sles 15.2
misc weakness #32

5

Weakness Breakdown


Definition:

The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

Never create NULL ACLs; an attacker can set it to Everyone.

File Name:

emacs-25.3/src/w32proc.c

Context:

The highlighted line of code below is the trigger point of this particular SLES 15.2 misc weakness.

  char *p;
  const char *ext;

  if (cp == NULL) emacs_abort ();

  memset (&start, 0, sizeof (start));
  start.cb = sizeof (start);

#ifdef HAVE_NTGUI
  if (NILP (Vw32_start_process_show_window) && !is_gui_app)
    start.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
  else
    start.dwFlags = STARTF_USESTDHANDLES;
  start.wShowWindow = SW_HIDE;

  start.hStdInput = GetStdHandle (STD_INPUT_HANDLE);
  start.hStdOutput = GetStdHandle (STD_OUTPUT_HANDLE);
  start.hStdError = GetStdHandle (STD_ERROR_HANDLE);
#endif /* HAVE_NTGUI */

#if 0
  /* Explicitly specify no security */
  if (!InitializeSecurityDescriptor (&sec_desc, SECURITY_DESCRIPTOR_REVISION))
    goto EH_Fail;
  if (!SetSecurityDescriptorDacl (&sec_desc, TRUE, NULL, FALSE))
    goto EH_Fail;
#endif
  sec_attrs.nLength = sizeof (sec_attrs);
  sec_attrs.lpSecurityDescriptor = NULL /* &sec_desc */;
  sec_attrs.bInheritHandle = FALSE;

  filename_to_ansi (process_dir, dir);
  /* Can't use unixtodos_filename here, since that needs its file name
     argument encoded in UTF-8.  OTOH, process_dir, which _is_ in
     UTF-8, points, to the directory computed by our caller, and we
     don't want to modify that, either.  */
  for (p = dir; *p; p = CharNextA (p))
    if (*p == '/')
      *p = '\\';

  /* CreateProcess handles batch files as exe specially.  This special
     handling fails when both the batch file and arguments are quoted.
     We pass NULL as exe to avoid the special handling. */
  if (exe && cmdline[0] == '"' &&
      (ext = strrchr (exe, '.')) &&
      (xstrcasecmp (ext, ".bat") == 0
       || xstrcasecmp (ext, ".cmd") == 0))
      exe = NULL;

  flags = (!NILP (Vw32_start_process_share_console) 
