From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 10:53:09 +0300
Message-ID: <83ildkwg7u.fsf@gnu.org>
In-Reply-To: <87o7nc77tt.fsf@valhala.localdomain> (message from Nicolas Martyanoff on Tue, 25 Apr 2023 09:13:34 +0200)
To: Nicolas Martyanoff
Cc: luangruo@yahoo.com, 63063@debbugs.gnu.org, fuo@fuo.fi

> From: Nicolas Martyanoff
> Cc: fuomag9, emacs-devel@gnu.org
> Date: Tue, 25 Apr 2023 09:13:34 +0200
>
> Po Lu writes:
>
> > If you create a malformed dump file, of course Emacs cannot possibly
> > work. Here, the buffer overflow is not even a bug: signature checks are
> > already there to prevent a dump file created for a different copy of
> > Emacs from being loaded by mistake. If you deliberately create a
> > malformed dump file, Emacs does not guarantee correct operation.
> Is there a reason why Emacs does not validate dump files while reading
> them as any other program with any other data format? Nothing good ever
> comes from buffer overflows.
>
> > We are trying to put together two releases of a very large piece of
> > software at the same time, and really should not be wasting our time on
> > these CVE reports. It would save us a great deal of trouble if whoever
> > runs the CVE registry stopped tracking security ``issues'' with Emacs.
> I'm aware that most people simply do not care about security, and it is
> your right to do the same. However I sincerely hope it is not the view
> of the GNU Emacs project in general.

Please do NOT respond on emacs-devel, only to the bug tracker. I've
redirected the response.