From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.bugs Subject: bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code Date: Thu, 23 Aug 2018 14:54:31 -0400 Message-ID: References: NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: blaine.gmane.org 1535050446 25866 195.159.176.226 (23 Aug 2018 18:54:06 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Thu, 23 Aug 2018 18:54:06 +0000 (UTC) User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) Cc: 32495@debbugs.gnu.org To: Wilfred Hughes Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Thu Aug 23 20:54:01 2018 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fsuk3-0006Xm-2w for geb-bug-gnu-emacs@m.gmane.org; Thu, 23 Aug 2018 20:53:59 +0200 Original-Received: from localhost ([::1]:38414 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fsum8-0003Um-PI for geb-bug-gnu-emacs@m.gmane.org; Thu, 23 Aug 2018 14:56:08 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:56880) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fsulz-0003PS-Lw for bug-gnu-emacs@gnu.org; Thu, 23 Aug 2018 14:56:03 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fsul4-00048F-0y for bug-gnu-emacs@gnu.org; Thu, 23 Aug 2018 14:55:05 -0400 Original-Received: from debbugs.gnu.org ([208.118.235.43]:54072) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fsul3-000489-T9 for bug-gnu-emacs@gnu.org; Thu, 23 Aug 2018 14:55:01 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1fsul3-0003zi-LO for bug-gnu-emacs@gnu.org; Thu, 23 Aug 2018 14:55:01 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Stefan Monnier Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Thu, 23 Aug 2018 18:55:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 32495 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security Original-Received: via spool by 32495-submit@debbugs.gnu.org id=B32495.153505048115319 (code B ref 32495); Thu, 23 Aug 2018 18:55:01 +0000 Original-Received: (at 32495) by debbugs.gnu.org; 23 Aug 2018 18:54:41 +0000 Original-Received: from localhost ([127.0.0.1]:59090 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fsukj-0003z1-AX for submit@debbugs.gnu.org; Thu, 23 Aug 2018 14:54:41 -0400 Original-Received: from pmta11.teksavvy.com ([76.10.157.34]:42471) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fsukg-0003yk-6e for 32495@debbugs.gnu.org; Thu, 23 Aug 2018 14:54:39 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A2FSCwBbAn9b/+N53mhcHAEBAQQBAQoBAYNPgWSIQ4RBiz4BggwTIAGXZwuEZgQCAoMOIjgUAQIBAQEBAQECAgJpKIU5AQQBViMFCwsOJhIUGA0khS8IpGCKYIk3ggCDdi6KVgKSUohKCZAEiDOGDZM/gVgigVIzGggwgyWCTI4iI45wAQE X-IPAS-Result: A2FSCwBbAn9b/+N53mhcHAEBAQQBAQoBAYNPgWSIQ4RBiz4BggwTIAGXZwuEZgQCAoMOIjgUAQIBAQEBAQECAgJpKIU5AQQBViMFCwsOJhIUGA0khS8IpGCKYIk3ggCDdi6KVgKSUohKCZAEiDOGDZM/gVgigVIzGggwgyWCTI4iI45wAQE X-IronPort-AV: E=Sophos;i="5.53,279,1531800000"; d="scan'208";a="44991267" Original-Received: from 104-222-121-227.cpe.teksavvy.com (HELO fmsmemgm.homelinux.net) ([104.222.121.227]) by smtp.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Aug 2018 14:54:31 -0400 Original-Received: by fmsmemgm.homelinux.net (Postfix, from userid 20848) id 76740AE120; Thu, 23 Aug 2018 14:54:31 -0400 (EDT) In-Reply-To: (Wilfred Hughes's message of "Wed, 22 Aug 2018 01:11:55 +0100") X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 208.118.235.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.org gmane.emacs.bugs:149701 Archived-At: > 1. pass in an environment with all untrusted macros replaced with dummies: Sounds like a good first step. We could even start with a blacklist rather than a whitelist (eval-when-compile, eval-and-compile, cl-eval-when, ...), so the point would be to protect oneself from accidental problems rather than from malign adversaries. > 2. bind all eval-capable functions first (INCOMPLETE, there are other > eval-capable functions, such as load): Trying to plug each and every hole sounds like a losing game (e.g. you can implement `eval` by building a `(lambda () ,exp) and then causing it to be called one way or another). Ideally, we'd have some way to confine Elisp code to a sandbox of some sort (e.g. no access to any I/O and all changes to global vars are ignored). Stefan