* Emacs Arbitrary Code Execution and How to Avoid It @ 2024-12-03 17:53 Christopher Howard 2024-12-03 19:20 ` Gerd Möllmann ` (2 more replies) 0 siblings, 3 replies; 29+ messages in thread From: Christopher Howard @ 2024-12-03 17:53 UTC (permalink / raw) To: Emacs Devel Mailing List Hi, I read the interesting write up here: https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html I wasn't terribly worried about this, as I don't *automatically* activate Flymake or Flycheck. But the article did mention that "code completion runs arbitrary code", and I was wondering more about that. I do not currently use Completion Preview mode. I have used Company in the past but company-mode is not currently activated. So, if I am just viewing an elisp file, i.e., not typing anything it in, nor running dabbrev commands, is there any danger? Should I setup Emacs to, by default, open all elisp files in View Mode? Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion. I was going to e-mail the author of the post, but cloudflare won't let me see his e-mail address. -- 📛 Christopher Howard 🚀 gemini://gem.librehacker.com 🌐 http://gem.librehacker.com בראשית ברא אלהים את השמים ואת הארץ ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-03 17:53 Emacs Arbitrary Code Execution and How to Avoid It Christopher Howard @ 2024-12-03 19:20 ` Gerd Möllmann 2024-12-03 20:25 ` Eshel Yaron 2024-12-06 4:47 ` Richard Stallman 2024-12-04 9:39 ` Jean Louis 2024-12-06 4:47 ` Richard Stallman 2 siblings, 2 replies; 29+ messages in thread From: Gerd Möllmann @ 2024-12-03 19:20 UTC (permalink / raw) To: Christopher Howard; +Cc: Emacs Devel Mailing List, me Christopher Howard <christopher@librehacker.com> writes: > Hi, I read the interesting write up here: > > https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html > > I wasn't terribly worried about this, as I don't *automatically* > activate Flymake or Flycheck. But the article did mention that "code > completion runs arbitrary code", and I was wondering more about that. > I do not currently use Completion Preview mode. I have used Company in > the past but company-mode is not currently activated. So, if I am just > viewing an elisp file, i.e., not typing anything it in, nor running > dabbrev commands, is there any danger? Should I setup Emacs to, by > default, open all elisp files in View Mode? > > Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion. > > I was going to e-mail the author of the post, but cloudflare won't let me see his e-mail address. There is an envelope icon in the top right (CC'd). ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-03 19:20 ` Gerd Möllmann @ 2024-12-03 20:25 ` Eshel Yaron 2024-12-08 5:10 ` Richard Stallman 2024-12-06 4:47 ` Richard Stallman 1 sibling, 1 reply; 29+ messages in thread From: Eshel Yaron @ 2024-12-03 20:25 UTC (permalink / raw) To: Gerd Möllmann; +Cc: Christopher Howard, Emacs Devel Mailing List Hi, Gerd Möllmann <gerd.moellmann@gmail.com> writes: > Christopher Howard <christopher@librehacker.com> writes: > >> Hi, I read the interesting write up here: >> >> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html >> >> I wasn't terribly worried about this, as I don't *automatically* >> activate Flymake or Flycheck. But the article did mention that "code >> completion runs arbitrary code", and I was wondering more about that. >> I do not currently use Completion Preview mode. I have used Company in >> the past but company-mode is not currently activated. So, if I am just >> viewing an elisp file, i.e., not typing anything it in, nor running >> dabbrev commands, is there any danger? Probably not, but this really depends on the specifics of your setup. Namely, the "danger" comes from macro-expanding untrusted code, so if you don't do anything that involves expanding macros, then you're fine. Regarding completion in particular: ELisp mode adds a function elisp-completion-at-point to completion-at-point-functions, so whatever completion mechanism you use that runs completion-at-point-functions may call elisp-completion-at-point. Now, when elisp-completion-at-point thinks that variable names are