Newsgroups: gmane.emacs.devel
Subject: Re: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 08:37:32 +0200
To: emacs-devel@gnu.org
On Mon, Apr 24, 2023 at 09:27:34PM +0000, fuomag9 wrote:
> Hi,
>
> This email was forwarded to you as suggested by simon@josefsson.org as I was forwarded to this person when contacting security@gnu.org
>
> Hi,
> I'm a security researcher and I've searched for a way to contact the emacs security team but I've not found any information online, so I'm reporting this issue here.
> I've discovered a buffer overflow in GNU Emacs 28.0.50 (at the time of writing the exploit still works on GNU Emacs 28.2).
> The issue is inside the --dump-file functionality of emacs, in particular dump_make_lv_from_reloc at pdumper.c:5239.
> Attached to this email there's a payload used to make the vulnerability work (if emacs complains about a signature error you need to replace the hex bytes inside the payload with the expected one, since every emacs binary will expect a different signature).

[...]

Hm. The way I see this: the dump file is part of the Emacs program. Creating a vulnerability by replacing part of a program (e.g. a shared library) seems to be possible everywhere, no?

Cheers
-- 
t