From: Clément Pit-Claudel
Newsgroups: gmane.emacs.devel
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Date: Tue, 15 Oct 2019 18:23:30 -0400
To: emacs-devel@gnu.org
List-Id: "Emacs development discussions."
Xref: news.gmane.org gmane.emacs.devel:241070

Besides this particular problem, whose fix might just be to remove an
already deprecated feature, there's the more general issue that many
people enable Flymake and Flycheck unconditionally in prog-mode and
derivatives. Flycheck has that same code execution problem, and it's
been a known design issue for a while. I think the right fix is to make
a safe ELisp macroexpander (we try to call checkers for languages that
execute code at compile time with appropriate flags, but such flags are
not always available; locally, I have a list of paths to enable Flycheck
on, and I disable it otherwise).

Clément.

On 2019-10-15 17:05, adam plaice wrote:
> Since the bug allows an attacker to execute arbitrary code if the
> victim opens a payload file, and hence opening any file from an
> untrusted source becomes dangerous, it seems to be rather
> serious.
>
> The bug relies on the fact that flymake-mode can execute arbitrary
> code, that minor modes (in particular, flymake-mode) can be set with
> local variables (with `mode:') and that when a minor-mode is set in
> this way, the major-mode is not unset. (See the linked bug or below
> for details.)
>
> I'm not sure whether I should be bringing greater attention to it,
> but given that it's already in the open, and malicious actors can
> find it (or just come up with it themselves, as it's not a particularly
> complex idea), increasing the likelihood of getting it fixed hopefully
> outweighs the disadvantages.
>
> I'd offer to provide a patch, but I'm neither very proficient with
> Emacs lisp, nor a security expert. I also haven't signed any copyright
> papers.
>
>
> Some thoughts on potential solutions (from a well-intentioned, but
> possibly misguided layman):
>
> AFAICT the easiest way to prevent this specific bug would be to
> prevent more than one mode being set by the file and directory
> local-variables machinery.
>
> Perhaps also only allowing major modes to be set with `mode' in local
> variables (and only allowing minor-modes to be set with `eval', as is
> already encouraged in the manual), might decrease the "attack surface"
> for similar such attacks.
>
> I'm not sure whether any major modes are "unsafe" (in the way flymake
> is), but possibly it might make sense to mark major modes as safe,
> similarly to the way variables are, though that would be a far more
> extensive change.
>
> Thank you,
> Adam
>
> PS Should Emacs have some policies on reporting security issues? I
> was encouraged (via an earlier e-mail exchange) to post the bug to
> debbugs, as normal, but it might perhaps be useful if the process
> (specifically for security vulnerabilities, not bugs in general) were
> mentioned in the manual.
>
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=37656
>>
>> * To reproduce:
>>
>> 1. Create a file, say `~/foobar', (it could have an arbitrary
>> extension) with the following contents:
>>
>> -*- mode: emacs-lisp; mode: flymake -*-
>>
>> (eval-when-compile
>>   (with-temp-file "~/emacs_flymake_security_bug"
>>     (insert "Could have also executed any code.")))
>>
>> 2. Open the file with emacs:
>>
>> emacs -Q ~/foobar
>>
>> 3. Inspect ~/emacs_flymake_security_bug:
>>
>> cat ~/emacs_flymake_security_bug
>>
>> * Expected result
>>
>> ~/emacs_flymake_security_bug does not exist.
>>
>> * Actual result
>>
>> ~/emacs_flymake_security_bug does exist.
>>
>> * Further information
>>
>> This relies on the "deprecated" feature of allowing `mode: ' to be
>> repeated more than once, to also specify minor modes. Just having:
>>
>> -*- mode: flymake -*-
>>
>> in, say, `~/foobar.el' would not trigger the security bug. There may,
>> however, be alternative ways of triggering it, that I haven't come up
>> with.
>>
>>
>> This was "inspired" by a very similar bug (concerning an external
>> package, editorconfig), described here:
>>
>> https://illikainen.dev/blog/2019-10-06-editorconfig
>>
>> Thank you and best regards,
>> Adam
>>
>>
>
>
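The trigger in the quoted report is a file-local variable list that names more than one `mode:`, the deprecated way of switching on a minor mode such as flymake. The scanner below is an added example, not code from this thread or from Emacs: it parses both places Emacs reads file-local variables from (the `-*- ... -*-` cookie on the first line, or on the second line after a `#!` line, and the trailing `Local Variables:` / `End:` block within the last 3000 characters of the file, which goes beyond the prop-line case the report shows) and flags a repeated `mode:`, a request for flymake or flycheck, or an `eval:` form, so that an untrusted file can be checked before it is opened. The sample files, the `CODE_RUNNING_MODES` set and the verdict rules are this example's assumptions.

```python
"""Pre-open check for Emacs file-local variables that request a minor mode
through a repeated `mode:' cookie, as the quoted report does with flymake.
Added example, not code from the Emacs thread; the sample files at the
bottom are constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Minor modes the thread names as running code from the buffer they check.
# Treating a `mode:' request for them as risky is this example's assumption.
CODE_RUNNING_MODES = {"flymake", "flycheck"}

PROP_LINE_RE = re.compile(r"-\*-\s*(.*?)\s*-\*-")
LOCAL_VARS_TAG = "Local Variables:"


def _spec(item: str) -> Tuple[str, str]:
    name, value = item.split(":", 1)
    return name.strip().lower(), value.strip()


def parse_prop_line(text: str) -> List[Tuple[str, str]]:
    """Parse the `-*- ... -*-' cookie Emacs reads from the first line, or
    from the second line when the first is a #! interpreter line."""
    lines = text.split("\n")
    idx = 1 if lines and lines[0].startswith("#!") else 0
    if idx >= len(lines):
        return []
    m = PROP_LINE_RE.search(lines[idx])
    if not m:
        return []
    body = m.group(1)
    if ":" not in body:
        # Bare `-*- lisp -*-' is shorthand for `mode: lisp'.
        return [("mode", body.strip().lower())]
    return [_spec(item) for item in body.split(";") if ":" in item]


def parse_local_variables_block(text: str) -> List[Tuple[str, str]]:
    """Parse the trailing `Local Variables:' ... `End:' block.  Emacs only
    searches the last 3000 characters, and whatever surrounds the tag on
    its line is a prefix/suffix that every line of the block must repeat."""
    lines = text[-3000:].split("\n")
    for i, line in enumerate(lines):
        pos = line.find(LOCAL_VARS_TAG)
        if pos < 0:
            continue
        prefix, suffix = line[:pos], line[pos + len(LOCAL_VARS_TAG):]
        specs = []
        for raw in lines[i + 1:]:
            if not (raw.startswith(prefix) and raw.endswith(suffix)):
                break
            inner = raw[len(prefix):len(raw) - len(suffix)].strip()
            if inner == "End:":
                break
            if ":" in inner:
                specs.append(_spec(inner))
        return specs
    return []


@dataclass
class Verdict:
    modes: List[str]
    evals: List[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.reasons)


def assess(text: str) -> Verdict:
    """Combine both sources of file-local variables and flag the patterns
    the report describes: more than one `mode:', a code-running minor mode,
    or an `eval:' form."""
    specs = parse_prop_line(text) + parse_local_variables_block(text)
    modes = []
    for k, v in specs:
        if k == "mode":
            v = v.lower()
            # Compare with or without a `-mode' suffix (defensive normalisation).
            modes.append(v[:-5] if v.endswith("-mode") else v)
    evals = [v for k, v in specs if k == "eval"]
    reasons = []
    if len(modes) > 1:
        reasons.append("more than one `mode:' (deprecated minor-mode form): "
                       + ", ".join(modes))
    hits = sorted(CODE_RUNNING_MODES & set(modes))
    if hits:
        reasons.append("code-running minor mode requested: " + ", ".join(hits))
    if evals:
        reasons.append(f"{len(evals)} `eval:' form(s) present")
    return Verdict(modes, evals, reasons)


# Constructed samples.  PAYLOAD is the file from the quoted report.
PAYLOAD = """-*- mode: emacs-lisp; mode: flymake -*-

(eval-when-compile
  (with-temp-file "~/emacs_flymake_security_bug"
    (insert "Could have also executed any code.")))
"""
BENIGN = "-*- mode: emacs-lisp -*-\n(defun hello () 42)\n"
SCRIPT_WITH_BLOCK = """#!/usr/bin/env python3
# -*- coding: utf-8 -*-
print("hi")
# Local Variables:
# mode: python
# mode: flymake
# End:
"""

if __name__ == "__main__":
    for name, text in [("PAYLOAD", PAYLOAD), ("BENIGN", BENIGN),
                       ("SCRIPT_WITH_BLOCK", SCRIPT_WITH_BLOCK)]:
        v = assess(text)
        print(f"{name}: risky={v.risky} modes={v.modes} reasons={v.reasons}")
```

Splitting the prop-line on `;` is good enough for the `mode:` case but would cut an `eval:` form that itself contains a semicolon; a scanner that needs the exact `eval` body should hand the cookie to a real reader instead.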