appropriate completion candidates at the current position, it returns a completion table that, among other things, expands macros when the completion mechanism queries it. So it comes down to whether or not you "trigger completion", and exactly where. Again, which actions trigger completion and which don't depend on your specific setup. >> Should I setup Emacs to, by default, open all elisp files in View >> Mode? Not necessarily. First, editing files that you control and/or trust remains perfectly safe: no need to for such measures in you own config, for example. Second, you can trigger macro-expansion (and therefore run into risk in case of a malicious file) even if you do enable View mode: for example, the elisp-def package sometimes expands macros when you use it to jump to a symbol's definition. >> Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion. I don't think dabbrev expands macros. Best, Eshel ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-03 20:25 ` Eshel Yaron @ 2024-12-08 5:10 ` Richard Stallman 0 siblings, 0 replies; 29+ messages in thread From: Richard Stallman @ 2024-12-08 5:10 UTC (permalink / raw) To: Eshel Yaron; +Cc: gerd.moellmann, christopher, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] Thanks for sending a clear description of what leads up to the failure. > Regarding completion in particular: ELisp mode adds a function > elisp-completion-at-point to completion-at-point-functions, so whatever > completion mechanism you use that runs completion-at-point-functions may > call elisp-completion-at-point. Now, when elisp-completion-at-point > thinks that variable names are appropriate completion candidates at the > current position, it returns a completion table that, among other things, > expands macros when the completion mechanism queries it. However, the crucial poiht seems not to be included. It appears that something reads and evals macro definitions automatically. Is that true? If so, what triggers that -- and what fix can prevent it? -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-03 19:20 ` Gerd Möllmann 2024-12-03 20:25 ` Eshel Yaron @ 2024-12-06 4:47 ` Richard Stallman 2024-12-06 8:30 ` Eli Zaretskii 1 sibling, 1 reply; 29+ messages in thread From: Richard Stallman @ 2024-12-06 4:47 UTC (permalink / raw) To: Gerd Möllmann; +Cc: emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] This sounds like a grave problem, that we had better correct ASAP. Can we reproduce it? Can we see how it happens that Emacs evals code that the user did not specifically say to eval? Users writing Lisp code can cause any sort of vulnerability and it is no use trying to prevent that. But I think we should make sure that no use of advertised features will eval code that the user did specifically say to eval. -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-06 4:47 ` Richard Stallman @ 2024-12-06 8:30 ` Eli Zaretskii 2024-12-09 4:57 ` Richard Stallman 0 siblings, 1 reply; 29+ messages in thread From: Eli Zaretskii @ 2024-12-06 8:30 UTC (permalink / raw) To: rms; +Cc: gerd.moellmann, emacs-devel > From: Richard Stallman <rms@gnu.org> > Cc: emacs-devel@gnu.org > Date: Thu, 05 Dec 2024 23:47:01 -0500 > > This sounds like a grave problem, that we had better correct ASAP. A solution is in the works. ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-06 8:30 ` Eli Zaretskii @ 2024-12-09 4:57 ` Richard Stallman 2024-12-09 13:59 ` Eli Zaretskii 0 siblings, 1 reply; 29+ messages in thread From: Richard Stallman @ 2024-12-09 4:57 UTC (permalink / raw) To: Eli Zaretskii; +Cc: gerd.moellmann, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > A solution is in the works. Would you please post a brief summary of the planned fix? -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-09 4:57 ` Richard Stallman @ 2024-12-09 13:59 ` Eli Zaretskii 0 siblings, 0 replies; 29+ messages in thread From: Eli Zaretskii @ 2024-12-09 13:59 UTC (permalink / raw) To: rms; +Cc: gerd.moellmann, emacs-devel > From: Richard Stallman <rms@gnu.org> > Cc: gerd.moellmann@gmail.com, emacs-devel@gnu.org > Date: Sun, 08 Dec 2024 23:57:59 -0500 > > > A solution is in the works. > > Would you please post a brief summary of the planned fix? I don't think it's wise to post that publicly, at least not yet. ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-03 17:53 Emacs Arbitrary Code Execution and How to Avoid It Christopher Howard 2024-12-03 19:20 ` Gerd Möllmann @ 2024-12-04 9:39 ` Jean Louis 2024-12-04 15:04 ` Steven Allen 2024-12-06 4:47 ` Richard Stallman 2 siblings, 1 reply; 29+ messages in thread From: Jean Louis @ 2024-12-04 9:39 UTC (permalink / raw) To: Christopher Howard; +Cc: Emacs Devel Mailing List * Christopher Howard <christopher@librehacker.com> [2024-12-03 20:56]: > Hi, I read the interesting write up here: > > https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html > > I wasn't terribly worried about this, as I don't *automatically* activate Flymake or Flycheck. But the article did mention that "code completion runs arbitrary code", and I was wondering more about that. I do not currently use Completion Preview mode. I have used Company in the past but company-mode is not currently activated. So, if I am just viewing an elisp file, i.e., not typing anything it in, nor running dabbrev commands, is there any danger? Should I setup Emacs to, by default, open all elisp files in View Mode? > > Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion. > > I was going to e-mail the author of the post, but cloudflare won't let me see his e-mail address. In every programming language it is possible to obscure the code and execute arbitrary code. I do not see it as special security issue, it is common, known. -- Jean Louis ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-04 9:39 ` Jean Louis @ 2024-12-04 15:04 ` Steven Allen 2024-12-04 17:02 ` Jean Louis 0 siblings, 1 reply; 29+ messages in thread From: Steven Allen @ 2024-12-04 15:04 UTC (permalink / raw) To: Jean Louis, Christopher Howard; +Cc: Emacs Devel Mailing List Jean Louis <bugs@gnu.support> writes: > In every programming language it is possible to obscure the code and execute arbitrary code. > > I do not see it as special security issue, it is common, known. > > -- > Jean Louis Yes, but opening random text files shouldn't execute arbitrary code. The concern here is that someone can: 1. Create some "document.txt" file. 2. Start it with ";; -*- mode: emacs-lisp -*-". 3. Include a macro that executes some malicious lisp code. 4. Send it to some unsuspecting victim. Opening this file will run arbitrary code if flymake is enabled for emacs-lisp files, even though the file looks like it should be an innocent ".txt" file. ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-04 15:04 ` Steven Allen @ 2024-12-04 17:02 ` Jean Louis 2024-12-04 17:23 ` Christopher Howard 2024-12-07 4:23 ` Richard Stallman 0 siblings, 2 replies; 29+ messages in thread From: Jean Louis @ 2024-12-04 17:02 UTC (permalink / raw) To: Steven Allen; +Cc: Christopher Howard, Emacs Devel Mailing List * Steven Allen <steven@stebalien.com> [2024-12-04 18:05]: > > Jean Louis <bugs@gnu.support> writes: > > In every programming language it is possible to obscure the code and execute arbitrary code. > > > > I do not see it as special security issue, it is common, known. > > > > -- > > Jean Louis > > Yes, but opening random text files shouldn't execute arbitrary code. The > concern here is that someone can: > > 1. Create some "document.txt" file. > 2. Start it with ";; -*- mode: emacs-lisp -*-". > 3. Include a macro that executes some malicious lisp code. > 4. Send it to some unsuspecting victim. > > Opening this file will run arbitrary code if flymake is enabled for > emacs-lisp files, even though the file looks like it should be an > innocent ".txt" file. I get it, though similar concepts are in many editors. As you said, "if flymake is enabled" which means that user enabling flymake should get informed of it. There is myriad of packages that can be created, so "if" they are enabled to do specific things on specific triggers that does not constitute and serious "security hole". It is all conditional, and there are many conditions that may provide an open door for malicious friends to execute