Re: CVE-2021-36699 report
From: Nicolas Martyanoff
Subject: Re: CVE-2021-36699 report
Date: Tue, 25 Apr 2023 09:13:34 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Po Lu <luangruo@yahoo.com> writes:

> If you create a malformed dump file, of course Emacs cannot possibly
> work. Here, the buffer overflow is not even a bug: signature checks are
> already there to prevent a dump file created for a different copy of
> Emacs from being loaded by mistake. If you deliberately create a
> malformed dump file, Emacs does not guarantee correct operation.

Is there a reason why Emacs does not validate dump files while reading
them as any other program with any other data format? Nothing good ever
comes from buffer overflows.

> We are trying to put together two releases of a very large piece of
> software at the same time, and really should not be wasting our time on
> these CVE reports. It would save us a great deal of trouble if whoever
> runs the CVE registry stopped tracking security ``issues'' with Emacs.

I'm aware that most people simply do not care about security, and it is
your right to do the same. However, I sincerely hope it is not the view
of the GNU Emacs project in general.

--
Nicolas Martyanoff
https://n16f.net
nicolas@n16f.net