From: Adam Plaice
Newsgroups: gmane.emacs.bugs,gmane.emacs.devel
Subject: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Date: Wed, 16 Oct 2019 02:35:58 +0200
To: Stefan Kangas
Cc: 37656@debbugs.gnu.org, Emacs developers

> Here is a more complete patch. Does it look like the right fix?

This indeed fixes the issue! Thanks for dealing with it so quickly!
(Though I'm obviously not qualified to say whether it's _the_ right
fix for this.)

> I think the relevant node in the documentation is:
> (info "(emacs)Choosing Modes")

That, and part of:

(info "(emacs)Specifying File Variables")

Unfortunately, I've realised that a similar problem can be introduced
with directory variables. (Should I file a separate bug for this as it's
closely related but not quite the same?) This requires at least two
files, so it's not quite as serious:

In .dir-locals.el:

    ((nil . ((mode . flymake))))

In, say, foobar, in the same directory:

    -*- mode: emacs-lisp -*-
    (eval-when-compile
      (with-temp-file "~/emacs_flymake_security_bug"
        (insert "Could have also executed any code.")))

(Some other, equivalent arrangements (e.g. (mode . emacs-lisp)
directly in .dir-locals.el), or simply an .el extension, also "work".)

According to the manual (info "(emacs)Directory Variables"):

> The special ‘mode’ element specifies the minor mode to be
> enabled. So ‘(mode . auto-fill)’ specifies that the minor mode
> ‘auto-fill-mode’ needs to be enabled.

so in this case setting the minor mode _is_ the intended/documented
behaviour, which might make resolving the bug harder.

(OTOH (info "(emacs)Directory Variables") also states:

> You can specify the variables ‘mode’, ‘eval’, and ‘unibyte’ in your
> ‘.dir-locals.el’, and they have the same meanings as they would have in
> file local variables.

while (info "(emacs)Specifying File Variables") says:

> The special variable/value pair ‘mode:
> MODENAME;’, if present, specifies a major mode.

so there's some inconsistency on what `mode' in .dir-locals.el is
actually "supposed" to specify — a major mode, a minor mode or
either.)

Thanks,

Adam
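
Added example (not part of the message above, and not Emacs code): a Python check that lists every `mode` and `eval` element in a `.dir-locals.el` without evaluating it, so a directory can be reviewed before its files are opened in Emacs. The function names and the simplified Lisp reader (no character literals or backquote) are assumptions made here.

```python
import re

# Simplified Lisp tokens: comment, paren, string, or a run of other characters.
TOKEN = re.compile(r';[^\n]*|\(|\)|"(?:\\.|[^"\\])*"|[^\s()";]+')
SPECIAL = ("mode", "eval")  # elements Emacs acts on instead of setting a variable

def parse(text):
    """Read Lisp text into nested lists without evaluating it; atoms stay strings."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack[-2].append(stack.pop())
        elif not tok.startswith(";"):  # skip comments, keep atoms
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def cdr(pair):
    """(a . b) -> b; (a b c) -> [b, c], as the Lisp reader treats both forms."""
    if pair[1:2] == ["."]:
        return pair[2] if len(pair) == 3 else pair[2:]
    return pair[1:]

def show(node):
    return node if isinstance(node, str) else "(" + " ".join(map(show, node)) + ")"

def scan(classes, scope=()):
    """Walk (KEY . ALIST) entries; a string KEY (subdirectory) nests another list."""
    found = []
    for entry in classes:
        if not (isinstance(entry, list) and entry and isinstance(entry[0], str)):
            continue
        key, value = entry[0], cdr(entry)
        if key.startswith('"') and isinstance(value, list):
            found += scan(value, scope + (key.strip('"'),))
        elif isinstance(value, list):
            found += [("/".join(scope) or ".", key, v[0], show(cdr(v)))
                      for v in value if isinstance(v, list) and v and v[0] in SPECIAL]
    return found

def audit_dir_locals(text):
    forms = parse(text)
    return scan(forms[0]) if forms and isinstance(forms[0], list) else []

PAGE_SAMPLE = "((nil . ((mode . flymake))))"  # the .dir-locals.el from the message
```

Each result is a (subdirectory, major-mode key, element, value) tuple; `audit_dir_locals(PAGE_SAMPLE)` reports the `flymake` entry under the `nil` key.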