whatever code. It is anyway coming by spam. It requires 21st century literacy to recognize something is wrong. We talk hypothetically, so far there is zero victims, nothing happened, no damage, just sensationalism. -- Jean Louis ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-04 17:02 ` Jean Louis @ 2024-12-04 17:23 ` Christopher Howard 2024-12-07 4:23 ` Richard Stallman 1 sibling, 0 replies; 29+ messages in thread From: Christopher Howard @ 2024-12-04 17:23 UTC (permalink / raw) To: Steven Allen; +Cc: Emacs Devel Mailing List Jean Louis <bugs@gnu.support> writes: > I get it, though similar concepts are in many editors. As you said, > "if flymake is enabled" which means that user enabling flymake should > get informed of it. There is myriad of packages that can be created, > so "if" they are enabled to do specific things on specific triggers > that does not constitute and serious "security hole". It is all > conditional, and there are many conditions that may provide an open > door for malicious friends to execute whatever code. It is anyway > coming by spam. It requires 21st century literacy to recognize > something is wrong. We talk hypothetically, so far there is zero > victims, nothing happened, no damage, just sensationalism. It seems like a "significant" concern, if maybe not a "serious" one. I highly doubt I would every be caught in this way by a spam e-mail attachment. But something I do very frequently is clone random repositories, including obscure new packages and advertised init.el code, and peruse through the elisp code with my Emacs editor. I don't think it is sensational to wonder about whether simply inspecting the code file (find-file) is going to allow for immediate code execution that could do things like delete my ssh keys or paste them to a bin Web site. With directory local variables, there is a mechanism in place that asks you first if you want to apply the variables. So this sort of thing has been considered a valid concern. Perhaps, at the moment, a vanilla Emacs setup does not trigger this, but it is something users should be aware of as they are considering various features to enable or install. If completion-preview-mode activates this, which is a built-in feature, that seems worthy of note. And maybe some mitigation could be programmed into Emacs — I'm not sure. -- Christopher Howard ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-04 17:02 ` Jean Louis 2024-12-04 17:23 ` Christopher Howard @ 2024-12-07 4:23 ` Richard Stallman 2024-12-10 18:03 ` Daniel Radetsky 1 sibling, 1 reply; 29+ messages in thread From: Richard Stallman @ 2024-12-07 4:23 UTC (permalink / raw) To: Jean Louis; +Cc: steven, christopher, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > I get it, though similar concepts are in many editors. As you said, > "if flymake is enabled" which means that user enabling flymake should > get informed of it. I firmly disagree. For Emacs to spontaneously execute code in files that users did not say should be executed is simply unaccetable. Warning users that this may happen is not sufficient -- we need to _fix_ the problem. I have never used Flymake, so I can't suggest, so I can't propose a fix that would seem reasonable ot users of Flymake. But I think it should involve somehow explicitly specifying the namss of all files that Flymaoe can treat as Elisp source to be loaded automatically. If a file has not been labeled that way, Flymake should never spontaneously load any of that file. WDPT? -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-07 4:23 ` Richard Stallman @ 2024-12-10 18:03 ` Daniel Radetsky 2024-12-11 8:35 ` Eshel Yaron 2024-12-12 4:48 ` Richard Stallman 0 siblings, 2 replies; 29+ messages in thread From: Daniel Radetsky @ 2024-12-10 18:03 UTC (permalink / raw) To: Richard Stallman; +Cc: Jean Louis, steven, christopher, emacs-devel On Fri, Dec 06, 2024 at 11:23:20PM -0500, Richard Stallman wrote: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > > I get it, though similar concepts are in many editors. As you said, > > "if flymake is enabled" which means that user enabling flymake should > > get informed