From: lux
To: Po Lu, Eli Zaretskii
Cc: 63063@debbugs.gnu.org, fuo@fuo.fi
Newsgroups: gmane.emacs.bugs
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 23:54:33 +0800
User-Agent: Evolution 3.48.0 (3.48.0-1.fc38)
In-Reply-To: <87wn20ayn7.fsf@yahoo.com>
Xref: news.gmane.io gmane.emacs.bugs:260625

On Tue, 2023-04-25 at 21:18 +0800, Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors wrote:
> Eli Zaretskii writes:
>
> > I think this depends on the OS, not only the CPU?
>
> That too.
>
> > > > I don't think this is relevant.  But based on what the code does,
> > > > I don't see why this should be considered a security issue.
> > >
> > > It's not, indeed.
> > >
> > > The glaringly obvious reason being that only the site administrator,
> > > or the user himself, can replace the dump file with something else.
> >
> > I'm not sure I agree (there's the symlink attack, for example), but
> > I don't think it changes the nature of the issue.
>
> How would such a ``symlink attack'' work?
> And in any case:
>
>   1. How will such a malicious .pdmp file be installed on the user's
>      system?
>   2. How will such a malicious .pdmp file end up loaded by the user's
>      Emacs?
>   3. What privileges will the user's Emacs have, that whoever installed
>      the malicious .pdmp file did not?
>
> The answers to questions 1 and 2 can only be ``by user action'', or
> ``by administrative action''.  The answer to question 3 naturally follows.
>

How the vulnerability is exploited depends on the scenario and on what color hat the attacker wears (black hat, white hat). Attackers do not use conventional thinking to exploit vulnerabilities, and turn many local vulnerabilities from 'impossible' to 'possible'. For reference, take a look at some APT (Advanced Persistent Threat) reports:
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections

I think if the reported CVEs are real and valid, they should be taken seriously.
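The thread above turns on one premise: that only the site administrator or the user can replace the dump file, with a symlink on the path raised as a possible exception. As an added illustration of how a defender would verify that premise on a given installation (example code written here, not Emacs's own .pdmp handling and not code from anyone in this thread), the Python below reports the conditions under which a file on disk could be swapped by someone other than root or the current user. The file names, the `check_dump_file` and `demo` functions, and the temporary directory are this example's own constructions.

```python
import os
import stat
import tempfile


def check_dump_file(path, trusted_uids=(0,)):
    """Report ways a file could be replaced by someone other than root or
    the current user. Returns a list of finding labels; [] means none.
    Illustrative check only, not Emacs's own .pdmp validation."""
    findings = []
    link = os.lstat(path)  # lstat inspects the path itself, not its target
    if stat.S_ISLNK(link.st_mode):
        # The link's owner can point the name at any file they choose.
        findings.append("symlink")
    try:
        real = os.stat(path)  # follows the link to the actual content
    except FileNotFoundError:
        findings.append("dangling-symlink")
        return findings
    if real.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if real.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if real.st_uid not in trusted_uids and real.st_uid != os.getuid():
        findings.append("untrusted-owner")
    # Whoever can write the parent directory can rename or unlink the
    # file, unless the sticky bit limits that to the file's owner.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    writable_by_others = parent.st_mode & (stat.S_IWOTH | stat.S_IWGRP)
    if writable_by_others and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent-dir-writable-by-others")
    return findings


def demo():
    """Check three constructed files in a private (mode 0700) temp dir:
    a sanely-permissioned file, a world-writable one, and a symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "regular.pdmp")  # constructed sample
        with open(regular, "wb") as f:
            f.write(b"constructed, not a real dump")
        os.chmod(regular, 0o644)
        results["regular"] = check_dump_file(regular)

        loose = os.path.join(d, "loose.pdmp")  # constructed sample
        with open(loose, "wb") as f:
            f.write(b"constructed")
        os.chmod(loose, 0o666)
        results["loose"] = check_dump_file(loose)

        link = os.path.join(d, "link.pdmp")  # constructed sample
        os.symlink(regular, link)
        results["symlink"] = check_dump_file(link)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

Pointing `check_dump_file` at a real installation's dump path answers questions 1 and 3 from the quoted message directly: an empty result means nobody short of root or the owning user could have put a different file there, while a `symlink` or `parent-dir-writable-by-others` finding is exactly the case Eli alludes to.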