unofficial mirror of emacs-devel@gnu.org 
* Emacs Arbitrary Code Execution and How to Avoid It
@ 2024-12-03 17:53 Christopher Howard
  2024-12-03 19:20 ` Gerd Möllmann
  2024-12-04  9:39 ` Jean Louis
  0 siblings, 2 replies; 7+ messages in thread
From: Christopher Howard @ 2024-12-03 17:53 UTC (permalink / raw)
  To: Emacs Devel Mailing List

Hi, I read the interesting write up here:

https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html

I wasn't terribly worried about this, as I don't *automatically* activate Flymake or Flycheck. But the article did mention that "code completion runs arbitrary code", and I was wondering more about that. I do not currently use Completion Preview mode. I have used Company in the past but company-mode is not currently activated. So, if I am just viewing an elisp file, i.e., not typing anything in it, nor running dabbrev commands, is there any danger? Should I set up Emacs to, by default, open all elisp files in View Mode?

Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion.

I was going to e-mail the author of the post, but cloudflare won't let me see his e-mail address.

-- 
📛 Christopher Howard
🚀 gemini://gem.librehacker.com
🌐 http://gem.librehacker.com

In the beginning God created the heavens and the earth




* Re: Emacs Arbitrary Code Execution and How to Avoid It
  2024-12-03 17:53 Emacs Arbitrary Code Execution and How to Avoid It Christopher Howard
@ 2024-12-03 19:20 ` Gerd Möllmann
  2024-12-03 20:25   ` Eshel Yaron
  2024-12-04  9:39 ` Jean Louis
  1 sibling, 1 reply; 7+ messages in thread
From: Gerd Möllmann @ 2024-12-03 19:20 UTC (permalink / raw)
  To: Christopher Howard; +Cc: Emacs Devel Mailing List, me

Christopher Howard <christopher@librehacker.com> writes:

> Hi, I read the interesting write up here:
>
> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
>
> I wasn't terribly worried about this, as I don't *automatically*
> activate Flymake or Flycheck. But the article did mention that "code
> completion runs arbitrary code", and I was wondering more about that.
> I do not currently use Completion Preview mode. I have used Company in
> the past but company-mode is not currently activated. So, if I am just
> viewing an elisp file, i.e., not typing anything in it, nor running
> dabbrev commands, is there any danger? Should I set up Emacs to, by
> default, open all elisp files in View Mode?
>
> Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion.
>
> I was going to e-mail the author of the post, but cloudflare won't let me see his e-mail address.

There is an envelope icon in the top right (CC'd).




* Re: Emacs Arbitrary Code Execution and How to Avoid It
  2024-12-03 19:20 ` Gerd Möllmann
@ 2024-12-03 20:25   ` Eshel Yaron
  0 siblings, 0 replies; 7+ messages in thread
From: Eshel Yaron @ 2024-12-03 20:25 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Christopher Howard, Emacs Devel Mailing List

Hi,

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> Christopher Howard <christopher@librehacker.com> writes:
>
>> Hi, I read the interesting write up here:
>>
>> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
>>
>> I wasn't terribly worried about this, as I don't *automatically*
>> activate Flymake or Flycheck. But the article did mention that "code
>> completion runs arbitrary code", and I was wondering more about that.
>> I do not currently use Completion Preview mode. I have used Company in
>> the past but company-mode is not currently activated. So, if I am just
>> viewing an elisp file, i.e., not typing anything in it, nor running
>> dabbrev commands, is there any danger? 

Probably not, but this really depends on the specifics of your setup.
Namely, the "danger" comes from macro-expanding untrusted code, so if
you don't do anything that involves expanding macros, then you're fine.

Regarding completion in particular: ELisp mode adds a function
elisp-completion-at-point to completion-at-point-functions, so whatever
completion mechanism you use that runs completion-at-point-functions may
call elisp-completion-at-point.  Now, when elisp-completion-at-point
thinks that variable names are appropriate completion candidates at the
current position, it returns a completion table that, among other things,
expands macros when the completion mechanism queries it.  So it comes
down to whether or not you "trigger completion", and exactly where.
Again, which actions trigger completion and which don't depend on your
specific setup.

>> Should I set up Emacs to, by default, open all elisp files in View
>> Mode?

Not necessarily.  First, editing files that you control and/or trust
remains perfectly safe: no need for such measures in your own config,
for example.  Second, you can trigger macro-expansion (and therefore run
into risk in case of a malicious file) even if you do enable View mode:
for example, the elisp-def package sometimes expands macros when you use
it to jump to a symbol's definition.

>> Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion.

I don't think dabbrev expands macros.


Best,

Eshel




* Re: Emacs Arbitrary Code Execution and How to Avoid It
  2024-12-03 17:53 Emacs Arbitrary Code Execution and How to Avoid It Christopher Howard
  2024-12-03 19:20 ` Gerd Möllmann
@ 2024-12-04  9:39 ` Jean Louis
  2024-12-04 15:04   ` Steven Allen
  1 sibling, 1 reply; 7+ messages in thread
From: Jean Louis @ 2024-12-04  9:39 UTC (permalink / raw)
  To: Christopher Howard; +Cc: Emacs Devel Mailing List

* Christopher Howard <christopher@librehacker.com> [2024-12-03 20:56]:
> Hi, I read the interesting write up here:
> 
> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
> 
> I wasn't terribly worried about this, as I don't *automatically* activate Flymake or Flycheck. But the article did mention that "code completion runs arbitrary code", and I was wondering more about that. I do not currently use Completion Preview mode. I have used Company in the past but company-mode is not currently activated. So, if I am just viewing an elisp file, i.e., not typing anything in it, nor running dabbrev commands, is there any danger? Should I set up Emacs to, by default, open all elisp files in View Mode?
> 
> Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion.
> 
> I was going to e-mail the author of the post, but cloudflare won't let me see his e-mail address.

In every programming language it is possible to obscure the code and execute arbitrary code.

I do not see it as a special security issue, it is common, known.

-- 
Jean Louis




* Re: Emacs Arbitrary Code Execution and How to Avoid It
  2024-12-04  9:39 ` Jean Louis
@ 2024-12-04 15:04   ` Steven Allen
  2024-12-04 17:02     ` Jean Louis
  0 siblings, 1 reply; 7+ messages in thread
From: Steven Allen @ 2024-12-04 15:04 UTC (permalink / raw)
  To: Jean Louis, Christopher Howard; +Cc: Emacs Devel Mailing List


Jean Louis <bugs@gnu.support> writes:
> In every programming language it is possible to obscure the code and execute arbitrary code.
>
> I do not see it as a special security issue, it is common, known.
>
> -- 
> Jean Louis

Yes, but opening random text files shouldn't execute arbitrary code. The
concern here is that someone can:

1. Create some "document.txt" file.
2. Start it with ";; -*- mode: emacs-lisp -*-".
3. Include a macro that executes some malicious lisp code.
4. Send it to some unsuspecting victim.

Opening this file will run arbitrary code if flymake is enabled for
emacs-lisp files, even though the file looks like it should be an
innocent ".txt" file.
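
Added example (not part of any message in this thread, and not code from Emacs): one way to act on the two replies above is to strip, per buffer, the two built-in helpers that macro-expand buffer contents whenever an Emacs Lisp buffer visits a file outside directories you trust. The `my-` names and the allowlist are hypothetical; `elisp-flymake-byte-compile` is the Flymake backend that byte-compiles the buffer.

```elisp
;;; my-untrusted-elisp.el --- added example  -*- lexical-binding: t -*-

(require 'seq)

(defvar my-trusted-elisp-directories (list user-emacs-directory)
  "Hypothetical allowlist of directories whose Emacs Lisp files are trusted.")

(defun my-elisp-file-trusted-p (file)
  "Return non-nil if FILE lies under one of `my-trusted-elisp-directories'.
`file-in-directory-p' resolves symlinks, so a link placed inside a
trusted directory is judged by the location of its target."
  (seq-some (lambda (dir) (file-in-directory-p file dir))
            my-trusted-elisp-directories))

(defun my-elisp-restrict-untrusted ()
  "Drop macro-expanding helpers in Emacs Lisp buffers visiting untrusted files.
The major mode, not the file extension, decides, so a \"document.txt\"
that selects emacs-lisp mode through its first line is covered too."
  (when (and (derived-mode-p 'emacs-lisp-mode)
             buffer-file-name   ; file-less buffers such as *scratch* are left alone
             (not (my-elisp-file-trusted-p buffer-file-name)))
    ;; The completion function named in Eshel's reply; removed buffer-locally.
    (remove-hook 'completion-at-point-functions
                 #'elisp-completion-at-point t)
    ;; The Flymake backend that byte-compiles (and so macro-expands) the buffer.
    (remove-hook 'flymake-diagnostic-functions
                 #'elisp-flymake-byte-compile t)
    (message "Untrusted Emacs Lisp file: completion and byte-compile checks off")))

;; This hook runs after the major mode's body but before any mode hook, so
;; the helpers are gone before a user hook such as
;; (add-hook 'emacs-lisp-mode-hook #'flymake-mode) gets to run.
(add-hook 'change-major-mode-after-body-hook #'my-elisp-restrict-untrusted)
```

This covers only the two built-in paths discussed in the thread; third-party packages that expand macros themselves (the thread mentions Flycheck and elisp-def) need their own handling.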




* Re: Emacs Arbitrary Code Execution and How to Avoid It
  2024-12-04 15:04   ` Steven Allen
@ 2024-12-04 17:02     ` Jean Louis
  2024-12-04 17:23       ` Christopher Howard
  0 siblings, 1 reply; 7+ messages in thread
From: Jean Louis @ 2024-12-04 17:02 UTC (permalink / raw)
  To: Steven Allen; +Cc: Christopher Howard, Emacs Devel Mailing List

* Steven Allen <steven@stebalien.com> [2024-12-04 18:05]:
> 
> Jean Louis <bugs@gnu.support> writes:
> > In every programming language it is possible to obscure the code and execute arbitrary code.
> >
> > I do not see it as a special security issue, it is common, known.
> >
> > -- 
> > Jean Louis
> 
> Yes, but opening random text files shouldn't execute arbitrary code. The
> concern here is that someone can:
> 
> 1. Create some "document.txt" file.
> 2. Start it with ";; -*- mode: emacs-lisp -*-".
> 3. Include a macro that executes some malicious lisp code.
> 4. Send it to some unsuspecting victim.
> 
> Opening this file will run arbitrary code if flymake is enabled for
> emacs-lisp files, even though the file looks like it should be an
> innocent ".txt" file.

I get it, though similar concepts are in many editors. As you said,
"if flymake is enabled" which means that the user enabling flymake should
get informed of it. There is a myriad of packages that can be created,
so "if" they are enabled to do specific things on specific triggers
that does not constitute a serious "security hole". It is all
conditional, and there are many conditions that may provide an open
door for malicious friends to execute whatever code. It is anyway
coming by spam. It requires 21st century literacy to recognize
something is wrong. We talk hypothetically, so far there are zero
victims, nothing happened, no damage, just sensationalism.

-- 
Jean Louis




* Re: Emacs Arbitrary Code Execution and How to Avoid It
  2024-12-04 17:02     ` Jean Louis
@ 2024-12-04 17:23       ` Christopher Howard
  0 siblings, 0 replies; 7+ messages in thread
From: Christopher Howard @ 2024-12-04 17:23 UTC (permalink / raw)
  To: Steven Allen; +Cc: Emacs Devel Mailing List

Jean Louis <bugs@gnu.support> writes:

> I get it, though similar concepts are in many editors. As you said,
> "if flymake is enabled" which means that the user enabling flymake should
> get informed of it. There is a myriad of packages that can be created,
> so "if" they are enabled to do specific things on specific triggers
> that does not constitute a serious "security hole". It is all
> conditional, and there are many conditions that may provide an open
> door for malicious friends to execute whatever code. It is anyway
> coming by spam. It requires 21st century literacy to recognize
> something is wrong. We talk hypothetically, so far there are zero
> victims, nothing happened, no damage, just sensationalism.

It seems like a "significant" concern, if maybe not a "serious" one. I highly doubt I would ever be caught in this way by a spam e-mail attachment. But something I do very frequently is clone random repositories, including obscure new packages and advertised init.el code, and peruse through the elisp code with my Emacs editor. I don't think it is sensational to wonder about whether simply inspecting the code file (find-file) is going to allow for immediate code execution that could do things like delete my ssh keys or paste them to a bin Web site.

With directory local variables, there is a mechanism in place that asks you first if you want to apply the variables. So this sort of thing has been considered a valid concern.

Perhaps, at the moment, a vanilla Emacs setup does not trigger this, but it is something users should be aware of as they are considering various features to enable or install. If completion-preview-mode activates this, which is a built-in feature, that seems worthy of note. And maybe some mitigation could be programmed into Emacs — I'm not sure.

-- 
Christopher Howard