of it. > > I firmly disagree. For Emacs to spontaneously execute code in files > that users did not say should be executed is simply unaccetable. As I understand it, the issue is that the user has already said "execute elisp code in any elisp-mode files," and that it is common for the user to have said this. This is why the reporter mentioned that popular emacs distros like doom enable this behavior by default. I don't believe there was any suggestion that vanilla emacs allowed this. > Warning users that this may happen is not sufficient -- we need to > _fix_ the problem. If the user has already asked emacs to execute elisp, the only thing that could IMO count as a fix is to _prevent_ them from doing this. Or at least to require that they reconfirm that this is what they want when emacs wants to execute the elisp, like with disabled commands. ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-10 18:03 ` Daniel Radetsky @ 2024-12-11 8:35 ` Eshel Yaron 2024-12-11 9:25 ` Jean Louis 2024-12-12 4:48 ` Richard Stallman 1 sibling, 1 reply; 29+ messages in thread From: Eshel Yaron @ 2024-12-11 8:35 UTC (permalink / raw) To: Daniel Radetsky Cc: Richard Stallman, Jean Louis, steven, christopher, emacs-devel Hi, Daniel Radetsky <dradetsky@gmail.com> writes: > On Fri, Dec 06, 2024 at 11:23:20PM -0500, Richard Stallman wrote: >> [[[ To any NSA and FBI agents reading my email: please consider ]]] >> [[[ whether defending the US Constitution against all enemies, ]]] >> [[[ foreign or domestic, requires you to follow Snowden's example. ]]] >> >> > I get it, though similar concepts are in many editors. As you said, >> > "if flymake is enabled" which means that user enabling flymake should >> > get informed of it. >> >> I firmly disagree. For Emacs to spontaneously execute code in files >> that users did not say should be executed is simply unaccetable. > > As I understand it, the issue is that the user has already > said "execute elisp code in any elisp-mode files," and that > it is common for the user to have said this. That's not quite right. Users do not say "execute arbitrary ELisp in any elisp-mode buffer". They often say something like "diagnose issues (e.g. with Flymake) in all such buffers". The fact that this feature involves arbitrary code execution is a security defect, not a necessity. Moreover, Emacs never mentions (in the docs, warnings, or otherwise) that using this feature comes with the risk of arbitrary code execution. > This is why the reporter mentioned that popular emacs distros like > doom enable this behavior by default. I don't believe there was any > suggestion that vanilla emacs allowed this. Not exactly: even in "vanilla" emacs -Q, macro expansion is unsafe, and important features rely on macro expansion. emacs -Q is only safer in the sense that it doesn't enable these important features automatically. But they remain important for anybody that actually wants to use Emacs to edit ELisp. >> Warning users that this may happen is not sufficient -- we need to >> _fix_ the problem. > > If the user has already asked emacs to execute elisp, the > only thing that could IMO count as a fix is to _prevent_ > them from doing this. Or at least to require that they > reconfirm that this is what they want when emacs wants to > execute the elisp, like with disabled commands. Emacs could (and should) facilitate safe macro expansion, so features that require macro expansion could carry on without exposing the user to such hazards. Safe macro expansion means restricting the set of things that macros can do (sandboxing), such as denying network access. For example, SWI-Prolog has a nice safe mode for executing untrusted code, see https://www.swi-prolog.org/pldoc/doc/_SWI_/library/sandbox.pl Best, Eshel ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-11 8:35 ` Eshel Yaron @ 2024-12-11 9:25 ` Jean Louis 2024-12-11 9:37 ` Daniel Radetsky 0 siblings, 1 reply; 29+ messages in thread From: Jean Louis @ 2024-12-11 9:25 UTC (permalink / raw) To: Eshel Yaron; +Cc: emacs-devel * Eshel Yaron <me@eshelyaron.com> [2024-12-11 11:37]: > That's not quite right. Users do not say "execute