From: Chong Yidong
Newsgroups: gmane.emacs.devel
Subject: Security flaw in enable-local-eval; new release plan
Date: Mon, 13 Aug 2012 11:10:57 +0800
Message-ID: <87obmfsczi.fsf@gnu.org>
To: emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:152457

Paul Ling has found a security flaw in the file-local variables code in GNU Emacs. When the user option `enable-local-variables' is set to `:safe' (the default value is t), Emacs should automatically refuse to evaluate `eval' forms in file-local variable sections. Due to the bug, Emacs instead automatically evaluates such `eval' forms. Thus, if the user changes the value of `enable-local-variables' to `:safe', visiting a malicious file can cause automatic execution of arbitrary Emacs Lisp code with the permissions of the user.

The bug is present in Emacs 23.2, 23.3, 23.4, and 24.1.

Attached are patches to fix this bug for Emacs 23.4 and Emacs 24.1, written by Glenn Morris. (The 23.4 patch should apply to the rest of the Emacs 23.x series.)
Due to this problem, I plan to make a 24.2 release from the emacs-24 development branch. The fix has already been committed to the emacs-24 branch, as well as the trunk. I would like to make the release in a few days; say, by the end of the week. If there are any obviously-safe bugfixes in the trunk which you would like to see backported to the emacs-24 branch, please point these out ASAP. Note also that this means the current development trunk will be scheduled for Emacs 24.3.

Content-Disposition: inline; filename=local-vars-patch-23.4.patch

*** emacs-23.4/lisp/files.el~ 2012-08-13 10:50:42.340171173 +0800 --- emacs-23.4/lisp/files.el 2012-08-13 10:51:12.528172450 +0800 *************** *** 2986,2996 **** ;; Obey `enable-local-eval'. ((eq var 'eval) (when enable-local-eval ! (push elt all-vars) ! (or (eq enable-local-eval t) ! (hack-one-local-variable-eval-safep (eval (quote val))) ! (safe-local-variable-p var val) ! (push elt unsafe-vars)))) ;; Ignore duplicates (except `mode') in the present list. ((and (assq var all-vars) (not (eq var 'mode))) nil) ;; Accept known-safe variables. --- 2986,3001 ---- ;; Obey `enable-local-eval'. ((eq var 'eval) (when enable-local-eval ! (let ((safe (or (hack-one-local-variable-eval-safep ! (eval (quote val))) ! ;; In case previously marked safe (bug#5636). ! (safe-local-variable-p var val)))) ! ;; If not safe and e-l-v = :safe, ignore totally. ! (when (or safe (not (eq enable-local-variables :safe))) ! (push elt all-vars) ! (or (eq enable-local-eval t) ! safe ! (push elt unsafe-vars)))))) ;; Ignore duplicates (except `mode') in the present list. ((and (assq var all-vars) (not (eq var 'mode))) nil) ;; Accept known-safe variables. Diff finished.
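Review bot: The new `(when (or safe (not (eq enable-local-variables :safe))) ...)' guard is the actual fix and it is in the right place: in the old branch `(push elt all-vars)' ran unconditionally as soon as `enable-local-eval' was non-nil, so an unsafe `eval' form was queued in `all-vars' regardless of `enable-local-variables', and pushing it onto `unsafe-vars' afterwards could not undo that, which is exactly the `:safe' behaviour described in the message. Two things to tighten before this ships: the comment `;; If not safe and e-l-v = :safe, ignore totally.' should spell out `enable-local-variables', since the abbreviation sits one line away from `enable-local-eval' and is easy to misread, and a regression test that visits a file carrying an unsafe `eval:' entry with `enable-local-variables' bound to `:safe' and asserts the form is never evaluated would keep this cond branch from regressing the next time it is refactored.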
Content-Disposition: inline; filename=local-vars-patch-24.1.patch

*** emacs-24.1/lisp/files.el~ 2012-08-13 10:54:50.256181658 +0800 --- emacs-24.1/lisp/files.el 2012-08-13 10:54:58.076181990 +0800 *************** *** 3107,3117 **** ;; Obey `enable-local-eval'. ((eq var 'eval) (when enable-local-eval ! (push elt all-vars) ! (or (eq enable-local-eval t) ! (hack-one-local-variable-eval-safep (eval (quote val))) ! (safe-local-variable-p var val) ! (push elt unsafe-vars)))) ;; Ignore duplicates (except `mode') in the present list. ((and (assq var all-vars) (not (eq var 'mode))) nil) ;; Accept known-safe variables. --- 3107,3122 ---- ;; Obey `enable-local-eval'. ((eq var 'eval) (when enable-local-eval ! (let ((safe (or (hack-one-local-variable-eval-safep ! (eval (quote val))) ! ;; In case previously marked safe (bug#5636). ! (safe-local-variable-p var val)))) ! ;; If not safe and e-l-v = :safe, ignore totally. ! (when (or safe (not (eq enable-local-variables :safe))) ! (push elt all-vars) ! (or (eq enable-local-eval t) ! safe ! (push elt unsafe-vars)))))) ;; Ignore duplicates (except `mode') in the present list. ((and (assq var all-vars) (not (eq var 'mode))) nil) ;; Accept known-safe variables. Diff finished.
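Review bot: `safe' is now computed in the `let' before the `(eq enable-local-eval t)' test, whereas the old `or' short-circuited on that test, so `hack-one-local-variable-eval-safep' and `safe-local-variable-p' now run on every `eval' entry even when `enable-local-eval' is `t'. That is harmless as long as both predicates stay side-effect free, but a one-line comment saying the evaluation order changed on purpose would save the next reader a double take. Minor: `(eval (quote val))' reads as a roundabout `val' under dynamic binding; if it is there to work around a byte-compiler warning, say so in a comment rather than leave it looking accidental. Apart from the 3107,3117 offsets this hunk is the same as the 23.4 one, and the comments made there apply here too.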
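As an added example that is not part of this message or of Emacs itself, a small Python scanner that locates the two places Emacs reads file-local variables from (the first-line `-*- ... -*-' section and the trailing `Local Variables:' block) and reports any `eval' entries, so a maintainer can inventory files that an unpatched Emacs with `enable-local-variables' at `:safe' would evaluate on visit. The sample files are constructed, and the split on `;' is deliberately simple.

```python
import re

# Constructed sample files (not from the original message).
SAMPLE_FIRST_LINE = '# -*- mode: python; eval: (message "hi"); coding: utf-8 -*-\nprint(1)\n'
SAMPLE_TRAILER = ("body text\n# Local Variables:\n# fill-column: 72\n"
                  "# eval: (setq indent-tabs-mode nil)\n# End:\n")
FIRST_LINE_RE = re.compile(r"-\*-\s*(.*?)\s*-\*-")


def first_line_vars(text):
    """Parse the '-*- ... -*-' section Emacs reads from line 1 (line 2 after a '#!')."""
    lines = text.split("\n", 2)
    head = lines[1] if lines[0].startswith("#!") and len(lines) > 1 else lines[0]
    m = FIRST_LINE_RE.search(head)
    if not m:
        return []
    spec = m.group(1)
    if ":" not in spec:                # bare "-*- lisp -*-" names only the mode
        return [("mode", spec.strip())]
    pairs = []
    for item in spec.split(";"):       # naive split: a ';' inside a Lisp string would confuse it
        if ":" in item:
            name, value = item.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def trailer_vars(text):
    """Parse the 'Local Variables:' ... 'End:' block Emacs looks for near the end of a file."""
    tail = text[-3000:].splitlines()
    pairs = []
    for i, line in enumerate(tail):
        at = line.find("Local Variables:")
        if at < 0:
            continue
        prefix, suffix = line[:at], line[at + len("Local Variables:"):]
        for entry in tail[i + 1:]:
            # Entry lines must repeat the opener's prefix and suffix (e.g. a comment leader).
            if not (entry.startswith(prefix) and entry.endswith(suffix)):
                break
            body = entry[len(prefix):len(entry) - len(suffix)].strip()
            if body == "End:":
                return pairs
            if ":" in body:
                name, value = body.split(":", 1)
                pairs.append((name.strip(), value.strip()))
        break
    return pairs


def find_eval_forms(text):
    """Every 'eval' entry from either section; non-empty flags a file carrying Lisp to evaluate."""
    return [v for n, v in first_line_vars(text) + trailer_vars(text) if n == "eval"]
```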