From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Eshel Yaron <me@eshelyaron.com>
Newsgroups: gmane.emacs.devel
Subject: Re: CVE-2024-53920 Emacs arbitrary code execution via unsafe
 macro-expansion
Date: Wed, 27 Nov 2024 09:40:30 +0100
Message-ID: <m1ed2xrrwh.fsf@macbookpro.home>
References: <m1a5dltb04.fsf@macbookpro.home>
 <qq4rkpuoselwrytif2q3xlh6mnzq5kji6ihmaacqr6shxhjfke@sngkph5ac4ps>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="1236"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cc: emacs-devel@gnu.org,  Stefan Monnier <monnier@iro.umontreal.ca>,  Stefan
 Kangas <stefankangas@gmail.com>,  Andrea Corallo <acorallo@gnu.org>,  Eli
 Zaretskii <eliz@gnu.org>
To: Daniel Radetsky <dradetsky@gmail.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Nov 27 09:41:27 2024
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1tGDby-00006s-0y
	for ged-emacs-devel@m.gmane-mx.org; Wed, 27 Nov 2024 09:41:26 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces@gnu.org>)
	id 1tGDbG-0003lP-HX; Wed, 27 Nov 2024 03:40:42 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@eshelyaron.com>) id 1tGDbA-0003l5-Vv
 for emacs-devel@gnu.org; Wed, 27 Nov 2024 03:40:37 -0500
Original-Received: from mail.eshelyaron.com ([107.175.124.16] helo=eshelyaron.com)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@eshelyaron.com>)
 id 1tGDb8-0006RO-5N; Wed, 27 Nov 2024 03:40:35 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=eshelyaron.com;
 s=mail; t=1732696832;
 bh=OkKK8ZYHjqXRm3MrwQStherH39rwf2uDM3AlRiTLxV4=;
 h=From:To:Cc:Subject:In-Reply-To:References:Date:From;
 b=ZM1KZMnmfV4w+YDAQchv1A2jOO8dJUo4U9TflfpxgSkUpuVWuwqK9sF4LKZZ6+UFt
 CC81Pg6D+RpIwCVe2HKRwjIFiCPnS8WDsNZh94YAWykovjxuNy6cbz1khyhpeAN2SA
 rzOe6pGhTz9fIQQZN+Z/jhgm6vv7PNep8fd4craXQ2sgcqgQg+XlPCNGZGrR3fx07Z
 prjnLEalZDDqxaHRtPHR8kEkj2I9IGNpZBPOD1miLC22UhTHU3FRZH3bktmP6hbh9J
 IkvKY2zE5kZoZiIospxzLI4Oa3oycW/4yru1cFegPXT46i1JhlsDGxejUtNSUYuk0z
 363q+5VG6J36Q==
In-Reply-To: <qq4rkpuoselwrytif2q3xlh6mnzq5kji6ihmaacqr6shxhjfke@sngkph5ac4ps>
 (Daniel Radetsky's message of "Tue, 26 Nov 2024 23:57:53 -0800")
Received-SPF: pass client-ip=107.175.124.16; envelope-from=me@eshelyaron.com;
 helo=eshelyaron.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.devel:325740
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/325740>

Hi Daniel,

Daniel Radetsky <dradetsky@gmail.com> writes:

> On Wed, Nov 27, 2024 at 08:02:35AM +0100, Eshel Yaron wrote:
>> Hi all,
>>=20
>> I've just published an advisory regarding an arbitrary code execution
>> vulnerability in Emacs, which has been assigned CVE-2024-53920:
>>=20
>> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-an=
d-how-to-avoid-it.html
>
> Slight correction: you wrote:
>
>> In some Emacs =E2=80=9Cdistributions=E2=80=9D, such as the popular Doom
>> Emacs and Prelude, either Flymake or Flycheck are enabled
>> by default in ELisp mode.
>
> This is not true of Doom, which I use. I had to modify my
> init form (which is the same as the current default in this
> respect) from
>
>        :checkers
>        syntax              ; tasing you for every semicolon you forget
>
> to
>
>        :checkers
>        (syntax +flymake)              ; tasing you for every semicolon yo=
u forget
>
> in order to get your rx poc to create /tmp/owned simply by
> visiting the file. This is the only doom module which can
> activate flymake.
>
> Is the same true of flycheck? It's harder to tell, but I
> think the answer is also no. In any case, while I didn't
> intentionally test this on the literal default
> configuration, I also never explicitly disabled flycheck and
> it isn't running and I had to make the above-mentioned
> change to get your poc to work.

Thanks for the heads up.  I have little experience with Doom, but here
with the default Doom configuration I see that Flycheck is enabled and
the POC works, so maybe it does have something to do with your config?

If you or someone else can confirm that Doom is not vulnerable by
default I'll gladly amend the text accordingly (and try to figure out
why here it does reproduce).


Cheers,

Eshel