bug#63063: CVE-2021-36699 report

[lux]

On Tue, 2023-04-25 at 21:18 +0800, Po Lu via Bug reports for GNU Emacs,
the Swiss army knife of text editors wrote:
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > I think this depends on the OS, not only the CPU?
> 
> That too.
> 
> > > > I don't think this is relevant.  But based on what the code
> > > > does, I
> > > > don't see why this should be considered a security issue.
> > > 
> > > It's not, indeed.
> > > 
> > > The glaringly obvious reason being that only the site
> > > administrator, or
> > > the user himself, can replace the dump file with something else.
> > 
> > I'm not sure I agree (there's the symlink attack, for example), but
> > I
> > don't think it changes the nature of the issue.
> 
> How would such a ``symlink attack'' work?
> And in any case:
> 
>   1. How will such a malicious .pdmp file be installed on the user's
>      system?
>   2. How will such a malicious .pdmp file end up loaded by the user's
>      Emacs?
>   3. What privileges will the user's Emacs have, that whoever
> installed
>      the malicious .pdmp file did not?
> 
> The answers to questions 1 and 2 can only be ``by user action'', or
> ``by
> administrative action''.  The answer to question 3 naturally follows.
> 
> 
> 
How the vulnerability is exploited depends on the scenario and what
color hat is attacker (black hat, white hat).

Attackers do not use conventional thinking to exploit vulnerabilities,
and turn many local vulnerabilities, from 'impossible' to 'possible'.

For reference, take a look at some APT (Advanced Persistent Threat)
reports,
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections

I think if the reported CVEs are real and valid, they should be taken
seriously.