emacs 28.2) > The issue is inside the --dump-file functionality of emacs, in particular= dump_make_lv_from_reloc at pdumper.c:5239 > Attached to this email there's is payload used to make the vulnerability = work (if emacs complains about a signature error you need to replace > the hex bytes inside the payload with the expected one, since every emacs= binary will expect a different signature). > This issue has been assigned CVE-2021-36699 and thus I=E2=80=99m notifyin= g you of this. (I do not think the emacs team is aware of this security iss= ue) > The POC is simple: > Launch emacs --dump-file exploit, where exploit is a custom crafted emacs= dump file > Here's the program execution via GDB > Starting program: /home/fuomag9/emacs-std/src/emacs --dump-file > exploit_p1/3_1.dat > ERROR: Could not find ELF base! If you create a malformed dump file, of course Emacs cannot possibly work. Here, the buffer overflow is not even a bug: signature checks are already there to prevent a dump file created for a different copy of Emacs from being loaded by mistake. If you deliberately create a malformed dump file, Emacs does not guarantee correct operation. We are trying to put together two releases of a very large piece of software at the same time, and really should not be wasting our time on these CVE reports. It would save us a great deal of trouble if whoever runs the CVE registry stopped tracking security ``issues'' with Emacs. Thanks.