oss-sec mailing list archives
Re: GNU Emacs 30.1 released with 2 CVE fixes
From: Max Nikulin <manikulin () gmail com>
Date: Thu, 27 Feb 2025 22:27:27 +0700
On 27/02/2025 06:45, Alan Coopersmith wrote:
** Fix shell injection vulnerability in man.el (CVE-2025-1244). We urge all users to upgrade immediately.
This was reported in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390
Reading <https://bugzilla.redhat.com/show_bug.cgi?id=2345150> I have realized that org-link was not the only package that did not follow (from #66390):
"'man' is an interactive command, so it should not second-guess the user who invokes it. Commands that call 'man' non-interactively should make sure they call 'man' with a valid argument, especially when the argument comes from some file."
Fortunately, finally it was fixed in man.el, so other callers are not affected any more as well.
CVE-2024-53920 is further described in https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
[...]
- Avoid visiting untrusted .el files in Emacs
Do not open *any* file that you do not trust. The issue is not specific to files having the .el suffix. In the default configuration, emacs-lisp mode may be forced by specifying file-local variables inside a file.
- Disable automatic error checking (with Flymake or Flycheck) in untrusted .el files
Disabling flymake may be tricky. File-local variables allow forcing it (in the default configuration).
- Disable auto-completion features in untrusted .el files
- UPDATE: Also set enable-local-eval to nil
It should work, however it is a rather drastic measure that may cause inconvenience.
It is funny that a similar suggestion was published in the previous century.
Simson Garfinkel, Gene Spafford. Practical UNIX & Internet Security. 1996. Chapter 11 Protecting Against Programmed Threats:
Another possible source of initialization errors comes into play
when you edit files that have embedded edit commands. Both vi/ex
and Emacs allow you to embed editor commands within text files so
they are automatically executed whenever you edit the file. For
this to work, they must be located in the first few or last few
lines of the file.
To disable this feature in Emacs, place one of these lines in your .emacs file:
(setq inhibit-local-variables t) ; emacs version 18
or:
(setq enable-local-variables "ask") ; emacs version 19 and above
The following bugs have not been marked as fixed for some reason, but from my point of view, the original reports prominently highlight the risk of CVE-2024-53920.
- <https://debbugs.gnu.org/37656> Tue, 8 Oct 2019 08:49:02 UTC Arbitrary code execution with special `mode:'
- <https://debbugs.gnu.org/32495> Wed, 22 Aug 2018 00:13:02 UTC Arbitrary code execution when completing inside untrusted elisp code
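The message above notes that file-local variables can force emacs-lisp mode or Flymake regardless of a file's suffix. The following is an added example, not part of the original message or of Emacs: a Python pre-open check that reports such settings in a file's `-*-` line and `Local Variables:` list. The names `scan`, `classify`, `WATCHED_MODES` and `SAMPLE` are hypothetical, and the watched mode list is an assumption.

```python
import re

# Emacs honours "-*- ... -*-" on the first line (the second if the first
# starts with "#!") and a "Local Variables:" list in the last 3000 characters.
PROP_LINE = re.compile(r"-\*-(.*?)-\*-")
LOCAL_VARS = re.compile(r"^(.*?)Local Variables:(.*)$", re.I | re.M)
# Assumption: illustrative set of modes tied to the mitigations in this thread.
WATCHED_MODES = {"emacs-lisp", "lisp-interaction", "flymake", "flycheck"}
# Constructed sample: a text file whose first line forces emacs-lisp mode.
SAMPLE = "-*- mode: emacs-lisp -*-\nnotes\n"


def classify(name, value):
    """Return a finding string for one `name: value` pair, or None."""
    name, value = name.strip().lower(), value.strip()
    if name == "eval":
        return "eval form"
    mode = value.lower().removesuffix("-mode")
    if name == "mode" and mode in WATCHED_MODES:
        return "mode " + mode
    return None


def scan(text):
    """List file-local settings in `text` that force watched modes or eval."""
    found = []
    lines = text.lstrip(" \t\n").splitlines()
    head = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in head:
        m = PROP_LINE.search(line)
        if m:
            body = m.group(1)
            if ":" not in body:  # "-*- emacs-lisp -*-" is shorthand for mode
                body = "mode:" + body
            for item in body.split(";"):
                name, _, value = item.partition(":")
                found.append(("first line", classify(name, value)))
    tail = text[-3000:]
    blocks = list(LOCAL_VARS.finditer(tail))
    if blocks:
        m = blocks[-1]  # use the last list if the marker appears more than once
        pre, suf = m.group(1).strip(), m.group(2).strip()
        for line in tail[m.end():].splitlines():
            entry = line.strip().removeprefix(pre).removesuffix(suf).strip()
            if entry.lower().startswith("end:"):
                break
            name, _, value = entry.partition(":")
            found.append(("local variables", classify(name, value)))
    return [(where, what) for where, what in found if what]
```

An empty result from `scan` only means none of the watched settings were found; it does not make an untrusted file safe to open.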
