From: Steven Allen
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It
Date: Wed, 04 Dec 2024 07:04:42 -0800
Message-ID: <87v7vzh4l1.fsf@stebalien.com>
References: <878qswfya2.fsf@librehacker.com>
To: Jean Louis, Christopher Howard
Cc: Emacs Devel Mailing List
Xref: news.gmane.io gmane.emacs.devel:326031

Jean Louis writes:

> In every programming language it is possible to obscure the code and execute arbitrary code.
>
> I do not see it as a special security issue, it is common, known.
>
> --
> Jean Louis

Yes, but opening random text files shouldn't execute arbitrary code. The concern here is that someone can:

1. Create some "document.txt" file.
2. Start it with ";; -*- mode: emacs-lisp -*-".
3. Include a macro that executes some malicious lisp code.
4. Send it to some unsuspecting victim.

Opening this file will run arbitrary code if flymake is enabled for emacs-lisp files, even though the file looks like it should be an innocent ".txt" file.
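As an added example, not part of Steven's message and not code from Emacs or flymake: the decoy file the four steps describe, with a harmless payload that only writes a marker file so the expansion-time execution can be observed, and a small check that flags a file whose -*- mode cookie disagrees with the major mode its file name would normally select. The poc- names, the decoy contents and the marker-file path are all constructed here for illustration.

```elisp
;; Added example, not code from the message or from Emacs itself.
;; Everything here is constructed for illustration: the poc- names, the
;; decoy contents and the marker-file path are assumptions.

(defconst poc-document-text
  (concat
   ";; -*- mode: emacs-lisp -*-\n"
   ";; Reads like notes, but the cookie above makes Emacs open it as Lisp.\n"
   "(defmacro poc-at-expansion-time ()\n"
   "  ;; A macro body runs when the macro is EXPANDED.  Byte-compiling the\n"
   "  ;; buffer, as flymake's elisp backend does, expands it, so this runs\n"
   "  ;; without anyone evaluating the file.  Benign stand-in for a payload:\n"
   "  (with-temp-file (expand-file-name \"poc-marker\" temporary-file-directory)\n"
   "    (insert \"macro expanded\\n\"))\n"
   "  nil)\n"
   "(poc-at-expansion-time)\n")
  "Constructed contents of the decoy \"document.txt\" described in the thread.")

(defun poc-write-document (file)
  "Write the constructed decoy text to FILE and return FILE."
  (with-temp-file file
    (insert poc-document-text))
  file)

(defun poc-mode-cookie (file)
  "Return the mode named by a -*- ... -*- cookie in FILE's first two lines, or nil.
Both \"-*- mode: emacs-lisp -*-\" and the short \"-*- emacs-lisp -*-\" form
are recognised.  The file is read into a temporary buffer, so no major mode
(and therefore no flymake backend) ever runs on its contents."
  (with-temp-buffer
    (insert-file-contents file nil 0 1024)
    (goto-char (point-min))
    (when (re-search-forward "-\\*-\\(.*?\\)-\\*-" (line-end-position 2) t)
      (let ((body (match-string 1)))
        (cond
         ((string-match "mode:[ \t]*\\([^ \t;]+\\)" body)
          (match-string 1 body))
         ((string-match "\\`[ \t]*\\([^ \t:;]+\\)[ \t]*\\'" body)
          (match-string 1 body)))))))

(defun poc-expected-mode (file)
  "Major mode `auto-mode-alist' would choose from FILE's name alone."
  (let ((entry (assoc-default file auto-mode-alist #'string-match-p)))
    ;; Entries may be (REGEXP MODE t); normalise to the mode symbol.
    (if (consp entry) (car entry) entry)))

(defun poc-mode-cookie-mismatch (file)
  "Return (COOKIE-MODE . NAME-MODE) when FILE's cookie overrides the mode its
name would select, e.g. (emacs-lisp-mode . text-mode) for the decoy.
Return nil if there is no cookie or the two agree."
  (let ((name (poc-mode-cookie file)))
    (when name
      (let ((claimed (intern (if (string-suffix-p "-mode" name)
                                 name
                               (concat name "-mode"))))
            (expected (poc-expected-mode file)))
        (unless (eq claimed expected)
          (cons claimed expected))))))

;; Usage: create the decoy in the temp directory and check it before
;; visiting it with `find-file'.
(poc-mode-cookie-mismatch
 (poc-write-document (expand-file-name "document.txt" temporary-file-directory)))
```

The check reads the file with insert-file-contents into a temporary buffer, so it never selects a major mode and cannot itself trigger flymake; run it on an attachment before visiting the file. It only reports that the cookie and the file name disagree (a ".txt" asking for emacs-lisp), which is the tell for the scenario above, not a judgement about whether the contents are dangerous.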