From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.bugs Subject: bug#63063: CVE-2021-36699 report Date: Tue, 25 Apr 2023 15:47:29 +0300 Message-ID: <83zg6wuo0u.fsf@gnu.org> References: <40-63e3c600-3-2d802d00@111202636> <01070187b503303f-1657dcaa-4f53-47da-9679-2f68a682d447-000000@eu-central-1.amazonses.com> <01070187b52a3165-eeb31a4e-fba7-4290-850a-c73ab11eb43f-000000@eu-central-1.amazonses.com> <83mt2wwi0y.fsf@gnu.org> <87v8hkctlc.fsf@yahoo.com> <83fs8owg3r.fsf@gnu.org> <87r0s8cq6c.fsf@yahoo.com> <83a5ywwcow.fsf@gnu.org> <87mt2wcjtf.fsf@yahoo.com> <834jp4w57b.fsf@gnu.org> <87edo8cflg.fsf@yahoo.com> Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="40178"; mail-complaints-to="usenet@ciao.gmane.io" Cc: 63063@debbugs.gnu.org, fuo@fuo.fi To: Po Lu Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Apr 25 14:48:40 2023 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1prI63-000AAS-Mp for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 25 Apr 2023 14:48:39 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1prI5v-0003n9-Hf; Tue, 25 Apr 2023 08:48:31 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1prI5S-0003R8-Kl for bug-gnu-emacs@gnu.org; Tue, 25 Apr 2023 08:48:10 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1prI5R-0000mQ-Rf for bug-gnu-emacs@gnu.org; Tue, 25 Apr 2023 08:48:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1prI5R-0008PX-NG for bug-gnu-emacs@gnu.org; Tue, 25 Apr 2023 08:48:01 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Eli Zaretskii Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 25 Apr 2023 12:48:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 63063 X-GNU-PR-Package: emacs Original-Received: via spool by 63063-submit@debbugs.gnu.org id=B63063.168242683132150 (code B ref 63063); Tue, 25 Apr 2023 12:48:01 +0000 Original-Received: (at 63063) by debbugs.gnu.org; 25 Apr 2023 12:47:11 +0000 Original-Received: from localhost ([127.0.0.1]:51652 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1prI4d-0008MU-9q for submit@debbugs.gnu.org; Tue, 25 Apr 2023 08:47:11 -0400 Original-Received: from eggs.gnu.org ([209.51.188.92]:52788) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1prI4b-0008ME-Ve for 63063@debbugs.gnu.org; Tue, 25 Apr 2023 08:47:10 -0400 Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1prI4W-0000iK-J5; Tue, 25 Apr 2023 08:47:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date: mime-version; bh=NTTGTkO0DzGd4xwgvDysIaEazMntrU1f6RqetWiZ9EI=; b=ewJ5ivCgNddd HpjfoWM+MNpxWOIJxWbKEh+V1KMncPLkctzekv9+FggvrP5vn8svRV1K2ZoXM2h/GXkshnEAut+n7 3efI+gLid5tD/A6rg3Cl1y92YWxW6f25SmVkQXBc9YGETI7WXvX5vtFMfMIA8QgcYLl7KuZjjBWIR qw93MKPZD4EcOV90c2wPTP3042TsQG/trAhICtgYIlJrx/SZ7MxYeeeix7KMPT9TeXJMCfhdY9MYI jyMRpPSQWcBlVP8hU5CE+uacW6OLtVGgmCyBB+1nbkWPwuoJNZadHojRl3DahEVrG9I3HdmnoMc9e ZJuUxKTo1N3uDTBA2WKbQw==; Original-Received: from [87.69.77.57] (helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1prI4V-0004eU-Mv; Tue, 25 Apr 2023 08:47:04 -0400 In-Reply-To: <87edo8cflg.fsf@yahoo.com> (message from Po Lu on Tue, 25 Apr 2023 20:26:51 +0800) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.bugs:260618 Archived-At: > From: Po Lu > Cc: fuo@fuo.fi, 63063@debbugs.gnu.org > Date: Tue, 25 Apr 2023 20:26:51 +0800 > > Eli Zaretskii writes: > > > That is still insufficient for tricking the program into executing > > arbitrary code, AFAIU. For that, you need to point it to an address > > that is both writable and executable, arrange for that address to hold > > the malicious code to be executed, and then arrange for the PC to jump > > to that address. > > This is ``easy'': figure out where the stack is, replace the return > address in a certain frame with a pointer to some executable code in > your dump file. How do you "easily" figure out the offset from some arbitrary data address to the current stack pointer, and do that in advance, i.e. before the target program even runs? > > That's not necessarily true. The malformed pdumper file could be > > placed where Emacs usually finds it. IOW, the perpetrator could > > overwrite the pdumper file that EMacs loads when it starts. > > But then you might as well overwrite Emacs with your malicious code, > since the pdumper file is installed with the same access control as the > Emacs executable. The pdumper file is data, not code. It is loaded into the data segment. And executable code segments are usually write-protected. > If you or your site administrator wants to install a virus, you can go > ahead and just do that. There's no need to involve Emacs or pdumper > files. I don't think this is relevant. But based on what the code does, I don't see why this should be considered a security issue.