From: Daniel Radetsky
Newsgroups: gmane.emacs.devel
Subject: Re: CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion
Date: Tue, 26 Nov 2024 23:57:53 -0800
To: Eshel Yaron
Cc: emacs-devel@gnu.org, Stefan Monnier, Stefan Kangas, Andrea Corallo, Eli Zaretskii
Xref: news.gmane.io gmane.emacs.devel:325739

On Wed, Nov 27, 2024 at 08:02:35AM +0100, Eshel Yaron wrote:
> Hi all,
>
> I've just published an advisory regarding an arbitrary code execution
> vulnerability in Emacs, which has been assigned CVE-2024-53920:
>
> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html

Slight correction: you wrote:

> In some Emacs “distributions”, such as the popular Doom
> Emacs and Prelude, either Flymake or Flycheck are enabled
> by default in ELisp mode.

This is not true of Doom, which I use.
I had to modify my init form (which is the same as the current default in this respect) from

    :checkers syntax             ; tasing you for every semicolon you forget

to

    :checkers (syntax +flymake)  ; tasing you for every semicolon you forget

in order to get your rx PoC to create /tmp/owned simply by visiting the file.

This is the only Doom module which can activate flymake. Is the same true of flycheck? It's harder to tell, but I think the answer is also no. In any case, while I didn't intentionally test this on the literal default configuration, I also never explicitly disabled flycheck, and it isn't running, and I had to make the above-mentioned change to get your PoC to work.

--dmr
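The gating condition in the message above is whether a checker minor mode comes on when a .el file is visited, because that is what lets macro expansion of the file's contents run without any explicit action by the user. The snippet below is an added example for probing that in your own configuration; it is not part of the original message and not Doom's or Emacs's own code. The function name `my/elisp-checkers-on-visit` and the contents of the probe file are assumptions for illustration. It visits a harmless temporary .el file through the normal `find-file` path, so `auto-mode-alist` and `emacs-lisp-mode-hook` run exactly as they would for an untrusted file, and reports which of `flymake-mode` and `flycheck-mode` ended up enabled. It does not reproduce the PoC.

```elisp
;; Added example, not code from the original message or from Doom Emacs.
;; Probe which on-the-fly checkers become active when this Emacs
;; configuration visits an Emacs Lisp file.  The function name `my/...'
;; and the probe file contents are assumptions for illustration.

(defun my/elisp-checkers-on-visit ()
  "Return the list of checker minor modes enabled on visiting a .el file.
Creates a harmless temporary .el file, visits it with the normal
`find-file' machinery (so `auto-mode-alist' and `emacs-lisp-mode-hook'
run as they would for a real file), records which of `flymake-mode' and
`flycheck-mode' are active in that buffer, then cleans up."
  (let* ((probe (make-temp-file "checker-probe-" nil ".el"
                                ";; constructed probe file; contains no code\n"))
         (buf (find-file-noselect probe)))
    (unwind-protect
        (with-current-buffer buf
          (delq nil
                (list (and (bound-and-true-p flymake-mode) 'flymake-mode)
                      (and (bound-and-true-p flycheck-mode) 'flycheck-mode))))
      ;; Kill the buffer before deleting the file so no checker is left
      ;; running against a path that no longer exists.
      (kill-buffer buf)
      (delete-file probe))))

;; Evaluate this inside the configuration you actually use (M-: or from
;; *scratch*); `emacs -Q' skips the init file and always reports nil.
;; nil means no checker runs on visiting a .el file under this setup;
;; (flymake-mode) or (flycheck-mode) means merely opening an untrusted
;; .el file triggers a check, which is the condition the advisory is about.
(my/elisp-checkers-on-visit)
```

With a stock Doom `:checkers syntax` line this returns nil, matching the observation in the message; after switching to `:checkers (syntax +flymake)` it returns `(flymake-mode)`. A non-nil result is the signal that you should either disable the checker in `emacs-lisp-mode` or apply the mitigation from the advisory before opening .el files you did not write.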