From: adam plaice
Newsgroups: gmane.emacs.bugs
Subject: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Date: Tue, 15 Oct 2019 23:05:01 +0200
To: emacs-devel@gnu.org
Cc: 37656@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Since the bug allows an attacker to execute arbitrary code if the victim opens a payload file, and hence opening any file from an untrusted source becomes dangerous, it seems to be rather serious.

The bug relies on the fact that flymake-mode can execute arbitrary code, that minor modes (in particular, flymake-mode) can be set with local variables (with `mode:') and that when a minor-mode is set in this way, the major-mode is not unset. (See the linked bug or below for details.)

I'm not sure whether I should be bringing greater attention to it, but given that it's already in the open, and malicious actors can find it (or just come up with it themselves, as it's not a particularly complex idea), increasing the likelihood of getting it fixed hopefully outweighs the disadvantages.

I'd offer to provide a patch, but I'm neither very proficient with Emacs lisp, nor a security expert.
I also haven't signed any copyright papers.

Some thoughts on potential solutions (from a well-intentioned, but possibly misguided layman):

AFAICT the easiest way to prevent this specific bug would be to prevent more than one mode being set by the file and directory local-variables machinery.

Perhaps also only allowing major modes to be set with `mode' in local variables (and only allowing minor-modes to be set with `eval', as is already encouraged in the manual), might decrease the "attack surface" for similar such attacks.

I'm not sure whether any major modes are "unsafe" (in the way flymake is), but possibly it might make sense to mark major modes as safe, similarly to the way variables are, though that would be a far more extensive change.

Thank you,
Adam

PS Should Emacs have some policies on reporting security issues? I was encouraged (via an earlier e-mail exchange) to post the bug to debbugs, as normal, but it might perhaps be useful if the process (specifically for security vulnerabilities, not bugs in general) were mentioned in the manual.

> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=37656
>
> * To reproduce:
>
> 1. Create a file, say `~/foobar', (it could have an arbitrary
> extension) with the following contents:
>
> -*- mode: emacs-lisp; mode: flymake -*-
>
> (eval-when-compile
>   (with-temp-file "~/emacs_flymake_security_bug"
>     (insert "Could have also executed any code.")))
>
> 2. Open the file with emacs:
>
> emacs -Q ~/foobar
>
> 3. Inspect ~/emacs_flymake_security_bug:
>
> cat ~/emacs_flymake_security_bug
>
> * Expected result
>
> ~/emacs_flymake_security_bug does not exist.
>
> * Actual result
>
> ~/emacs_flymake_security_bug does exist.
>
> * Further information
>
> This relies on the "deprecated" feature of allowing `mode: ' to be
> repeated more than once, to also specify minor modes. Just having:
>
> -*- mode: flymake -*-
>
> in, say, `~/foobar.el' would not trigger the security bug. There may,
> however, be alternative ways of triggering it, that I haven't come up
> with.
>
>
> This was "inspired" by a very similar bug (concerning an external
> package, editorconfig), described here:
>
> https://illikainen.dev/blog/2019-10-06-editorconfig
>
> Thank you and best regards,
> Adam
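As an added illustration (not code from the bug report or from Emacs itself), a small Python checker that reads the `-*- ... -*-' prop line the way the report describes Emacs honouring it and flags the repeated `mode:' pattern, i.e. the check the first proposed mitigation would enforce. The sample file contents and the UNSAFE_MINOR_MODES set are constructed assumptions; the trailing `Local Variables:' block is not parsed.

```python
import re
from typing import List, Tuple

# Constructed sample: the two-`mode:' prop line from the report. The second
# `mode:' enables the flymake minor mode without unsetting emacs-lisp-mode.
SAMPLE_PAYLOAD = """-*- mode: emacs-lisp; mode: flymake -*-
(eval-when-compile (message "runs when the buffer is byte-compiled"))
"""

PROP_LINE = re.compile(r"-\*-\s*(.*?)\s*-\*-")
PAIR = re.compile(r"^\s*([^:\s]+)\s*:\s*(.*?)\s*$")
# Minor modes the report treats as able to run code once enabled
# (assumption: extend with any other mode you consider unsafe).
UNSAFE_MINOR_MODES = {"flymake"}


def prop_line_settings(text: str) -> List[Tuple[str, str]]:
    """Return the (name, value) pairs Emacs would read from the prop line."""
    lines = text.splitlines()
    # Emacs takes the prop line from line 1, or line 2 after a `#!' line.
    if lines and lines[0].startswith("#!"):
        lines = lines[1:]
    match = PROP_LINE.search(lines[0]) if lines else None
    if not match or not match.group(1):
        return []
    body = match.group(1)
    if ":" not in body:  # bare `-*- foo -*-' is shorthand for `mode: foo'
        return [("mode", body.strip())]
    pairs = []
    for item in body.split(";"):
        pm = PAIR.match(item)
        if pm:
            pairs.append((pm.group(1), pm.group(2)))
    return pairs


def audit(text: str) -> List[str]:
    """Findings for the file-local `mode:' patterns the report describes."""
    modes = [v.lower() for k, v in prop_line_settings(text) if k == "mode"]
    findings = []
    if len(modes) > 1:
        findings.append(f"repeated mode: {modes}; entries after the first "
                        "enable minor modes without unsetting the major mode")
    for mode in modes:
        if mode in UNSAFE_MINOR_MODES:
            findings.append(f"mode: {mode} enables a minor mode that can run code")
    return findings
```

Running `audit` over files before opening them from an untrusted source gives two findings for the sample above and none for a plain `-*- mode: emacs-lisp -*-' line.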