On Fri, 29 Nov 2024 17:20:00 +0100 Moritz Mühlenhoff wrote:
The following vulnerability was published for emacs. This is no fix
and this is a long-standing issue, so mostly filing a bug for
transparency for now:
CVE-2024-53920[0]:
[...]
https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
Maybe it is time to evaluate whether it is feasible to issue security
updates, since the blog post has been updated:
Emacs 30 will ship with mitigations in place
The Emacs maintainers have implemented a safety mechanism which disables
Flymake and code completion induced macro-expansion in untrusted files.
This is already included in the latest Emacs 30 “pretest” release,
version 30.0.93.
b5158bd1914 2024-12-10 16:26:31 -0500 Stefan Monnier:
elisp-mode.el: Disable Flymake byte-compile backend in untrusted files
8b6c6cffd1f 2024-12-15 17:05:55 -0500 Stefan Monnier:
trusted-content: Adjust the last patch based on preliminary feedback
b9dc337ea74 2024-12-16 09:27:01 -0500 Stefan Monnier:
* lisp/files.el (trusted-content-p): Make `:all` work in non-file buffers
8a0c9c234f1 2024-12-18 19:57:13 +0200 Eli Zaretskii:
Document 'trusted-content
I have not tried to look closely at these patches. Perhaps the code has
been changed due to
Richard Stallman to emacs-devel. Please rename trusted-content ... to
trusted-code. Tue, 31 Dec 2024 23:10:37 -0500.
<https://yhetil.org/emacs-devel/[email protected]/>
<https://lists.gnu.org/archive/html/emacs-devel/2024-12/msg01641.html>
I find the issue rather weird, though I believe the following score is
too high (I expect that user interaction is required):
https://nvd.nist.gov/vuln/detail/CVE-2024-53920
ADP: CISA-ADP 12/02/2024 12:15:13 PM
Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The real issue is that it is not specific to .el files and users do not
need to have flymake enabled in their config or to invoke
autocompletion. It is enough to open an "innocent" README file with e.g.
---- 8< ----
; -*- mode: emacs-lisp; mode: flymake; -*-
(eval-and-compile
  (shell-command
   "emacs -Q --eval '(insert \"CVE-2024-53920: vulnerable\")'"))
---- >8 ----
I do not think that the suggestion to set `enable-local-eval' to nil is
viable since it disables *all* file local variables; however, I do not
see a better one. I am unsure whether it is possible to reset the
`flymake-diagnostic-functions' hook to an empty list.
Setting `flymake-start-on-flymake-mode' is a weak measure.
The code is executed on any change.
Due to the following message, I do not expect any advertisement from the
developers until the Emacs 30 release:
Eli Zaretskii to emacs-devel.
Re: Emacs Arbitrary Code Execution and How to Avoid It.
Mon, 09 Dec 2024 15:59:21 +0200.
<https://yhetil.org/emacs-devel/[email protected]>
<https://lists.gnu.org/archive/html/emacs-devel/2024-12/msg00347.html>
The issue is described as a known one in comments to
<https://debbugs.gnu.org/37656>
27.0.50; Arbitrary code execution with special `mode:'
Tue, 8 Oct 2019 08:49:02 UTC
It seems this bug was not mentioned in recent discussions. Besides the
threads mentioned above, there was
Eshel Yaron to emacs-devel.
CVE-2024-53920 Emacs arbitrary code execution via unsafe macro-expansion.
Wed, 27 Nov 2024 08:02:35 +0100.
<https://yhetil.org/emacs-devel/[email protected]>
<https://lists.gnu.org/archive/html/emacs-devel/2024-11/msg00749.html>
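As an added example, not code from this thread or from Emacs itself: an init-file snippet for releases that predate the `trusted-content' mechanism. It removes the byte-compiling Flymake backend from the buffer-local `flymake-diagnostic-functions' unless the visited file lives under an allow-listed directory; `my/trusted-elisp-dirs', `my/trusted-elisp-buffer-p' and `my/restrict-elisp-flymake' are names assumed here, and the directory values are examples.

```elisp
;; Added example (not Emacs code): emulate the Emacs 30 trusted-content
;; allow-list on older releases.  Only `elisp-flymake-byte-compile'
;; byte-compiles the buffer, which is what evaluates `eval-and-compile'
;; forms; `elisp-flymake-checkdoc' is left alone since it only reads text.
(require 'seq)

(defvar my/trusted-elisp-dirs
  (list (expand-file-name "~/.emacs.d/")
        (expand-file-name "~/src/my-project/"))
  "Directories whose Emacs Lisp files Flymake may byte-compile.
Assumed example values; point these at your own trusted locations.")

(defun my/trusted-elisp-buffer-p ()
  "Return non-nil if the current buffer visits a file under a trusted dir.
Buffers that visit no file (e.g. *scratch*) are treated as untrusted."
  (let ((file (buffer-file-name)))
    (and file
         (seq-some (lambda (dir) (file-in-directory-p file dir))
                   my/trusted-elisp-dirs))))

(defun my/restrict-elisp-flymake ()
  "Drop the byte-compile Flymake backend in untrusted Emacs Lisp buffers.
`emacs-lisp-mode' installs its backends buffer-locally before running
`emacs-lisp-mode-hook', and a `mode: flymake' spec in the -*- line only
turns Flymake on after the major mode (hooks included) has finished, so
removing the backend here happens before any check can start."
  (unless (my/trusted-elisp-buffer-p)
    (remove-hook 'flymake-diagnostic-functions
                 #'elisp-flymake-byte-compile
                 t)))   ; t = modify the buffer-local hook value only

;; `add-hook' prepends by default, so this runs before any hook function
;; added earlier that might itself enable `flymake-mode'.
(add-hook 'emacs-lisp-mode-hook #'my/restrict-elisp-flymake)
```

This only guards the byte-compile backend; any other backend or hook that evaluates buffer contents needs the same `my/trusted-elisp-buffer-p' check.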