https://lists.gnu.org/archive/html/info-gnu/2025-02/msg00009.html
announces the release of GNU Emacs 30.1.  Among the changes listed in
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30.1
are these notes:

** Fix shell injection vulnerability in man.el (CVE-2025-1244).
We urge all users to upgrade immediately.

This was reported in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390

** New user option 'trusted-content' to allow potentially dangerous features.
This option lists those files and directories whose content Emacs should
consider as sufficiently trusted to run any part of the code contained
therein even without any explicit user request.

For example, Flymake's backend for Emacs Lisp consults this option
and disables itself with an "untrusted content" warning if the file
is not listed.

Emacs Lisp authors should note that a major or minor mode must never set
this option to the ':all' value.

This option is used to fix CVE-2024-53920.  See below for details.
[...]
*** 'elisp-flymake-byte-compile' is disabled for untrusted files.
For security reasons, this backend can be used only in those files
specified as trusted according to 'trusted-content' and emits an
"untrusted content" warning otherwise.
This fixes CVE-2024-53920.

CVE-2024-53920 is further described in
https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
which offers this "TL;DR" summary:

Viewing or editing Emacs Lisp code in Emacs can run arbitrary code.
The vulnerability stems from unsafe Lisp macro-expansion, which runs
unrestricted Emacs Lisp code. Most common configurations are
vulnerable (see details below). The best security measures are:

- Avoid visiting untrusted .el files in Emacs
- Disable automatic error checking (with Flymake or Flycheck) in untrusted .el files
- Disable auto-completion features in untrusted .el files
- UPDATE: Also set enable-local-eval to nil

This is a long-standing vulnerability which has been known for several
years, but has not been addressed thus far. Emacs maintainers are
working on countermeasures that will hopefully make their way into
future Emacs versions. This advisory is intended to help users of
existing Emacs versions protect themselves.

UPDATE: Mitigations are implemented in Emacs 30.

--
        -Alan Coopersmith-                 alan.coopersm...@oracle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
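
The settings named in the notes above, as an init-file sketch. This is an added example, not part of the original message, the Emacs NEWS file, or the linked advisory. The directory names and the `my/` helpers are hypothetical; `trusted-content`, `enable-local-eval` and `elisp-flymake-byte-compile` are the names used in the quoted text.

```elisp
;; Added example; the directory names below are hypothetical placeholders.
(require 'seq)

;; Emacs 30.1 and later: list only code you wrote or have reviewed.
;; An entry ending in "/" trusts every file under that directory.
(when (boundp 'trusted-content)
  (setq trusted-content '("~/.emacs.d/lisp/" "~/src/my-elisp/")))
;; Weak setting to avoid: (setq trusted-content :all) trusts every file.

;; All versions: never evaluate `eval:' file-local variables.
(setq enable-local-eval nil)

;; Emacs older than 30.1 has no `trusted-content'; approximate its effect by
;; dropping the byte-compiling Flymake backend outside reviewed directories.
(defvar my/reviewed-elisp-dirs '("~/.emacs.d/lisp/" "~/src/my-elisp/")
  "Hypothetical list of directories whose Emacs Lisp may be byte-compiled.")

(defun my/reviewed-elisp-file-p (file)
  "Return non-nil if FILE lies under one of `my/reviewed-elisp-dirs'."
  (and file
       (let ((true (file-truename file)))
         (seq-some (lambda (dir)
                     (string-prefix-p
                      (file-name-as-directory
                       (file-truename (expand-file-name dir)))
                      true))
                   my/reviewed-elisp-dirs))))

(defun my/restrict-elisp-flymake ()
  "Remove `elisp-flymake-byte-compile' in buffers visiting unreviewed files.
Buffers that visit no file are treated as unreviewed."
  (unless (or (boundp 'trusted-content)   ; Emacs 30.1+ enforces this itself
              (my/reviewed-elisp-file-p buffer-file-name))
    (remove-hook 'flymake-diagnostic-functions
                 #'elisp-flymake-byte-compile t)))

(add-hook 'emacs-lisp-mode-hook #'my/restrict-elisp-flymake)
```

This covers the Flymake and `enable-local-eval` items only; Flycheck and auto-completion packages have their own settings and are not handled here.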
