CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion

unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed

* CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
@ 2024-11-27  7:02 Eshel Yaron
  2024-11-27  7:57 ` Daniel Radetsky
  0 siblings, 1 reply; 4+ messages in thread
From: Eshel Yaron @ 2024-11-27  7:02 UTC (permalink / raw)
  To: emacs-devel; +Cc: Stefan Monnier, Stefan Kangas, Andrea Corallo, Eli Zaretskii

Hi all,

I've just published an advisory regarding an arbitrary code execution
vulnerability in Emacs, which has been assigned CVE-2024-53920:

https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html

The vulnerability itself is not new and it has been brought up in the
past (as I learned from Stefan K. after reporting this issue privately),
but no CVE has been assigned previously.  I tried to spell out the issue
in clear and simple terms in this advisory, if someone spots a mistake
or something that deserves further clarification, please let me know.

Best regards and safe hacking,

Eshel

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
  2024-11-27  7:02 CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion Eshel Yaron
@ 2024-11-27  7:57 ` Daniel Radetsky
  2024-11-27  8:40   ` Eshel Yaron
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel Radetsky @ 2024-11-27  7:57 UTC (permalink / raw)
  To: Eshel Yaron
  Cc: emacs-devel, Stefan Monnier, Stefan Kangas, Andrea Corallo,
	Eli Zaretskii

On Wed, Nov 27, 2024 at 08:02:35AM +0100, Eshel Yaron wrote:
> Hi all,
> 
> I've just published an advisory regarding an arbitrary code execution
> vulnerability in Emacs, which has been assigned CVE-2024-53920:
> 
> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html

Slight correction: you wrote:

> In some Emacs “distributions”, such as the popular Doom
> Emacs and Prelude, either Flymake or Flycheck are enabled
> by default in ELisp mode.

This is not true of Doom, which I use. I had to modify my
init form (which is the same as the current default in this
respect) from

       :checkers
       syntax              ; tasing you for every semicolon you forget

to

       :checkers
       (syntax +flymake)              ; tasing you for every semicolon you forget

in order to get your rx poc to create /tmp/owned simply by
visiting the file. This is the only doom module which can
activate flymake.

Is the same true of flycheck? It's harder to tell, but I
think the answer is also no. In any case, while I didn't
intentionally test this on the literal default
configuration, I also never explicitly disabled flycheck and
it isn't running and I had to make the above-mentioned
change to get your poc to work.

--dmr

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
  2024-11-27  7:57 ` Daniel Radetsky
@ 2024-11-27  8:40   ` Eshel Yaron
  2024-11-27  9:46     ` Daniel Radetsky
  0 siblings, 1 reply; 4+ messages in thread
From: Eshel Yaron @ 2024-11-27  8:40 UTC (permalink / raw)
  To: Daniel Radetsky
  Cc: emacs-devel, Stefan Monnier, Stefan Kangas, Andrea Corallo,
	Eli Zaretskii

Hi Daniel,

Daniel Radetsky <dradetsky@gmail.com> writes:

> On Wed, Nov 27, 2024 at 08:02:35AM +0100, Eshel Yaron wrote:
>> Hi all,
>> 
>> I've just published an advisory regarding an arbitrary code execution
>> vulnerability in Emacs, which has been assigned CVE-2024-53920:
>> 
>> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
>
> Slight correction: you wrote:
>
>> In some Emacs “distributions”, such as the popular Doom
>> Emacs and Prelude, either Flymake or Flycheck are enabled
>> by default in ELisp mode.
>
> This is not true of Doom, which I use. I had to modify my
> init form (which is the same as the current default in this
> respect) from
>
>        :checkers
>        syntax              ; tasing you for every semicolon you forget
>
> to
>
>        :checkers
>        (syntax +flymake)              ; tasing you for every semicolon you forget
>
> in order to get your rx poc to create /tmp/owned simply by
> visiting the file. This is the only doom module which can
> activate flymake.
>
> Is the same true of flycheck? It's harder to tell, but I
> think the answer is also no. In any case, while I didn't
> intentionally test this on the literal default
> configuration, I also never explicitly disabled flycheck and
> it isn't running and I had to make the above-mentioned
> change to get your poc to work.

Thanks for the heads up.  I have little experience with Doom, but here
with the default Doom configuration I see that Flycheck is enabled and
the POC works, so maybe it does have something to do with your config?

If you or someone else can confirm that Doom is not vulnerable by
default I'll gladly amend the text accordingly (and try to figure out
why here it does reproduce).


Cheers,

Eshel



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
  2024-11-27  8:40   ` Eshel Yaron
@ 2024-11-27  9:46     ` Daniel Radetsky
  0 siblings, 0 replies; 4+ messages in thread
From: Daniel Radetsky @ 2024-11-27  9:46 UTC (permalink / raw)
  To: Eshel Yaron
  Cc: emacs-devel, Stefan Monnier, Stefan Kangas, Andrea Corallo,
	Eli Zaretskii

On Wed, Nov 27, 2024 at 09:40:30AM +0100, Eshel Yaron wrote:
> Thanks for the heads up.  I have little experience with Doom, but here
> with the default Doom configuration I see that Flycheck is enabled and
> the POC works, so maybe it does have something to do with your config?

Actually, it probably does. In order to solve an unrelated
issue with (IIRC) LSP, I added

(remove-hook 'doom-first-buffer-hook #'global-flycheck-mode)

and then forgot about it completely (I'm very much a
turn-on-checks-when-I-want-them-checked kind of developer).
So I could test it, but I think you're probably just
correct.

--dmr



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-11-27  9:46 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-27  7:02 CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion Eshel Yaron
2024-11-27  7:57 ` Daniel Radetsky
2024-11-27  8:40   ` Eshel Yaron
2024-11-27  9:46     ` Daniel Radetsky

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).