
oss-sec mailing list archives
Re: Re: GNU Emacs 30.1 released with 2 CVE fixes
From: Max Nikulin <manikulin () gmail com>
Date: Sun, 2 Mar 2025 01:17:52 +0700
>> - Disable auto-completion features in untrusted .el files
>> - UPDATE: Also set enable-local-eval to nil
>
> Max Nikulin writes:
>> It should work, however it is a rather drastic measure that may cause inconvenience.

It is more tricky. At least in Emacs-28, enable-local-eval helps to mitigate the variant from the blog post

;; -*- eval: (flymake-mode 1) -*-

however the user option has no effect for the case reported in the Emacs bug#37656 ("deprecated" feature)

;; -*- mode: emacs-lisp; mode: flymake -*-

Neither

emacs -Q --eval '(setq enable-local-eval nil)' poc.txt

nor

emacs -Q --eval '(setq enable-local-variables :safe)' poc.txt

prevents execution of code from the file. Unfortunately

emacs -Q --eval '(setq enable-local-variables nil)' poc.txt

or a similar form in init.el disables file-specific major modes as well. So "mode: outline" is ignored in files like "NEWS". enable-local-eval affects "eval: (...)", but not "mode: ...". These settings are described in
<https://www.gnu.org/software/emacs/manual/html_node/emacs/Safe-File-Variables.html>
and in doc strings
<https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/files.el?h=emacs-30.1#n669>

So setting enable-local-variables to nil is a better recommendation, but the price is inconvenience. An attack cannot be prevented by setting enable-local-eval.
On 01/03/2025 19:39, Henrik Ahlgren wrote:
> I wanted to point out an interesting aspect of Emacs file local variables. It may be surprising to some that including `-*- eval:(foobar-mode) -*-` at the beginning of a file will happily evaluate the specified function, regardless of whether it is an "actual" minor mode created with `define-minor-mode'. The only requirement is that the name ends with "-mode." This raises some questions about potential security implications.

The language encourages this kind of trick. Function names at least have to have the -mode suffix. In the case of CVE-2025-1244, the "man:" URL scheme causes an attempt to load url-man.el (which does not exist), then a call to the url-man function from url-misc.el; see url-scheme-get-property in lisp/url/url-methods.el. The url package is a mix of functions implementing some URL schemes (url-info, url-http, etc.), API functions, and helpers having url-* names. There are no settings in url similar to browse-url-handlers and eww-use-browse-url that define an explicit mapping (e.g. to browse-url-man) and limit the schemes available through browse-url.el.
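An added example, not part of this thread or of Emacs itself: a small Python triage script that pulls the `eval:` and `mode:` entries out of a file's `-*- ... -*-` prop line and tags each one with the setting that, according to the observations above, stops it from running. Names such as `triage` and `Finding` are hypothetical; the parser follows the prop-line rules from files.el (first line, or the second after a `#!` line; a line without a colon names a mode), and the `BLOCKED_BY` table only restates what the messages above report, not a general guarantee for every Emacs version.

```python
import re
from dataclasses import dataclass

# Emacs reads the prop line from the first line, or from the second when the
# first is a "#!" interpreter line (hack-local-variables-prop-line, files.el).
PROP_LINE_RE = re.compile(r"-\*-\s*(.*?)\s*-\*-")

# Which setting stops each kind of entry, as observed in this thread:
# "eval:" honours enable-local-eval; "mode:" ignores it (and :safe), and only
# enable-local-variables nil blocks it, at the price of losing major modes.
BLOCKED_BY = {
    "eval": ("enable-local-eval nil", "enable-local-variables nil"),
    "mode": ("enable-local-variables nil",),
}

@dataclass
class Finding:
    kind: str          # "eval" or "mode"
    value: str         # the Lisp form or mode name taken from the file
    blocked_by: tuple  # settings that stop it from running

def split_items(body):
    """Split 'a: 1; b: (x y)' on ';' but not inside parentheses."""
    items, cur, depth = [], [], 0
    for ch in body:
        depth += (ch == "(") - (ch == ")")
        if ch == ";" and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]

def parse_prop_line(text):
    """Return (name, value) pairs from the -*- ... -*- line of TEXT, or []."""
    lines = text.splitlines()
    if lines and lines[0].startswith("#!"):
        lines = lines[1:]
    m = PROP_LINE_RE.search(lines[0]) if lines else None
    if not m:
        return []
    body = m.group(1)
    if ":" not in body:  # bare "-*- lisp -*-" names a major mode
        return [("mode", body.strip())] if body.strip() else []
    return [tuple(s.strip() for s in item.partition(":")[::2])
            for item in split_items(body)]

def triage(text):
    """List prop-line entries that make Emacs call a function on visiting the file."""
    return [Finding(name, value, BLOCKED_BY[name])
            for name, value in parse_prop_line(text) if name in BLOCKED_BY]
```

Run `triage()` over the first few hundred bytes of each file before opening untrusted input in Emacs; a `mode` finding is the case that `enable-local-eval` does not cover.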
Current thread:
- GNU Emacs 30.1 released with 2 CVE fixes Alan Coopersmith (Feb 26)
- Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Feb 27)
- Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Henrik Ahlgren (Mar 01)
- Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Mar 01)
- Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Henrik Ahlgren (Mar 01)
- Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Feb 27)