bug#63063: CVE-2021-36699 report
From: Po Lu
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 21:18:20 +0800
User-agent: Gnus/5.13 (Gnus v5.13)

Eli Zaretskii <eliz@gnu.org> writes:

> I think this depends on the OS, not only the CPU?

That too.

>> > I don't think this is relevant. But based on what the code does, I
>> > don't see why this should be considered a security issue.
>>
>> It's not, indeed.
>>
>> The glaringly obvious reason being that only the site administrator, or
>> the user himself, can replace the dump file with something else.
>
> I'm not sure I agree (there's the symlink attack, for example), but I
> don't think it changes the nature of the issue.

How would such a ``symlink attack'' work?

And in any case:

  1. How will such a malicious .pdmp file be installed on the user's
     system?

  2. How will such a malicious .pdmp file end up loaded by the user's
     Emacs?

  3. What privileges will the user's Emacs have, that whoever installed
     the malicious .pdmp file did not?

The answers to questions 1 and 2 can only be ``by user action'', or ``by
administrative action''.  The answer to question 3 naturally follows.
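
The premise in the message above, that only the site administrator or the user can replace the dump file, can be checked on a given installation by auditing every path component leading to the file. The following is an added example, not part of the original message or of Emacs; the function names, the `stop_at` parameter and the file names are assumptions made for illustration, and the dump file is a constructed placeholder.

```python
import os
import stat
import tempfile

def audit_path(path, stop_at="/", trusted_uids=None):
    """List (component, reason) pairs where someone other than root or the
    current user could replace `path` or redirect a lookup of it."""
    trusted = trusted_uids or {0, os.getuid()}
    stop_at = os.path.abspath(stop_at)
    current = os.path.abspath(path)  # abspath does not resolve symlinks
    findings = []
    while True:
        st = os.lstat(current)  # lstat: inspect the link itself, not its target
        is_link = stat.S_ISLNK(st.st_mode)
        if is_link:
            findings.append((current, "symlink"))
        if st.st_uid not in trusted:
            findings.append((current, "untrusted owner uid %d" % st.st_uid))
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # A sticky directory (e.g. /tmp) does not let others replace our entries.
        sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if loose and not is_link and not sticky:
            findings.append((current, "group/other writable"))
        if current == stop_at or current == os.path.dirname(current):
            return findings
        current = os.path.dirname(current)

def demo():
    """Build a constructed tree and audit three cases; returns the findings."""
    base = os.path.realpath(tempfile.mkdtemp())  # mode 0700, owned by us
    dump = os.path.join(base, "emacs.pdmp")      # constructed sample file name
    with open(dump, "wb") as f:
        f.write(b"constructed placeholder, not a real dump")
    os.chmod(dump, 0o644)
    tight = audit_path(dump, stop_at=base)       # owner-only write: no findings
    link = os.path.join(base, "link.pdmp")
    os.symlink(dump, link)
    linked = audit_path(link, stop_at=base)      # symlink component is reported
    os.chmod(dump, 0o666)
    loose = audit_path(dump, stop_at=base)       # world-writable file is reported
    return dump, link, tight, linked, loose

if __name__ == "__main__":
    for row in demo()[2:]:
        print(row)
```

An empty result for the real dump file path supports the answers given to questions 1 to 3; any finding names the component where another principal could substitute the file.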