arbitrary ELisp in > any elisp-mode buffer". They often say something like "diagnose issues > (e.g. with Flymake) in all such buffers". The fact that this feature > involves arbitrary code execution is a security defect, not a necessity. > Moreover, Emacs never mentions (in the docs, warnings, or otherwise) > that using this feature comes with the risk of arbitrary code execution. Send me the working example of dangerous macro, that I can see how it works, thank you. Make -- Jean Louis ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-11 9:25 ` Jean Louis @ 2024-12-11 9:37 ` Daniel Radetsky 2024-12-11 10:38 ` Jean Louis 0 siblings, 1 reply; 29+ messages in thread From: Daniel Radetsky @ 2024-12-11 9:37 UTC (permalink / raw) To: Jean Louis; +Cc: emacs-devel On Wed, Dec 11, 2024 at 12:25:24PM +0300, Jean Louis wrote: > Send me the working example of dangerous macro, that I can see how it > works, thank you. Make (rx (eval (call-process "touch" nil nil nil "/tmp/owned"))) see also: https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-11 9:37 ` Daniel Radetsky @ 2024-12-11 10:38 ` Jean Louis 2024-12-11 10:42 ` tomas 2024-12-11 12:50 ` Daniel Radetsky 0 siblings, 2 replies; 29+ messages in thread From: Jean Louis @ 2024-12-11 10:38 UTC (permalink / raw) To: Daniel Radetsky; +Cc: emacs-devel * Daniel Radetsky <dradetsky@gmail.com> [2024-12-11 12:37]: > On Wed, Dec 11, 2024 at 12:25:24PM +0300, Jean Louis wrote: > > Send me the working example of dangerous macro, that I can see how it > > works, thank you. Make > > (rx (eval (call-process "touch" nil nil nil "/tmp/owned"))) I see it executes and makes the file by opening ex.el with the above. It doesn't work with .txt file though. I hope there are no toher issues like that. -- Jean Louis ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-11 10:38 ` Jean Louis @ 2024-12-11 10:42 ` tomas 2024-12-11 12:50 ` Daniel Radetsky 1 sibling, 0 replies; 29+ messages in thread From: tomas @ 2024-12-11 10:42 UTC (permalink / raw) To: Daniel Radetsky, emacs-devel [-- Attachment #1: Type: text/plain, Size: 602 bytes --] On Wed, Dec 11, 2024 at 01:38:44PM +0300, Jean Louis wrote: > * Daniel Radetsky <dradetsky@gmail.com> [2024-12-11 12:37]: > > On Wed, Dec 11, 2024 at 12:25:24PM +0300, Jean Louis wrote: > > > Send me the working example of dangerous macro, that I can see how it > > > works, thank you. Make > > > > (rx (eval (call-process "touch" nil nil nil "/tmp/owned"))) > > I see it executes and makes the file by opening ex.el with the > above. It doesn't work with .txt file though. Believing in "file extensions" is yet another recipe for disaster (remember those ".jpg.exe"? Cheers -- t [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-11 10:38 ` Jean Louis 2024-12-11 10:42 ` tomas @ 2024-12-11 12:50 ` Daniel Radetsky 2024-12-11 13:10 ` tomas 1 sibling, 1 reply; 29+ messages in thread From: Daniel Radetsky @ 2024-12-11 12:50 UTC (permalink / raw) To: emacs-devel On Wed, Dec 11, 2024 at 01:38:44PM +0300, Jean Louis wrote: > I see it executes and makes the file by opening ex.el with the > above. It doesn't work with .txt file though. ;; -*- emacs-lisp -*- ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-11 12:50 ` Daniel Radetsky @ 2024-12-11 13:10 ` tomas 0 siblings, 0 replies; 29+ messages in thread From: tomas @ 2024-12-11 13:10 UTC (permalink / raw) To: Daniel Radetsky; +Cc: emacs-devel [-- Attachment #1: Type: text/plain, Size: 313 bytes --] On Wed, Dec 11, 2024 at 04:50:41AM -0800, Daniel Radetsky wrote: > On Wed, Dec 11, 2024 at 01:38:44PM +0300, Jean Louis wrote: > > I see it executes and makes the file by opening ex.el with the > > above. It doesn't work with .txt file though. > > ;; -*- emacs-lisp -*- What I said :) Cheers -- t [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-10 18:03 ` Daniel Radetsky 2024-12-11 8:35 ` Eshel Yaron @ 2024-12-12 4:48 ` Richard Stallman 2024-12-12 7:39 ` Jean Louis 1 sibling, 1 reply; 29+ messages in thread From: Richard Stallman @ 2024-12-12 4:48 UTC (permalink / raw) To: Daniel Radetsky; +Cc: bugs, steven, christopher, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > As