From: Eshel Yaron <me@eshelyaron.com>
To: Daniel Radetsky <dradetsky@gmail.com>
Cc: emacs-devel@gnu.org, Stefan Monnier <monnier@iro.umontreal.ca>,
Stefan Kangas <stefankangas@gmail.com>,
Andrea Corallo <acorallo@gnu.org>, Eli Zaretskii <eliz@gnu.org>
Subject: Re: CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
Date: Wed, 27 Nov 2024 09:40:30 +0100 [thread overview]
Message-ID: <m1ed2xrrwh.fsf@macbookpro.home> (raw)
In-Reply-To: <qq4rkpuoselwrytif2q3xlh6mnzq5kji6ihmaacqr6shxhjfke@sngkph5ac4ps> (Daniel Radetsky's message of "Tue, 26 Nov 2024 23:57:53 -0800")
Hi Daniel,
Daniel Radetsky <dradetsky@gmail.com> writes:
> On Wed, Nov 27, 2024 at 08:02:35AM +0100, Eshel Yaron wrote:
>> Hi all,
>>
>> I've just published an advisory regarding an arbitrary code execution
>> vulnerability in Emacs, which has been assigned CVE-2024-53920:
>>
>> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
>
> Slight correction: you wrote:
>
>> In some Emacs “distributions”, such as the popular Doom
>> Emacs and Prelude, either Flymake or Flycheck are enabled
>> by default in ELisp mode.
>
> This is not true of Doom, which I use. I had to modify my
> init form (which is the same as the current default in this
> respect) from
>
> :checkers
> syntax ; tasing you for every semicolon you forget
>
> to
>
> :checkers
> (syntax +flymake) ; tasing you for every semicolon you forget
>
> in order to get your rx poc to create /tmp/owned simply by
> visiting the file. This is the only doom module which can
> activate flymake.
>
> Is the same true of flycheck? It's harder to tell, but I
> think the answer is also no. In any case, while I didn't
> intentionally test this on the literal default
> configuration, I also never explicitly disabled flycheck and
> it isn't running and I had to make the above-mentioned
> change to get your poc to work.
Thanks for the heads up. I have little experience with Doom, but here
with the default Doom configuration I see that Flycheck is enabled and
the POC works, so maybe it does have something to do with your config?
If you or someone else can confirm that Doom is not vulnerable by
default I'll gladly amend the text accordingly (and try to figure out
why here it does reproduce).
Cheers,
Eshel
next prev parent reply other threads:[~2024-11-27 8:40 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-27 7:02 CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion Eshel Yaron
2024-11-27 7:57 ` Daniel Radetsky
2024-11-27 8:40 ` Eshel Yaron [this message]
2024-11-27 9:46 ` Daniel Radetsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1ed2xrrwh.fsf@macbookpro.home \
--to=me@eshelyaron.com \
--cc=acorallo@gnu.org \
--cc=dradetsky@gmail.com \
--cc=eliz@gnu.org \
--cc=emacs-devel@gnu.org \
--cc=monnier@iro.umontreal.ca \
--cc=stefankangas@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).