* bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x @ 2019-10-08 8:48 adam plaice 2019-10-15 21:05 ` bug#37656: 27.0.50; Arbitrary code execution with special `mode:' adam plaice 2019-10-16 13:13 ` bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x Stefan Monnier 0 siblings, 2 replies; 3+ messages in thread From: adam plaice @ 2019-10-08 8:48 UTC (permalink / raw To: 37656 * To reproduce: 1. Create a file, say `~/foobar', (it could have an arbitrary extension) with the following contents: -*- mode: emacs-lisp; mode: flymake -*- (eval-when-compile (with-temp-file "~/emacs_flymake_security_bug" (insert "Could have also executed any code."))) 2. Open the file with emacs: emacs -Q ~/foobar 3. Inspect ~/emacs_flymake_security_bug: cat ~/emacs_flymake_security_bug * Expected result ~/emacs_flymake_security_bug does not exist. * Actual result ~/emacs_flymake_security_bug does exist. * Further information This relies on the "deprecated" feature of allowing `mode: ' to be repeated more than once, to also specify minor modes. Just having: -*- mode: flymake -*- in, say, `~/foobar.el' would not trigger the security bug. There may, however, be alternative ways of triggering it, that I haven't come up with. This was "inspired" by a very similar bug (concerning an external package, editorconfig), described here: https://illikainen.dev/blog/2019-10-06-editorconfig Thank you and best regards, Adam In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.18.9) of 2019-10-07 built on adam Repository revision: 9839466b231b6384055b9b137405730876413cbe Repository branch: master Windowing system distributor 'The X.Org Foundation', version 11.0.11804000 System Description: Ubuntu 16.04.6 LTS Recent messages: For information about GNU Emacs and the GNU system, type C-h C-a. Configured using: 'configure --with-modules --without-pop' Configured features: XPM JPEG TIFF GIF PNG RSVG SOUND GPM DBUS GSETTINGS GLIB NOTIFY INOTIFY ACL LIBSELINUX GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF XFT ZLIB TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS PDUMPER LCMS2 GMP Important settings: value of $LANG: en_GB.UTF-8 locale-coding-system: utf-8-unix Major mode: Lisp Interaction Minor modes in effect: tooltip-mode: t global-eldoc-mode: t eldoc-mode: t electric-indent-mode: t mouse-wheel-mode: t tool-bar-mode: t menu-bar-mode: t file-name-shadow-mode: t global-font-lock-mode: t font-lock-mode: t blink-cursor-mode: t auto-composition-mode: t auto-encryption-mode: t auto-compression-mode: t line-number-mode: t transient-mark-mode: t Load-path shadows: None found. Features: (shadow sort mail-extr emacsbug message rmc puny dired dired-loaddefs format-spec rfc822 mml easymenu mml-sec password-cache epa derived epg epg-config gnus-util rmail rmail-loaddefs text-property-search time-date subr-x seq byte-opt gv bytecomp byte-compile cconv mm-decode mm-bodies mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader cl-loaddefs cl-lib sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type mwheel term/x-win x-win term/common-win x-dnd tool-bar dnd fontset image regexp-opt fringe tabulated-list replace newcomment text-mode elisp-mode lisp-mode prog-mode register page tab-bar menu-bar rfn-eshadow isearch timer select scroll-bar mouse jit-lock font-lock syntax facemenu font-core term/tty-colors frame cl-generic cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech european ethiopic indian cyrillic chinese composite charscript charprop case-table epa-hook jka-cmpr-hook help simple abbrev obarray minibuffer cl-preloaded nadvice loaddefs button faces cus-face macroexp files text-properties overlay sha1 md5 base64 format env code-pages mule custom widget hashtable-print-readable backquote threads dbusbind inotify lcms2 dynamic-setting system-font-setting font-render-setting move-toolbar gtk x-toolkit x multi-tty make-network-process emacs) Memory information: ((conses 16 44045 5448) (symbols 48 5971 1) (strings 32 15685 1582) (string-bytes 1 506409) (vectors 16 9198) (vector-slots 8 123144 8510) (floats 8 19 25) (intervals 56 186 0) (buffers 1000 11) (heap 1024 12431 1138)) ^ permalink raw reply [flat|nested] 3+ messages in thread
