From: Demi Obenour
Newsgroups: gmane.emacs.bugs
Subject: bug#19350: #19350 24.4; Incorrect quoting of %-signs for Windows command shell
Date: Sun, 14 Aug 2016 20:44:17 -0400
References: <87k2fmyg16.fsf@users.sourceforge.net>
To: Noam Postavsky
Cc: 19350@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: wontfix confirmed

We don't know what this is being used for. For all we know, someone has written an Emacs plugin that passes a file with an attacker-controlled basename (ex. downloaded from the Internet) and uses this function to escape the filename before passing it to an external command, and in a context where there are unbalanced double quotes (say) in a known env var. Result: remote execution of arbitrary code.

On Aug 11, 2016 8:41 PM, <npostavs@users.sourceforge.net> wrote:
Demi Obenour <demiobenour@gmail.com> writes:

> I think that this needs to be fixed 100% — it is a security issue.

Doesn't it require the attacker to already control Emacs' environment?
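
Added example (not part of the original message and not Emacs code): a simplified Python model of the scenario described in the message, where cmd.exe expands %VAR% before it interprets double quotes, so a quoted file name can change or lose its quote balance. The quoter, the environment and the file names are constructed for illustration.

```python
import re

# Simplified model of cmd.exe percent expansion on a command line: %NAME% is
# replaced with the variable's value BEFORE double quotes are interpreted, so
# quoting an argument does not stop it. Undefined names are left as typed.
# Not modelled: %NAME:~0,3% / %NAME:a=b% forms and delayed expansion (!NAME!).
_PCT_VAR = re.compile(r"%([^%]+)%")


def cmd_percent_expand(text, env):
    """Return `text` after (simplified) cmd.exe %VAR% expansion."""
    by_upper = {k.upper(): v for k, v in env.items()}  # names ignore case
    return _PCT_VAR.sub(lambda m: by_upper.get(m.group(1).upper(), m.group(0)), text)


def naive_quote(arg):
    """Hypothetical quoter: wraps in double quotes and ignores % entirely.
    (Windows file names cannot contain a double quote themselves.)"""
    return '"' + arg + '"'


def check_argument(arg, env):
    """Classify what expansion does to the quoted argument in this environment:
    'ok' (unchanged), 'altered' (text changes, quote count stays even) or
    'breaks-quoting' (expansion leaves an odd number of double quotes)."""
    quoted = naive_quote(arg)
    expanded = cmd_percent_expand(quoted, env)
    if expanded == quoted:
        return "ok"
    return "breaks-quoting" if expanded.count('"') % 2 else "altered"


def has_percent_pair(arg):
    """Conservative guard that does not depend on the environment:
    flags any %...% pair that cmd.exe could treat as a variable reference."""
    return _PCT_VAR.search(arg) is not None


# Constructed sample data (not taken from the bug report).
SAMPLE_ENV = {"USERNAME": "alice", "NOTE": 'say "hi'}
SAMPLE_NAMES = ["report.txt", "100%.txt", "%username%.txt", "log-%NOTE%.txt"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict = check_argument(name, SAMPLE_ENV)
        print(f"{name!r:20} {verdict:15} guard={has_percent_pair(name)}")
```

The environment-independent guard matters because the caller usually cannot know which variables will be defined where the command finally runs.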