I understand it, the issue is that the user has already > said "execute elisp code in any elisp-mode files," Does the user literallky say that. or does the user say something different which you _interpret_ as _tentamount_ to saying that? It makes a big difference here. > If the user has already asked emacs to execute elisp, the > only thing that could IMO count as a fix is to _prevent_ > them from doing this. Preventng this is the sort of fix I have in mind. But I have not yet come across a message explaining precisely what user actions activate that behavior. Until I learn that, I won't fully understand the issue. I asked for that info, and I hope I soon come across a response. But it looks like this conequence came as a surprse. So I think we did not anticipate, when adding the feture, that it would have this effect. We did not intentinally add the feature as a way for users to say, "Go ahead and randomly execute Elisp code from any of my visited files." If we actually want to offer a command by which the user says to execute unpredictably parts of whatever Elisp files get visited, Emacs should warn per that "this is dangerous" and ask per to confirm with `yes'. We should not let users risk stumbling into this mode without knowing what care they will have to take in this mode. But even wth understanding, it would be unwise to accept. Everyone who uses Emacs and looks at Emacs Lisp code will occasionally visit a file of Elisp code which is _not_ part of per own work. So even if perse wants this feature for all of a certain project, perse could fall into a trap by enabling it for _all_ Elisp files that are visited. THis leads me to think of settig up a more selective interface whereby you would enable this for source files of a specific project. Maybe that would give enough control that it could be safe and yet still convenient. -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-12 4:48 ` Richard Stallman @ 2024-12-12 7:39 ` Jean Louis 0 siblings, 0 replies; 29+ messages in thread From: Jean Louis @ 2024-12-12 7:39 UTC (permalink / raw) To: Richard Stallman; +Cc: Daniel Radetsky, steven, christopher, emacs-devel * Richard Stallman <rms@gnu.org> [2024-12-12 07:48]: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > > As I understand it, the issue is that the user has already > > said "execute elisp code in any elisp-mode files," > > Does the user literallky say that. or does the user say something > different which you _interpret_ as _tentamount_ to saying that? > > It makes a big difference here. I was first under impression that such user would be aware of it, but after reviewing Flymake, no, user will not be aware of it. Even though condition would rarely happen, Flymake purpose is to verify Emacs Lisp programming for correctness, I don't think many would be verifying other people's files for correctness, normally one's own files. Though the problem may exist in other packages as well. It should simple be disabled. Jean Louis ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-03 17:53 Emacs Arbitrary Code Execution and How to Avoid It Christopher Howard 2024-12-03 19:20 ` Gerd Möllmann 2024-12-04 9:39 ` Jean Louis @ 2024-12-06 4:47 ` Richard Stallman 2024-12-06 5:30 ` Jim Porter ` (2 more replies) 2 siblings, 3 replies; 29+ messages in thread From: Richard Stallman @ 2024-12-06 4:47 UTC (permalink / raw) To: emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] Did the person who posted this https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html send us mail, or do anything to report the bug? -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-06 4:47 ` Richard Stallman @ 2024-12-06 5:30 ` Jim Porter 2024-12-06 8:32 ` Eli Zaretskii 2024-12-06 8:29 ` Eli Zaretskii 2024-12-06 16:51 ` Philip Kaludercic 2 siblings, 1 reply; 29+ messages in thread From: Jim Porter @ 2024-12-06 5:30 UTC (permalink / raw) To: rms, emacs-devel On 12/5/2024 8:47 PM, Richard Stallman wrote: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > Did the person who posted this > > https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html > > send us mail, or do anything to report the bug? According to this message, Eshel had discussed this with Stefan Kangas privately (and possibly the other maintainers?) first: <https://lists.gnu.org/archive/html/emacs-devel/2024-11/msg00749.html>. ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-06 5:30 ` Jim Porter @ 2024-12-06 8:32 ` Eli Zaretskii 0 siblings, 0 replies; 29+ messages in thread From: Eli Zaretskii @ 2024-12-06 8:32 UTC (permalink / raw) To: Jim Porter; +Cc: rms, emacs-devel > Date: Thu, 5 Dec 2024 21:30:41 -0800 > From: Jim Porter <jporterbugs@gmail.com> > > On 12/5/2024 8:47 PM, Richard Stallman wrote: > > > > Did the person who posted this > > > > https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html > > > > send us mail, or do anything to report the bug? > > According to this message, Eshel had discussed this with Stefan Kangas > privately (and possibly the other maintainers?) first: > <https://lists.gnu.org/archive/html/emacs-devel/2024-11/msg00749.html>. Yes. ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-06 4:47 ` Richard Stallman 2024-12-06 5:30 ` Jim Porter @ 2024-12-06 8:29 ` Eli Zaretskii 2024-12-06 16:51 ` Philip Kaludercic 2 siblings, 0 replies; 29+ messages in thread From: Eli Zaretskii @ 2024-12-06 8:29 UTC (permalink / raw) To: rms; +Cc: emacs-devel > From: Richard Stallman <rms@gnu.org> > Date: Thu, 05 Dec 2024 23:47:10 -0500 > > Did the person who posted this > > https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html > > send us mail, or do anything to report the bug? Yes. ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-06 4:47 ` Richard Stallman 2024-12-06 5:30 ` Jim Porter 2024-12-06 8:29 ` Eli Zaretskii @ 2024-12-06 16:51 ` Philip Kaludercic 2024-12-08 5:15 ` Richard Stallman 2 siblings, 1 reply; 29+ messages in thread From: Philip Kaludercic @ 2024-12-06 16:51 UTC (permalink / raw) To: Richard Stallman; +Cc: emacs-devel Richard Stallman <rms@gnu.org> writes: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > Did the person who posted this > > https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html > > send us mail, or do anything to report the bug? Yes, I saw <m1a5dltb04.fsf@macbookpro.home> on the mailing list a week ago. ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: Emacs Arbitrary Code Execution and How to Avoid It 2024-12-06 16:51 ` Philip Kaludercic @ 2024-12-08 5:15 ` Richard Stallman 0 siblings, 0 replies; 29+ messages in thread From: Richard Stallman @ 2024-12-08 5:15 UTC (permalink / raw) To: Philip Kaludercic; +Cc: emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html > > > > send us mail, or do anything to report the bug? > Yes, I saw <m1a5dltb04.fsf@macbookpro.home> on the mailing list a week > ago. I am glad that perse did the right thing. -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 29+ messages in thread
end of thread, other threads:[~2024-12-12 7:39 UTC | newest] Thread overview: 29+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-12-03 17:53 Emacs Arbitrary Code Execution and How to Avoid It Christopher Howard 2024-12-03 19:20 ` Gerd Möllmann 2024-12-03 20:25 ` Eshel Yaron 2024-12-08 5:10 ` Richard Stallman 2024-12-06 4:47 ` Richard Stallman 2024-12-06 8:30 ` Eli Zaretskii 2024-12-09 4:57 ` Richard Stallman 2024-12-09 13:59 ` Eli Zaretskii 2024-12-04 9:39 ` Jean Louis 2024-12-04 15:04 ` Steven Allen 2024-12-04 17:02 ` Jean Louis 2024-12-04 17:23 ` Christopher Howard 2024-12-07 4:23 ` Richard Stallman 2024-12-10 18:03 ` Daniel Radetsky 2024-12-11 8:35 ` Eshel Yaron 2024-12-11 9:25 ` Jean Louis 2024-12-11 9:37 ` Daniel Radetsky 2024-12-11 10:38 ` Jean Louis 2024-12-11 10:42 ` tomas 2024-12-11 12:50 ` Daniel Radetsky 2024-12-11 13:10 ` tomas 2024-12-12 4:48 ` Richard Stallman 2024-12-12 7:39 ` Jean Louis 2024-12-06 4:47 ` Richard Stallman 2024-12-06 5:30 ` Jim Porter 2024-12-06 8:32 ` Eli Zaretskii 2024-12-06 8:29 ` Eli Zaretskii 2024-12-06 16:51 ` Philip Kaludercic 2024-12-08 5:15 ` Richard Stallman
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/emacs.git https://git.savannah.gnu.org/cgit/emacs/org-mode.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.