* bug#37656: 27.0.50; Arbitrary code execution with special `mode:' 2019-10-08 8:48 bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x adam plaice @ 2019-10-15 21:05 ` adam plaice 2019-10-16 13:13 ` bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x Stefan Monnier 1 sibling, 0 replies; 3+ messages in thread From: adam plaice @ 2019-10-15 21:05 UTC (permalink / raw To: emacs-devel; +Cc: 37656 Since the bug allows an attacker to execute arbitrary code if the victim opens a payload file, and hence opening any file from an untrusted source becomes dangerous, it seems to be rather serious. The bug relies on the fact that flymake-mode can execute arbitrary code, that minor modes (in particular, flymake-mode) can be set with local variables (with `mode:') and that when a minor-mode is set in this way, the major-mode is not unset. (See the linked bug or below for details.) I'm not sure whether I should be bringing greater attention to it, but given that it's already in the open, and malicious actors can find it (or just come up with it themselves, as it's not a particularly complex idea), increasing the likelihood of getting it fixed hopefully outweighs the disadvantages. I'd offer to provide a patch, but I'm neither very proficient with Emacs lisp, nor a security expert. I also haven't signed any copyright papers. Some thoughts on potential solutions (from a well-intentioned, but possibly misguided layman): AFAICT the easiest way to prevent this specific bug would be to prevent more than one mode being set by the file and directory local-variables machinery. Perhaps also only allowing major modes to be set with `mode' in local variables (and only allowing minor-modes to be set with `eval', as is already encouraged in the manual), might decrease the "attack surface" for similar such attacks. I'm not sure whether any major modes are "unsafe" (in the way flymake is), but possibly it might make sense to mark major modes as safe, similarly to the way variables are, though that would be a far more extensive change. Thank you, Adam PS Should Emacs have some policies on reporting security issues? I was encouraged (via an earlier e-mail exchange) to post the bug to debbugs, as normal, but it might perhaps be useful if the process (specifically for security vulnerabilities, not bugs in general) were mentioned in the manual. > https://debbugs.gnu.org/cgi/bugreport.cgi?bug=37656 > > * To reproduce: > > 1. Create a file, say `~/foobar', (it could have an arbitrary > extension) with the following contents: > > -*- mode: emacs-lisp; mode: flymake -*- > > (eval-when-compile > (with-temp-file "~/emacs_flymake_security_bug" > (insert "Could have also executed any code."))) > > 2. Open the file with emacs: > > emacs -Q ~/foobar > > 3. Inspect ~/emacs_flymake_security_bug: > > cat ~/emacs_flymake_security_bug > > * Expected result > > ~/emacs_flymake_security_bug does not exist. > > * Actual result > > ~/emacs_flymake_security_bug does exist. > > * Further information > > This relies on the "deprecated" feature of allowing `mode: ' to be > repeated more than once, to also specify minor modes. Just having: > > -*- mode: flymake -*- > > in, say, `~/foobar.el' would not trigger the security bug. There may, > however, be alternative ways of triggering it, that I haven't come up > with. > > > This was "inspired" by a very similar bug (concerning an external > package, editorconfig), described here: > > https://illikainen.dev/blog/2019-10-06-editorconfig > > Thank you and best regards, > Adam > > ^ permalink raw reply [flat|nested] 3+ messages in thread
* bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x 2019-10-08 8:48 bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x adam plaice 2019-10-15 21:05 ` bug#37656: 27.0.50; Arbitrary code execution with special `mode:' adam plaice @ 2019-10-16 13:13 ` Stefan Monnier 1 sibling, 0 replies; 3+ messages in thread From: Stefan Monnier @ 2019-10-16 13:13 UTC (permalink / raw To: adam plaice; +Cc: 37656 > -*- mode: emacs-lisp; mode: flymake -*- > > (eval-when-compile > (with-temp-file "~/emacs_flymake_security_bug" > (insert "Could have also executed any code."))) Yes, it's a serious (and, sadly, known) problem. I think it goes further than just flymake support for Elisp: flymake support for other major modes may also end up running arbitrary code (tho it will depend on the specifics). So, I think flymake should have a list of "safe" places where it can treat files like it does know, and any file found elsewhere should be treated with more care either by simply disabling flymake or disabling some of its backends, or making its backends more careful (e.g. to compile those files in a mode where `eval-when-compile` is not executed or is only executed after passing it through a stringent safety test). Stefan ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-10-16 13:13 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-10-08 8:48 bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x adam plaice 2019-10-15 21:05 ` bug#37656: 27.0.50; Arbitrary code execution with special `mode:' adam plaice 2019-10-16 13:13 ` bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x Stefan Monnier
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/emacs.git https://git.savannah.gnu.org/cgit/emacs/org-mode.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.