bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#63063: CVE-2021-36699 report

From: Po Lu
Subject: bug#63063: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 21:18:20 +0800
User-agent: Gnus/5.13 (Gnus v5.13) 
Eli Zaretskii <eliz@gnu.org> writes:

> I think this depends on the OS, not only the CPU?

That too.

>> > I don't think this is relevant.  But based on what the code does, I
>> > don't see why this should be considered a security issue.
>> 
>> It's not, indeed.
>> 
>> The glaringly obvious reason being that only the site administrator, or
>> the user himself, can replace the dump file with something else.
>
> I'm not sure I agree (there's the symlink attack, for example), but I
> don't think it changes the nature of the issue.

How would such a ``symlink attack'' work?
And in any case:

  1. How will such a malicious .pdmp file be installed on the user's
     system?
  2. How will such a malicious .pdmp file end up loaded by the user's
     Emacs?
  3. What privileges will the user's Emacs have, that whoever installed
     the malicious .pdmp file did not?

The answers to questions 1 and 2 can only be ``by user action'', or ``by
administrative action''.  The answer to question 3 naturally follows.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]