From: Stefan Monnier
Newsgroups: gmane.emacs.bugs
Subject: bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution
Date: Wed, 16 Oct 2019 09:13:43 -0400
To: adam plaice
Cc: 37656@debbugs.gnu.org
In-Reply-To: (adam plaice's message of "Tue, 8 Oct 2019 10:48:32 +0200")
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security

> -*- mode: emacs-lisp; mode: flymake -*-
>
> (eval-when-compile
>   (with-temp-file "~/emacs_flymake_security_bug"
>     (insert "Could have also executed any code.")))

Yes, it's a serious (and, sadly, known) problem.

I think it goes further than just flymake support for Elisp: flymake
support for other major modes may also end up running arbitrary code
(tho it will depend on the specifics).

So, I think flymake should have a list of "safe" places where it can
treat files like it does now, and any file found elsewhere should be
treated with more care, either by simply disabling flymake or disabling
some of its backends, or making its backends more careful (e.g. to
compile those files in a mode where `eval-when-compile` is not executed
or is only executed after passing it through a stringent safety test).


        Stefan
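
A user-level sketch of the "safe places" idea from the message above, added here as an example; it is not code from this thread or from Emacs itself. It assumes Emacs 26 or later, where `emacs-lisp-mode` adds `elisp-flymake-byte-compile` to the buffer-local `flymake-diagnostic-functions`; every `my/` name and the sample directory are hypothetical.

```emacs-lisp
;;; Added example.  All `my/' names are hypothetical; the directory
;;; list is a constructed sample value to adapt.
(require 'seq)

(defvar my/flymake-trusted-dirs
  (list (expand-file-name "lisp/" user-emacs-directory))
  "Directories whose Elisp files Flymake may byte-compile.")

(defun my/flymake-trusted-file-p (file)
  "Return non-nil if FILE lies inside one of `my/flymake-trusted-dirs'.
`file-in-directory-p' compares truenames, so a symlink placed inside
a trusted directory does not make its target trusted, and it returns
nil when the directory does not exist."
  (and file
       (seq-some (lambda (dir) (file-in-directory-p file dir))
                 my/flymake-trusted-dirs)))

(defun my/flymake-restrict-elisp-backends ()
  "Remove the byte-compiling backend outside the trusted directories.
Buffers that visit no file are treated as untrusted."
  (unless (my/flymake-trusted-file-p buffer-file-name)
    ;; The backend byte-compiles the buffer, which expands macros and
    ;; so evaluates `eval-when-compile' forms.  Removing it from the
    ;; buffer-local hook leaves Flymake's other backends in place.
    (remove-hook 'flymake-diagnostic-functions
                 #'elisp-flymake-byte-compile t)))

;; The major-mode hook runs after `emacs-lisp-mode' has installed its
;; backends, so the removal takes effect in this buffer.
(add-hook 'emacs-lisp-mode-hook #'my/flymake-restrict-elisp-backends)
```

This covers only the Elisp byte-compile backend; as the message notes, backends for other major modes would need the same treatment.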