GNU bug report logs - #37656
27.0.50; Arbitrary code execution with special `mode:'


Package: emacs; Reported by: adam plaice <plaice.adam+lists@HIDDEN>; Keywords: security; dated Tue, 8 Oct 2019 08:49:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 37656 <at> debbugs.gnu.org:


From: Adam Plaice <plaiceadam@HIDDEN>
Date: Wed, 16 Oct 2019 23:02:29 +0200
Message-ID: <CAJw81dYKcEYG3eT4BT_XtzFA4KFjvBiPLZJM4rLEMXO7J1xXvg@HIDDEN>
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
To: Phil Sainty <psainty@HIDDEN>
Cc: Eli Zaretskii <eliz@HIDDEN>, Stefan Kangas <stefan@HIDDEN>,
 37656 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

> So the deprecated approach isn't actually a factor here.

FWIW bug#8613 included a discussion of adding an optional `:risky'
argument to define-minor-mode.  If RISKY were absent (or nil) then the
relevant minor mode function would have its `safe-local-eval-function'
property set to t.  (Why a `:risky' argument, rather than a `:safe'
one, would have been preferable is discussed in the bug.)  In the end,
this was not implemented (and the alternative approach of treating
modes as a special case in `hack-one-local-variable-eval-safep' was
taken).  It was decided to not be needed yet, as the case of an
unsafe minor mode was considered hypothetical.

> I think it goes further than just flymake support for Elisp: flymake
> support for other major modes may also end up running arbitrary code
> (tho it will depend on the specifics).

The advantage of being able to mark minor modes as "risky" would be
that it might help solve the issue for all flymake backends and for
any third-party minor modes which are unsafe, with minimal changes
needed for such backends/modes.

Adam




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Date: Wed, 16 Oct 2019 22:34:22 +0300
Message-Id: <83r23ccwn5.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Phil Sainty <psainty@HIDDEN>
In-reply-to: <16f494c4-be3a-09d7-1c56-d58647059c44@HIDDEN> (message from
 Phil Sainty on Thu, 17 Oct 2019 08:09:04 +1300)
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Cc: stefan@HIDDEN, 37656 <at> debbugs.gnu.org, plaiceadam@HIDDEN

> Cc: Adam Plaice <plaiceadam@HIDDEN>, 37656 <at> debbugs.gnu.org,
>  stefan@HIDDEN
> From: Phil Sainty <psainty@HIDDEN>
> Date: Thu, 17 Oct 2019 08:09:04 +1300
> 
> On 17/10/19 6:09 AM, Eli Zaretskii wrote:
> > I don't think that removing the feature will solve the more
> > general problem in this bug report.
> 
> 
> In particular it seems there is no point in removing the deprecated
> method of calling a minor mode using local variables because, after
> testing, the *approved* method of calling a minor mode via local
> variables causes the same behaviour.  i.e.:
> 
> -*- mode: emacs-lisp; eval:(flymake-mode 1); -*-
> 
> 
> So the deprecated approach isn't actually a factor here.

Right, thanks for confirming.

The question is: can we do something in core to prevent these
problems, or does the solution have to be in the individual minor
modes?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
To: Eli Zaretskii <eliz@HIDDEN>
From: Phil Sainty <psainty@HIDDEN>
Message-ID: <16f494c4-be3a-09d7-1c56-d58647059c44@HIDDEN>
Date: Thu, 17 Oct 2019 08:09:04 +1300
Cc: stefan@HIDDEN, 37656 <at> debbugs.gnu.org,
 Adam Plaice <plaiceadam@HIDDEN>

> > -*- mode: emacs-lisp; mode: flymake -*-
> > This relies on the "deprecated" feature of allowing `mode: '
> > to be repeated more than once, to also specify minor modes.
> > Just having: -*- mode: flymake -*- [...] would not trigger
> > the security bug.


On 17/10/19 6:09 AM, Eli Zaretskii wrote:
> I don't think that removing the feature will solve the more
> general problem in this bug report.


In particular it seems there is no point in removing the deprecated
method of calling a minor mode using local variables because, after
testing, the *approved* method of calling a minor mode via local
variables causes the same behaviour.  i.e.:

-*- mode: emacs-lisp; eval:(flymake-mode 1); -*-


So the deprecated approach isn't actually a factor here.


-Phil





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Date: Wed, 16 Oct 2019 20:09:16 +0300
Message-Id: <83d0ewehxf.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Adam Plaice <plaiceadam@HIDDEN>
In-reply-to: <CAJw81dYvV2vA9Rmq-1psqO+D5cHBX9JO55j6ww=zft+d-EWE=A@HIDDEN>
 (message from Adam Plaice on Wed, 16 Oct 2019 13:51:57 +0200)
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Cc: 37656 <at> debbugs.gnu.org, stefan@HIDDEN

> From: Adam Plaice <plaiceadam@HIDDEN>
> Date: Wed, 16 Oct 2019 13:51:57 +0200
> Cc: Stefan Kangas <stefan@HIDDEN>, 37656 <at> debbugs.gnu.org
> 
> > This feature was described as "deprecated", but where and why did we
> > deprecate it?
> 
> I think bug#8613 is where the decision was made.  The deprecation is
> mentioned in files.el and the manual warns against using `mode:' for
> minor modes in:
> (info "(emacs) Specifying File Variables")

OK, thanks.

However, I don't think that removing the feature will solve the more
general problem in this bug report.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


From: Stefan Monnier <monnier@HIDDEN>
To: adam plaice <plaice.adam+lists@HIDDEN>
Subject: Re: bug#37656: 27.0.50; Opening file with specially crafted local
 variables can cause arbitrary code execution Inbox x
Message-ID: <jwvmue0x2ek.fsf-monnier+emacs@HIDDEN>
Date: Wed, 16 Oct 2019 09:13:43 -0400
In-Reply-To: <CAJw81da4=R1jMJ0enx6SbO7G1rzaL61K2kqbY+jxhe=AM-3vtQ@HIDDEN>
 (adam plaice's message of "Tue, 8 Oct 2019 10:48:32 +0200")
Cc: 37656 <at> debbugs.gnu.org

> -*- mode: emacs-lisp; mode: flymake -*-
>
> (eval-when-compile
>   (with-temp-file "~/emacs_flymake_security_bug"
>       (insert "Could have also executed any code.")))

Yes, it's a serious (and, sadly, known) problem.

I think it goes further than just flymake support for Elisp: flymake
support for other major modes may also end up running arbitrary code
(tho it will depend on the specifics).

So, I think flymake should have a list of "safe" places where it can
treat files like it does now, and any file found elsewhere should be
treated with more care either by simply disabling flymake or disabling
some of its backends, or making its backends more careful (e.g. to
compile those files in a mode where `eval-when-compile` is not executed
or is only executed after passing it through a stringent safety test).


        Stefan
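
One way to apply the "safe places" idea from the message above on the user side, as an added example that is not part of this thread or of Emacs: an `:around' advice that refuses to turn on `flymake-mode' for files outside an allowlist.  The `my-flymake-*' names and the sample directory are assumptions.

```elisp
;; Added example: user-side allowlist of "safe places" for Flymake.
;; Every `my-flymake-' name and the sample directory are hypothetical.
(require 'cl-lib)

(defvar my-flymake-trusted-directories
  (list "~/src/my-own-code/")           ; constructed sample entry
  "Directories whose files Flymake is allowed to check.
Files anywhere else are treated as untrusted input.")

(defun my-flymake-file-trusted-p (file)
  "Return non-nil if FILE is under a trusted directory.
`file-in-directory-p' compares true names, so a symlink leading out
of a trusted tree is not trusted; a listed directory that does not
exist matches nothing.  A nil FILE (non-file buffer) is untrusted."
  (and file
       (cl-some (lambda (dir)
                  (file-in-directory-p file (expand-file-name dir)))
                my-flymake-trusted-directories)))

(defun my-flymake-would-enable-p (arg)
  "Return non-nil if calling `flymake-mode' with ARG would turn it on.
Follows the argument convention of `define-minor-mode': `toggle'
flips the mode, a number below 1 disables, anything else enables."
  (cond ((eq arg 'toggle) (not (bound-and-true-p flymake-mode)))
        ((numberp arg) (>= arg 1))
        (t t)))

(defun my-flymake-guard (orig-fn &optional arg)
  "Around-advice for `flymake-mode'.
Call ORIG-FN with ARG unless that would enable Flymake in a buffer
whose file is outside `my-flymake-trusted-directories'.  Turning the
mode off is always allowed."
  (if (and (my-flymake-would-enable-p arg)
           (not (my-flymake-file-trusted-p (buffer-file-name))))
      (progn
        (message "Flymake not enabled: %s is not under a trusted directory"
                 (or (buffer-file-name) (buffer-name)))
        nil)
    (funcall orig-fn arg)))

;; Install the guard; remove it again with
;; (advice-remove 'flymake-mode #'my-flymake-guard).
(advice-add 'flymake-mode :around #'my-flymake-guard)
```

Both forms shown in the thread, `mode: flymake' and `eval:(flymake-mode 1)', end up calling the `flymake-mode' function, so the advice applies to either; it also blocks enabling Flymake by hand outside the allowlist.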





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


From: Adam Plaice <plaiceadam@HIDDEN>
Date: Wed, 16 Oct 2019 13:51:57 +0200
Message-ID: <CAJw81dYvV2vA9Rmq-1psqO+D5cHBX9JO55j6ww=zft+d-EWE=A@HIDDEN>
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
To: Eli Zaretskii <eliz@HIDDEN>
Cc: 37656 <at> debbugs.gnu.org, Stefan Kangas <stefan@HIDDEN>

> Please don't cross-post bug reports.  Please use only one of these two
> lists for any discussions, preferably the bug list.

Sorry!

> This feature was described as "deprecated", but where and why did we
> deprecate it?

I think bug#8613 is where the decision was made.  The deprecation is
mentioned in files.el and the manual warns against using `mode:' for
minor modes in:
(info "(emacs) Specifying File Variables")

Adam




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Date: Wed, 16 Oct 2019 10:58:06 +0300
Message-Id: <838splf7g1.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
In-reply-to: <CADwFkmk+03=J8YUy51xzBxSK2+u0DuMLq3Ur63Wr_YWv6e=C=g@HIDDEN>
 (message from Stefan Kangas on Wed, 16 Oct 2019 01:17:51 +0200)
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Cc: 37656 <at> debbugs.gnu.org, plaice.adam+lists@HIDDEN

> From: Stefan Kangas <stefan@HIDDEN>
> Date: Wed, 16 Oct 2019 01:17:51 +0200
> Cc: 37656 <at> debbugs.gnu.org, Emacs developers <emacs-devel@HIDDEN>
> 
> The "multiple mode specification feature" dates back to:
> 9fa7bfe524 1993-09-11 Richard M. Stallman
>     (hack-local-variables-prop-line): Ignore any specification
>     for `mode:', since set-auto-mode has already handled it.
>     (set-auto-mode): Clean up.  Handle more than one `mode:' spec in -*-.
> 
> The code that my proposed patch changes has stayed untouched since
> this 1993 commit.  If we agree that disabling this feature is the
> solution here, a backported security fix should therefore hopefully be
> a one liner all the way back to version 22.1.

This feature was described as "deprecated", but where and why did we
deprecate it?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Date: Wed, 16 Oct 2019 10:57:03 +0300
Message-Id: <83a7a1f7hs.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Adam Plaice <plaiceadam@HIDDEN>
In-reply-to: <CAJw81daBs7R8RcpBta2ytNvKyJ7McHzkp5RQ51Nwfo8tqwUjcQ@HIDDEN>
 (message from Adam Plaice on Wed, 16 Oct 2019 02:35:58 +0200)
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Cc: 37656 <at> debbugs.gnu.org, stefan@HIDDEN

> From: Adam Plaice <plaiceadam@HIDDEN>
> Date: Wed, 16 Oct 2019 02:35:58 +0200
> Cc: 37656 <at> debbugs.gnu.org, Emacs developers <emacs-devel@HIDDEN>
> 
> Unfortunately, I've realised that a similar problem can be introduced
> with directory variables.

Indeed, and I expect the same problem to pop up in other places.

Which is why I think the problem should be solved in those modes which
allow execution of arbitrary code via file-local variables without any
security precautions or other limitations, at least under user
control.

> (Should I file a separate bug for this as it's closely related but not
> quite the same?)

No, it's the same problem, and I don't like the proposed solution for
the reasons explained above.  I think we need a different solution.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Received: (at 37656) by debbugs.gnu.org; 16 Oct 2019 00:55:19 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 15 20:55:19 2019
Received: from localhost ([127.0.0.1]:45039 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iKXau-0000b2-UZ
	for submit <at> debbugs.gnu.org; Tue, 15 Oct 2019 20:55:19 -0400
Received: from smtp-2.orcon.net.nz ([60.234.4.43]:43043)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <psainty@HIDDEN>) id 1iKXas-0000ap-G7
 for 37656 <at> debbugs.gnu.org; Tue, 15 Oct 2019 20:55:15 -0400
Received: from [10.253.37.70] (port=37166 helo=webmail.orcon.net.nz)
 by smtp-2.orcon.net.nz with esmtpa (Exim 4.90_1)
 (envelope-from <psainty@HIDDEN>)
 id 1iKXam-00040V-5N; Wed, 16 Oct 2019 13:55:08 +1300
Received: from wlgwil-nat-office.catalyst.net.nz ([202.78.240.7])
 via [10.253.37.253] by webmail.orcon.net.nz
 with HTTP (HTTP/1.1 POST); Wed, 16 Oct 2019 13:55:08 +1300
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 16 Oct 2019 13:55:08 +1300
From: Phil Sainty <psainty@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
In-Reply-To: <CADwFkm=U1zfUsD4jTPj44mNvQX-h2gVrvXCkvjM5V7brhS71_Q@HIDDEN>
References: <CAJw81dZZmX=z-YFDwvEkuWR6xH+cf=mR9h-fcZTphwdXWrA5wg@HIDDEN>
 <CADwFkmnqfbsEEWkWMA2xnN1O+-JsTcCKrSYv0e3g1+jXrxRY5g@HIDDEN>
 <CADwFkm=U1zfUsD4jTPj44mNvQX-h2gVrvXCkvjM5V7brhS71_Q@HIDDEN>
Message-ID: <426c551f6e553d791d7cea986d8933a6@HIDDEN>
X-Sender: psainty@HIDDEN
User-Agent: Orcon Webmail
X-GeoIP: --
X-Spam_score: -2.9
X-Spam_score_int: -28
X-Spam_bar: --
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 37656
Cc: 37656 <at> debbugs.gnu.org, adam plaice <plaice.adam+lists@HIDDEN>,
 Emacs developers <emacs-devel@HIDDEN>
X-Spam-Score: -1.7 (-)

On 2019-10-16 11:55, Stefan Kangas wrote:
> Here is a more complete patch.  Does it look like the right fix?

I don't think so.  If we're removing the multiple 'mode' feature, then
`set-auto-mode' says the following about it:

     ;; Once we drop the deprecated feature where mode: is also allowed to
     ;; specify minor-modes (ie, there can be more than one "mode:"), we can
     ;; remove this section and just let (hack-local-variables t) handle it.
     ;; Find a -*- mode tag.






Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Received: (at 37656) by debbugs.gnu.org; 16 Oct 2019 00:36:18 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 15 20:36:17 2019
Received: from localhost ([127.0.0.1]:45031 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iKXIX-0008Po-KE
	for submit <at> debbugs.gnu.org; Tue, 15 Oct 2019 20:36:17 -0400
Received: from mail-lj1-f171.google.com ([209.85.208.171]:44630)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <plaiceadam@HIDDEN>) id 1iKXIW-0008PT-3f
 for 37656 <at> debbugs.gnu.org; Tue, 15 Oct 2019 20:36:16 -0400
Received: by mail-lj1-f171.google.com with SMTP id m13so22059585ljj.11
 for <37656 <at> debbugs.gnu.org>; Tue, 15 Oct 2019 17:36:16 -0700 (PDT)
X-Received: by 2002:a2e:9a03:: with SMTP id o3mr24358388lji.67.1571186170005; 
 Tue, 15 Oct 2019 17:36:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAJw81dZZmX=z-YFDwvEkuWR6xH+cf=mR9h-fcZTphwdXWrA5wg@HIDDEN>
 <CADwFkmnqfbsEEWkWMA2xnN1O+-JsTcCKrSYv0e3g1+jXrxRY5g@HIDDEN>
 <CADwFkm=U1zfUsD4jTPj44mNvQX-h2gVrvXCkvjM5V7brhS71_Q@HIDDEN>
In-Reply-To: <CADwFkm=U1zfUsD4jTPj44mNvQX-h2gVrvXCkvjM5V7brhS71_Q@HIDDEN>
From: Adam Plaice <plaiceadam@HIDDEN>
Date: Wed, 16 Oct 2019 02:35:58 +0200
Message-ID: <CAJw81daBs7R8RcpBta2ytNvKyJ7McHzkp5RQ51Nwfo8tqwUjcQ@HIDDEN>
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
To: Stefan Kangas <stefan@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 37656
Cc: 37656 <at> debbugs.gnu.org, Emacs developers <emacs-devel@HIDDEN>
X-Spam-Score: -1.0 (-)

> Here is a more complete patch.  Does it look like the right fix?

This indeed fixes the issue! Thanks for dealing with it so quickly! (Though
I'm obviously not qualified to say whether it's _the_ right fix for this.)

>  I think the relevant node in the documentation is:
> (info "(emacs)Choosing Modes")

That, and part of:
(info "(emacs)Specifying File Variables")


Unfortunately, I've realised that a similar problem can be introduced
with directory variables. (Should I file a separate bug for this as it's
closely related but not quite the same?) This requires at least two
files, so it's not quite as serious:

In .dir-locals.el:

((nil . ((mode . flymake))))

In, say, foobar, in the same directory:

-*- mode: emacs-lisp -*-

(eval-when-compile
  (with-temp-file "~/emacs_flymake_security_bug"
    (insert "Could have also executed any code.")))


(Some other, equivalent arrangements (e.g. (mode . emacs-lisp) directly in
.dir-locals.el), or simply an .el extension, also "work".)

According to the manual (info "(emacs)Directory Variables"):

> The special ‘mode’ element specifies the minor mode to be
> enabled.  So ‘(mode . auto-fill)’ specifies that the minor mode
> ‘auto-fill-mode’ needs to be enabled.

so in this case setting the minor mode _is_ the intended/documented behaviour,
which might make resolving the bug harder.

(OTOH (info "(emacs)Directory Variables") also states:

> You can specify the variables ‘mode’, ‘eval’, and ‘unibyte’ in your
> ‘.dir-locals.el’, and they have the same meanings as they would have in
> file local variables.

while (info "(emacs)Specifying File Variables") says:

> The special variable/value pair ‘mode:
> MODENAME;’, if present, specifies a major mode.

so there's some inconsistency on what `mode' in .dir-locals.el is actually
"supposed" to specify — a major mode, a minor mode or either.)

Thanks,
Adam




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Received: (at 37656) by debbugs.gnu.org; 15 Oct 2019 23:18:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 15 19:18:13 2019
Received: from localhost ([127.0.0.1]:45019 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iKW4z-0006S2-1P
	for submit <at> debbugs.gnu.org; Tue, 15 Oct 2019 19:18:13 -0400
Received: from mail-pg1-f169.google.com ([209.85.215.169]:33778)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1iKW4v-0006Rl-LD
 for 37656 <at> debbugs.gnu.org; Tue, 15 Oct 2019 19:18:11 -0400
Received: by mail-pg1-f169.google.com with SMTP id i76so13078949pgc.0
 for <37656 <at> debbugs.gnu.org>; Tue, 15 Oct 2019 16:18:09 -0700 (PDT)
X-Received: by 2002:a63:4046:: with SMTP id n67mr38175017pga.200.1571181483756; 
 Tue, 15 Oct 2019 16:18:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAJw81dZZmX=z-YFDwvEkuWR6xH+cf=mR9h-fcZTphwdXWrA5wg@HIDDEN>
 <CADwFkmnqfbsEEWkWMA2xnN1O+-JsTcCKrSYv0e3g1+jXrxRY5g@HIDDEN>
 <CADwFkm=U1zfUsD4jTPj44mNvQX-h2gVrvXCkvjM5V7brhS71_Q@HIDDEN>
In-Reply-To: <CADwFkm=U1zfUsD4jTPj44mNvQX-h2gVrvXCkvjM5V7brhS71_Q@HIDDEN>
From: Stefan Kangas <stefan@HIDDEN>
Date: Wed, 16 Oct 2019 01:17:51 +0200
Message-ID: <CADwFkmk+03=J8YUy51xzBxSK2+u0DuMLq3Ur63Wr_YWv6e=C=g@HIDDEN>
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
To: adam plaice <plaice.adam+lists@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: 37656
Cc: 37656 <at> debbugs.gnu.org, Emacs developers <emacs-devel@HIDDEN>
X-Spam-Score: -0.7 (/)

Stefan Kangas <stefan@HIDDEN> writes:

> > The below patch seems to fix it by disabling the feature it exploits.
>
> Here is a more complete patch.  Does it look like the right fix?

flymake.el was first added to Emacs in version 22.1:
4bcbcb9df3 2004-05-29 Eli Zaretskii New file.

The "multiple mode specification feature" dates back to:
9fa7bfe524 1993-09-11 Richard M. Stallman
    (hack-local-variables-prop-line): Ignore any specification
    for `mode:', since set-auto-mode has already handled it.
    (set-auto-mode): Clean up.  Handle more than one `mode:' spec in -*-.

The code that my proposed patch changes has stayed untouched since
this 1993 commit.  If we agree that disabling this feature is the
solution here, a backported security fix should therefore hopefully be
a one liner all the way back to version 22.1.

Best regards,
Stefan Kangas




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Received: (at 37656) by debbugs.gnu.org; 15 Oct 2019 22:55:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 15 18:55:29 2019
Received: from localhost ([127.0.0.1]:45006 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iKViy-0005tl-OE
	for submit <at> debbugs.gnu.org; Tue, 15 Oct 2019 18:55:29 -0400
Received: from mail-pl1-f173.google.com ([209.85.214.173]:44942)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1iKViw-0005tV-C1
 for 37656 <at> debbugs.gnu.org; Tue, 15 Oct 2019 18:55:26 -0400
Received: by mail-pl1-f173.google.com with SMTP id q15so10274887pll.11
 for <37656 <at> debbugs.gnu.org>; Tue, 15 Oct 2019 15:55:26 -0700 (PDT)
X-Received: by 2002:a17:902:d888:: with SMTP id
 b8mr39003592plz.259.1571180120298; 
 Tue, 15 Oct 2019 15:55:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAJw81dZZmX=z-YFDwvEkuWR6xH+cf=mR9h-fcZTphwdXWrA5wg@HIDDEN>
 <CADwFkmnqfbsEEWkWMA2xnN1O+-JsTcCKrSYv0e3g1+jXrxRY5g@HIDDEN>
In-Reply-To: <CADwFkmnqfbsEEWkWMA2xnN1O+-JsTcCKrSYv0e3g1+jXrxRY5g@HIDDEN>
From: Stefan Kangas <stefan@HIDDEN>
Date: Wed, 16 Oct 2019 00:55:08 +0200
Message-ID: <CADwFkm=U1zfUsD4jTPj44mNvQX-h2gVrvXCkvjM5V7brhS71_Q@HIDDEN>
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
To: adam plaice <plaice.adam+lists@HIDDEN>
Content-Type: multipart/mixed; boundary="000000000000f3162c0594fae02c"
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: 37656
Cc: 37656 <at> debbugs.gnu.org, Emacs developers <emacs-devel@HIDDEN>
X-Spam-Score: -0.7 (/)

--000000000000f3162c0594fae02c
Content-Type: text/plain; charset="UTF-8"

Stefan Kangas <stefan@HIDDEN> writes:
> The below patch seems to fix it by disabling the feature it exploits.

Here is a more complete patch.  Does it look like the right fix?

I think the relevant node in the documentation is:
(info "(emacs)Choosing Modes")

Best regards,
Stefan Kangas

--000000000000f3162c0594fae02c
Content-Type: application/octet-stream; 
	name="0001-Remove-support-for-more-than-one-mode-in-file-local-.patch"
Content-Disposition: attachment; 
	filename="0001-Remove-support-for-more-than-one-mode-in-file-local-.patch"
Content-Transfer-Encoding: base64
Content-ID: <f_k1sg1dki0>
X-Attachment-Id: f_k1sg1dki0

--000000000000f3162c0594fae02c--




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Received: (at 37656) by debbugs.gnu.org; 15 Oct 2019 22:27:39 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 15 18:27:39 2019
Received: from localhost ([127.0.0.1]:44960 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iKVI3-00059G-Gs
	for submit <at> debbugs.gnu.org; Tue, 15 Oct 2019 18:27:39 -0400
Received: from mail-pl1-f170.google.com ([209.85.214.170]:39222)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1iKVI0-00058z-7t
 for 37656 <at> debbugs.gnu.org; Tue, 15 Oct 2019 18:27:38 -0400
Received: by mail-pl1-f170.google.com with SMTP id s17so10258109plp.6
 for <37656 <at> debbugs.gnu.org>; Tue, 15 Oct 2019 15:27:36 -0700 (PDT)
X-Received: by 2002:a17:902:6b88:: with SMTP id
 p8mr35744379plk.251.1571178450268; 
 Tue, 15 Oct 2019 15:27:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAJw81dZZmX=z-YFDwvEkuWR6xH+cf=mR9h-fcZTphwdXWrA5wg@HIDDEN>
In-Reply-To: <CAJw81dZZmX=z-YFDwvEkuWR6xH+cf=mR9h-fcZTphwdXWrA5wg@HIDDEN>
From: Stefan Kangas <stefan@HIDDEN>
Date: Wed, 16 Oct 2019 00:27:18 +0200
Message-ID: <CADwFkmnqfbsEEWkWMA2xnN1O+-JsTcCKrSYv0e3g1+jXrxRY5g@HIDDEN>
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
To: adam plaice <plaice.adam+lists@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: 37656
Cc: 37656 <at> debbugs.gnu.org, Emacs developers <emacs-devel@HIDDEN>
X-Spam-Score: -0.7 (/)

adam plaice <plaice.adam+lists@HIDDEN> writes:

> Since the bug allows an attacker to execute arbitrary code if the
> victim opens a payload file, and hence opening any file from an
> untrusted source becomes dangerous, it seems to be rather
> serious.

Thanks for raising this here.  I agree that this is serious, and we
should treat it accordingly.

The below patch seems to fix it by disabling the feature it exploits.

A workaround is to add this to your init file:
(setq enable-local-variables nil)

Best regards,
Stefan Kangas


diff --git a/lisp/files.el b/lisp/files.el
index 40807617fa..550227b21a 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -3068,7 +3068,7 @@ set-auto-mode
           (if (save-excursion (search-forward ":" end t))
               ;; Find all specifications for the `mode:' variable
               ;; and execute them left to right.
-          (while (let ((case-fold-search t))
+        (when (let ((case-fold-search t))
                        (or (and (looking-at "mode:")
                                 (goto-char (match-end 0)))
                            (re-search-forward "[ \t;]mode:" end t)))
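
Review bot: The context comment directly above the changed line still says "Find all specifications for the `mode:' variable and execute them left to right", which stops being true once `while` becomes `when`; it should be updated to say that only the first `mode:` spec is honoured and to reference the bug number. The new `(when` line is also indented two columns less than the `(while` line it replaces, so the `(or` continuation lines under it no longer line up and should be re-indented. Nothing in the visible lines checks whether the one remaining `mode:` names a major mode, and any further `mode:` spec is now dropped silently; consider a message when a second one is skipped so the behaviour change is visible to users.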




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs. Full text available.

Message received at 37656 <at> debbugs.gnu.org:


Received: (at 37656) by debbugs.gnu.org; 15 Oct 2019 21:05:21 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 15 17:05:21 2019
Received: from localhost ([127.0.0.1]:44938 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iKU0O-0000ti-Sf
	for submit <at> debbugs.gnu.org; Tue, 15 Oct 2019 17:05:21 -0400
Received: from mail-lj1-f178.google.com ([209.85.208.178]:38686)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <plaiceadam@HIDDEN>) id 1iKU0N-0000tT-7p
 for 37656 <at> debbugs.gnu.org; Tue, 15 Oct 2019 17:05:19 -0400
Received: by mail-lj1-f178.google.com with SMTP id b20so21743917ljj.5
 for <37656 <at> debbugs.gnu.org>; Tue, 15 Oct 2019 14:05:19 -0700 (PDT)
X-Received: by 2002:a2e:7e0f:: with SMTP id z15mr21890324ljc.55.1571173512618; 
 Tue, 15 Oct 2019 14:05:12 -0700 (PDT)
MIME-Version: 1.0
From: adam plaice <plaice.adam+lists@HIDDEN>
Date: Tue, 15 Oct 2019 23:05:01 +0200
Message-ID: <CAJw81dZZmX=z-YFDwvEkuWR6xH+cf=mR9h-fcZTphwdXWrA5wg@HIDDEN>
Subject: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
To: emacs-devel@HIDDEN
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 37656
Cc: 37656 <at> debbugs.gnu.org
X-Spam-Score: -1.0 (-)

Since the bug allows an attacker to execute arbitrary code if the
victim opens a payload file, and hence opening any file from an
untrusted source becomes dangerous, it seems to be rather
serious.

The bug relies on the fact that flymake-mode can execute arbitrary
code, that minor modes (in particular, flymake-mode) can be set with
local variables (with `mode:') and that when a minor-mode is set in
this way, the major-mode is not unset. (See the linked bug or below
for details.)

I'm not sure whether I should be bringing greater attention to it,
but given that it's already in the open, and malicious actors can
find it (or just come up with it themselves, as it's not a particularly
complex idea), increasing the likelihood of getting it fixed hopefully
outweighs the disadvantages.

I'd offer to provide a patch, but I'm neither very proficient with
Emacs lisp, nor a security expert.  I also haven't signed any copyright
papers.


Some thoughts on potential solutions (from a well-intentioned, but
possibly misguided layman):

AFAICT the easiest way to prevent this specific bug would be to
prevent more than one mode being set by the file and directory
local-variables machinery.

Perhaps also only allowing major modes to be set with `mode' in local
variables (and only allowing minor-modes to be set with `eval', as is
already encouraged in the manual), might decrease the "attack surface"
for similar such attacks.

I'm not sure whether any major modes are "unsafe" (in the way flymake
is), but possibly it might make sense to mark major modes as safe,
similarly to the way variables are, though that would be a far more
extensive change.

Thank you,
Adam

PS Should Emacs have some policies on reporting security issues? I
was encouraged (via an earlier e-mail exchange) to post the bug to
debbugs, as normal, but it might perhaps be useful if the process
(specifically for security vulnerabilities, not bugs in general) were
mentioned in the manual.

> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=37656
>
> * To reproduce:
>
> 1. Create a file, say `~/foobar', (it could have an arbitrary
> extension) with the following contents:
>
> -*- mode: emacs-lisp; mode: flymake -*-
>
> (eval-when-compile
>   (with-temp-file "~/emacs_flymake_security_bug"
>       (insert "Could have also executed any code.")))
>
> 2. Open the file with emacs:
>
> emacs -Q ~/foobar
>
> 3. Inspect ~/emacs_flymake_security_bug:
>
> cat ~/emacs_flymake_security_bug
>
> * Expected result
>
> ~/emacs_flymake_security_bug does not exist.
>
> * Actual result
>
> ~/emacs_flymake_security_bug does exist.
>
> * Further information
>
> This relies on the "deprecated" feature of allowing `mode: ' to be
> repeated more than once, to also specify minor modes.  Just having:
>
> -*- mode: flymake -*-
>
> in, say, `~/foobar.el' would not trigger the security bug.  There may,
> however, be alternative ways of triggering it, that I haven't come up
> with.
>
>
> This was "inspired" by a very similar bug (concerning an external
> package, editorconfig), described here:
>
> https://illikainen.dev/blog/2019-10-06-editorconfig
>
> Thank you and best regards,
> Adam
>
>
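
The restriction proposed in this message (at most one `mode:` from file-local variables) can also be checked before a file is opened. The scanner below is an added example, not code from this thread or from Emacs; `RISKY_MODES`, the function names and the sample strings are assumptions constructed for illustration, and the parsing is a simplification of what Emacs does.

```python
import re

RISKY_MODES = {"flymake"}          # assumption: deny-list seeded from this report
COOKIE = re.compile(r"-\*-(.*?)-\*-")

def cookie_modes(text):
    """Modes named in the -*- ... -*- line (line 1, or line 2 after a '#!' line)."""
    lines = text.splitlines()[:2]
    if lines and not lines[0].startswith("#!"):
        lines = lines[:1]
    for line in lines:
        m = COOKIE.search(line)
        if not m:
            continue
        body = m.group(1).strip()
        if ":" not in body:                      # shorthand form: -*- emacs-lisp -*-
            return [body.lower()] if body else []
        pairs = (item.partition(":") for item in body.split(";"))
        return [v.strip().lower() for k, sep, v in pairs
                if sep and k.strip().lower() == "mode"]
    return []

def trailer_modes(text):
    """Modes named in a 'Local Variables:' ... 'End:' block in the last 3000 chars."""
    tail = text[-3000:]
    start = tail.rfind("Local Variables:")
    if start < 0:
        return []
    prefix = tail[tail.rfind("\n", 0, start) + 1:start]   # e.g. ";; "
    modes = []
    for line in tail[start:].splitlines()[1:]:
        entry = line[len(prefix):] if line.startswith(prefix) else line
        key, sep, val = entry.partition(":")
        if key.strip().lower() == "end":
            break
        tok = val.split()
        if sep and key.strip().lower() == "mode" and tok:
            modes.append(tok[0].lower())
    return modes

def audit(text):
    """Flag repeated `mode:` entries and any deny-listed mode name."""
    modes = cookie_modes(text) + trailer_modes(text)
    findings = ["multiple-modes"] if len(modes) > 1 else []
    risky = sorted(set(modes) & RISKY_MODES)
    return findings + (["risky-mode:" + ",".join(risky)] if risky else [])

# Constructed samples: the header line from the report with a harmless body,
# and the same pair of modes placed in a trailer block.
SAMPLE_REPORTED = '-*- mode: emacs-lisp; mode: flymake -*-\n\n(message "constructed")\n'
SAMPLE_TRAILER = ";; x\n\n;; Local Variables:\n;; mode: emacs-lisp\n;; mode: flymake\n;; End:\n"
```

A deny-listed name is reported even when it is the only `mode:` entry, which is stricter than the behaviour described in the report.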




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs.
Changed bug title to '27.0.50; Arbitrary code execution with special `mode:'' from '27.0.50; Opening file with special local variables'. Request was from adam plaice <plaice.adam+lists@HIDDEN> to control <at> debbugs.gnu.org.
Changed bug title to '27.0.50; Opening file with special local variables' from '27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution Inbox x'. Request was from adam plaice <plaice.adam+lists@HIDDEN> to control <at> debbugs.gnu.org.
Added tag(s) security. Request was from Glenn Morris <rgm@HIDDEN> to control <at> debbugs.gnu.org.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 8 Oct 2019 08:48:55 +0000
From: adam plaice <plaice.adam+lists@HIDDEN>
Date: Tue, 8 Oct 2019 10:48:32 +0200
Message-ID: <CAJw81da4=R1jMJ0enx6SbO7G1rzaL61K2kqbY+jxhe=AM-3vtQ@HIDDEN>
Subject: 27.0.50; Opening file with specially crafted local variables can
 cause arbitrary code execution Inbox x
To: bug-gnu-emacs@HIDDEN

* To reproduce:

1. Create a file, say `~/foobar', (it could have an arbitrary
extension) with the following contents:

-*- mode: emacs-lisp; mode: flymake -*-

(eval-when-compile
  (with-temp-file "~/emacs_flymake_security_bug"
      (insert "Could have also executed any code.")))

2. Open the file with emacs:

emacs -Q ~/foobar

3. Inspect ~/emacs_flymake_security_bug:

cat ~/emacs_flymake_security_bug

* Expected result

~/emacs_flymake_security_bug does not exist.

* Actual result

~/emacs_flymake_security_bug does exist.

* Further information

This relies on the "deprecated" feature of allowing `mode: ' to be
repeated more than once, to also specify minor modes.  Just having:

-*- mode: flymake -*-

in, say, `~/foobar.el' would not trigger the security bug.  There may,
however, be alternative ways of triggering it, that I haven't come up
with.


This was "inspired" by a very similar bug (concerning an external
package, editorconfig), described here:

https://illikainen.dev/blog/2019-10-06-editorconfig

Thank you and best regards,
Adam


In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.18.9)
 of 2019-10-07 built on adam
Repository revision: 9839466b231b6384055b9b137405730876413cbe
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.11804000
System Description: Ubuntu 16.04.6 LTS

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-pop'

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND GPM DBUS GSETTINGS GLIB NOTIFY INOTIFY
ACL LIBSELINUX GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS PDUMPER LCMS2 GMP

Important settings:
  value of $LANG: en_GB.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message rmc puny dired dired-loaddefs
format-spec rfc822 mml easymenu mml-sec password-cache epa derived epg
epg-config gnus-util rmail rmail-loaddefs text-property-search time-date
subr-x seq byte-opt gv bytecomp byte-compile cconv mm-decode mm-bodies
mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader cl-loaddefs
cl-lib sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel term/x-win x-win term/common-win x-dnd tool-bar dnd fontset image
regexp-opt fringe tabulated-list replace newcomment text-mode elisp-mode
lisp-mode prog-mode register page tab-bar menu-bar rfn-eshadow isearch
timer select scroll-bar mouse jit-lock font-lock syntax facemenu
font-core term/tty-colors frame cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese composite charscript charprop case-table epa-hook
jka-cmpr-hook help simple abbrev obarray minibuffer cl-preloaded nadvice
loaddefs button faces cus-face macroexp files text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote threads dbusbind inotify lcms2
dynamic-setting system-font-setting font-render-setting move-toolbar gtk
x-toolkit x multi-tty make-network-process emacs)

Memory information:
((conses 16 44045 5448)
 (symbols 48 5971 1)
 (strings 32 15685 1582)
 (string-bytes 1 506409)
 (vectors 16 9198)
 (vector-slots 8 123144 8510)
 (floats 8 19 25)
 (intervals 56 186 0)
 (buffers 1000 11)
 (heap 1024 12431 1138))




Acknowledgement sent to adam plaice <plaice.adam+lists@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#37656; Package emacs.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.