bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x

unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed

From: Stefan Monnier <monnier@iro.umontreal.ca>
To: adam plaice <plaice.adam+lists@gmail.com>
Cc: 37656@debbugs.gnu.org
Subject: bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x
Date: Wed, 16 Oct 2019 09:13:43 -0400	[thread overview]
Message-ID: <jwvmue0x2ek.fsf-monnier+emacs@gnu.org> (raw)
In-Reply-To: <CAJw81da4=R1jMJ0enx6SbO7G1rzaL61K2kqbY+jxhe=AM-3vtQ@mail.gmail.com> (adam plaice's message of "Tue, 8 Oct 2019 10:48:32 +0200")

> -*- mode: emacs-lisp; mode: flymake -*-
>
> (eval-when-compile
>   (with-temp-file "~/emacs_flymake_security_bug"
>       (insert "Could have also executed any code.")))

Yes, it's a serious (and, sadly, known) problem.

I think it goes further than just flymake support for Elisp: flymake
support for other major modes may also end up running arbitrary code
(tho it will depend on the specifics).

So, I think flymake should have a list of "safe" places where it can
treat files like it does know, and any file found elsewhere should be
treated with more care either by simply disabling flymake or disabling
some of its backends, or making its backends more careful (e.g. to
compile those files in a mode where `eval-when-compile` is not executed
or is only executed after passing it through a stringent safety test).

        Stefan

     prev parent reply	other threads:[~2019-10-16 13:13 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-08  8:48 bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x adam plaice
2019-10-15 21:05 ` bug#37656: 27.0.50; Arbitrary code execution with special `mode:' adam plaice
2019-10-16 13:13 ` Stefan Monnier [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=jwvmue0x2ek.fsf-monnier+emacs@gnu.org \
    --to=monnier@iro.umontreal.ca \
    --cc=37656@debbugs.gnu.org \
    --cc=plaice.adam+lists@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).