unofficial mirror of emacs-devel@gnu.org 
From: Jean Louis <bugs@gnu.support>
To: Steven Allen <steven@stebalien.com>
Cc: Christopher Howard <christopher@librehacker.com>,
	Emacs Devel Mailing List <emacs-devel@gnu.org>
Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It
Date: Wed, 4 Dec 2024 20:02:57 +0300
Message-ID: <Z1CLQbLlB7KA2vDS@lco2>
In-Reply-To: <87v7vzh4l1.fsf@stebalien.com>

* Steven Allen <steven@stebalien.com> [2024-12-04 18:05]:
> 
> Jean Louis <bugs@gnu.support> writes:
> > In every programming language it is possible to obscure the code and execute arbitrary code.
> >
> > I do not see it as special security issue, it is common, known.
> >
> > -- 
> > Jean Louis
> 
> Yes, but opening random text files shouldn't execute arbitrary code. The
> concern here is that someone can:
> 
> 1. Create some "document.txt" file.
> 2. Start it with ";; -*- mode: emacs-lisp -*-".
> 3. Include a macro that executes some malicious lisp code.
> 4. Send it to some unsuspecting victim.
> 
> Opening this file will run arbitrary code if flymake is enabled for
> emacs-lisp files, even though the file looks like it should be an
> innocent ".txt" file.

I get it, though similar concepts are in many editors. As you said,
"if flymake is enabled", which means that a user enabling flymake should
get informed of it. There is a myriad of packages that can be created,
so "if" they are enabled to do specific things on specific triggers,
that does not constitute a serious "security hole". It is all
conditional, and there are many conditions that may provide an open
door for malicious friends to execute whatever code. It is anyway
coming by spam. It requires 21st century literacy to recognize
something is wrong. We talk hypothetically; so far there are zero
victims, nothing happened, no damage, just sensationalism.

-- 
Jean Louis
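One way to narrow the condition Steven describes ("if flymake is enabled for emacs-lisp files"), as an added example that is neither from this thread nor part of Emacs itself: an `emacs-lisp-mode-hook` that drops Flymake's byte-compile backend, which is the one that expands macros and therefore runs code from the file, unless the buffer visits a `.el` file under a directory you list. The `my/` names and the directory list are placeholders; the checkdoc backend, which only reads buffer text, is left in place.

```elisp
;; Added example, not from the thread or from Emacs. Assumes Emacs 27+ (for the
;; DEPTH argument of `add-hook') and the built-in elisp Flymake backends.
(require 'seq)

(defvar my/trusted-elisp-dirs
  (list (expand-file-name user-emacs-directory)
        (expand-file-name "~/src/"))      ; placeholder list, adjust to taste
  "Directories whose .el files Flymake may byte-compile.")

(defun my/elisp-file-trusted-p (file)
  "Return non-nil when FILE is a .el file under one of `my/trusted-elisp-dirs'.
A \"document.txt\" carrying a `-*- mode: emacs-lisp -*-' cookie fails the
extension test even if it sits in a trusted directory."
  (and file
       (string-suffix-p ".el" file)
       (let ((abs (expand-file-name file)))
         (seq-some (lambda (dir) (string-prefix-p dir abs))
                   my/trusted-elisp-dirs))))

(defun my/flymake-guard-elisp-backends ()
  "Remove `elisp-flymake-byte-compile' from untrusted Emacs Lisp buffers.
Byte compilation macroexpands the buffer, so macros in the file run at check
time; `elisp-flymake-checkdoc' only parses text and stays enabled."
  (unless (my/elisp-file-trusted-p buffer-file-name)
    (remove-hook 'flymake-diagnostic-functions #'elisp-flymake-byte-compile t)
    (message "Flymake byte-compile disabled for untrusted file: %s"
             (or buffer-file-name (buffer-name)))))

;; Negative depth runs this before other mode hooks (e.g. one that turns on
;; `flymake-mode'), so the backend is gone before the first check is scheduled.
(add-hook 'emacs-lisp-mode-hook #'my/flymake-guard-elisp-backends -90)
```

The mode body of `emacs-lisp-mode` registers both backends buffer-locally before `emacs-lisp-mode-hook` runs, which is why a plain `remove-hook` with the LOCAL flag is enough here.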



Thread overview: 29+ messages
2024-12-03 17:53 Emacs Arbitrary Code Execution and How to Avoid It Christopher Howard
2024-12-03 19:20 ` Gerd Möllmann
2024-12-03 20:25   ` Eshel Yaron
2024-12-08  5:10     ` Richard Stallman
2024-12-06  4:47   ` Richard Stallman
2024-12-06  8:30     ` Eli Zaretskii
2024-12-09  4:57       ` Richard Stallman
2024-12-09 13:59         ` Eli Zaretskii
2024-12-04  9:39 ` Jean Louis
2024-12-04 15:04   ` Steven Allen
2024-12-04 17:02     ` Jean Louis [this message]
2024-12-04 17:23       ` Christopher Howard
2024-12-07  4:23       ` Richard Stallman
2024-12-10 18:03         ` Daniel Radetsky
2024-12-11  8:35           ` Eshel Yaron
2024-12-11  9:25             ` Jean Louis
2024-12-11  9:37               ` Daniel Radetsky
2024-12-11 10:38                 ` Jean Louis
2024-12-11 10:42                   ` tomas
2024-12-11 12:50                   ` Daniel Radetsky
2024-12-11 13:10                     ` tomas
2024-12-12  4:48           ` Richard Stallman
2024-12-12  7:39             ` Jean Louis
2024-12-06  4:47 ` Richard Stallman
2024-12-06  5:30   ` Jim Porter
2024-12-06  8:32     ` Eli Zaretskii
2024-12-06  8:29   ` Eli Zaretskii
2024-12-06 16:51   ` Philip Kaludercic
2024-12-08  5:15     ` Richard Stallman
