From: fuomag9 via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 08:45:06 +0000
Message-ID: <01070187b7967feb-2f16162d-52c2-4bea-b3bd-fb31f04a600e-000000@eu-central-1.amazonses.com>
References: <40-63e3c600-3-2d802d00@111202636> <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@eu-central-1.amazonses.com> <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> <83mt2wwi0y.fsf@gnu.org>
Reply-To: fuomag9
To: Eli Zaretskii
Cc: 63063@debbugs.gnu.org
Hi, the CVE is currently unpublished. So when visiting this URL you’ll see that it’s reserved https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-36699

> On 25 Apr 2023, at 09:14, Eli Zaretskii wrote:
>
>> From: fuomag9
>> Date: Mon, 24 Apr 2023 21:27:34 +0000
>>
>> I’m a security researcher and I’ve searched for a way to contact the emacs security team but I’ve not found any information online, so I’m reporting this issue here.
>> I’ve discovered a buffer overflow in GNU Emacs 28.0.50 (at the time of writing the exploit still works on GNU Emacs 28.2)
>> The issue is inside the --dump-file functionality of emacs, in particular dump_make_lv_from_reloc at pdumper.c:5239
>> Attached to this email there's a payload used to make the vulnerability work (if emacs complains about a signature error you need to replace the hex bytes inside the payload with the expected one, since every emacs binary will expect a different signature).
>> This issue has been assigned CVE-2021-36699 and thus I’m notifying you of this. (I do not think the emacs team is aware of this security issue)
>> The POC is simple:
>> Launch emacs --dump-file exploit, where exploit is a custom crafted emacs dump file
>
> Please tell more about the buffer overflow: where does it happen in
> the Emacs sources, which buffer overflows, and why.  I cannot find
> these details in your report.
>
> Also, the CVE ID seems to be incorrect: if I look it up, I get some
> SQL related issue, not an Emacs issue.