|Subject:||How do I report security issue?|
|Date:||Sun, 11 Jul 2021 19:18:00 +1000|
|User-agent:||Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0|
Hi guys,

I found a very simple way to get a sudo/root shell in Emacs without passing a password check for launching the shell. While it does rely on actions by a user who does know the sudo password, once these actions are taken, an unattended terminal can be used to gain a full sudo shell session with (from what I can tell) no timeout on one's ability to do so.
Unsure exactly where to report this as the public bugtracker seems inappropriate even if reporting it seems unlikely to result in widespread in-the-wild use.
It's totally possible this is also "as intended" behaviour, but that seems unlikely, and if it is, I think changing the default behaviour would be the responsible thing to do. I'm sure I'm not the first person to discover this, but an admittedly cursory search didn't turn up discussion online.
Could someone direct me where to report the replication steps in a responsible manner?
Thanks so much,
Kenneth