From: Eli Zaretskii
Newsgroups: gmane.emacs.devel
Subject: [mwelinder@gmail.com: Emacs security bug]
Date: Sat, 10 May 2008 00:44:44 +0300
Reply-To: Eli Zaretskii
To: emacs-devel@gnu.org

------- Start of forwarded message -------
Date: Fri, 9 May 2008 12:45:25 -0400
From: "Morten Welinder"
To: eliz@gnu.org
Subject: Emacs security bug

Hi there,

it's been a while or two -- DJGPP was hot, new technology when we last
spoke, :-)

It's unclear to me where to send Emacs security concerns, so I am
sending this one to you.  Please forward appropriately.

1. Create .emacs with contents

   (global-font-lock-mode t)
   (setq font-lock-support-mode 'fast-lock-mode)

2. Create foo.c with contents

   /* Nothing to see here */

3. Create foo.c.flc with contents

   (message "Something to see here!")

4. Start Emacs and load foo.c

--> Observe that code from foo.c.flc is run.  Not good.

(This is with Emacs 21.3.1; XEmacs is also affected, although step 1
needs to be adjusted.)

Suggestions:

a. Remove "." from fast-lock-cache-directories.  Littering little files
   everywhere is not a good idea anyway.

b. Don't use load to handle the .flc file.  Instead read it into a
   buffer and read one s-expression at a time and verify that it is
   sane before evaluating it.

c. Don't use files owned by anyone else.  This cannot stand alone,
   though, as it has a race condition.

Morten Welinder
------- End of forwarded message -------
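
A sketch of suggestions (b) and (c) from the forwarded report, as an added example that is not Emacs's or fast-lock's own code. It assumes a cache file holds only calls to one known function with constant arguments; every `demo-cache-*` name and that file format are hypothetical, and `proper-list-p` needs Emacs 27 or later.

```elisp
(require 'cl-lib)
(defvar demo-cache-loaded nil "Data accepted from cache files.")
(defun demo-cache-data (&rest data)
  "Hypothetical cache entry point: record DATA, treat it only as data."
  (push data demo-cache-loaded))

(defun demo-cache-constant-p (form)
  "Non-nil if FORM is a self-evaluating atom or a (quote X) form."
  (or (null form) (eq form t) (keywordp form) (numberp form) (stringp form)
      (and (eq (car-safe form) 'quote)
           (consp (cdr form)) (null (cddr form)))))

(defun demo-cache-form-sane-p (form)
  "Non-nil if FORM is exactly (demo-cache-data CONSTANT...)."
  (and (eq (car-safe form) 'demo-cache-data)
       (proper-list-p (cdr form))
       (cl-every #'demo-cache-constant-p (cdr form))))

(defun demo-cache-read-forms (file)
  "Return FILE's forms if every one is sane, else nil.  Evaluates nothing."
  (let ((attrs (file-attributes file 'integer)))
    ;; Suggestion (c): regular file owned by us.  Advisory only, since the
    ;; file can be swapped between this check and the read below.
    (when (and attrs (null (file-attribute-type attrs))
               (eql (file-attribute-user-id attrs) (user-uid)))
      (with-temp-buffer
        (insert-file-contents-literally file) ; no format conversion or hooks
        (set-syntax-table emacs-lisp-mode-syntax-table)
        (goto-char (point-min))
        (condition-case nil
            (let (forms)
              ;; Suggestion (b): one s-expression at a time, checked first.
              (while (progn (forward-comment (buffer-size)) (not (eobp)))
                (let ((form (read (current-buffer))))
                  (unless (demo-cache-form-sane-p form)
                    (error "Unexpected form in %s" file))
                  (push form forms)))
              (nreverse forms))
          (error nil))))))

(defun demo-cache-load (file)
  "Pass validated constants from FILE to `demo-cache-data'; no `load', no `eval'."
  (dolist (form (demo-cache-read-forms file))
    (apply #'demo-cache-data
           (mapcar (lambda (arg) (if (consp arg) (cadr arg) arg)) (cdr form)))))

;; Constructed inputs: a data-only form passes, the form from step 3 does not.
(cl-assert (demo-cache-form-sane-p '(demo-cache-data 3 '(18468 1) "foo.c")))
(cl-assert (not (demo-cache-form-sane-p '(message "Something to see here!"))))
```

Because the whole file is rejected on the first unexpected or unreadable form, the validation holds even when the ownership check loses the race that suggestion (c) mentions.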