oss-sec mailing list archives

Max Nikulin <manikulin () gmail com> writes:

- Disable auto-completion features in untrusted .el files
- UPDATE: Also set enable-local-eval to nil

It should work, however it is rather drastic measure that may cause
inconvenience.

I wanted to point out an interesting aspect of Emacs file local
variables. It may be surprising to some that including `-*-
eval:(foobar-mode) -*-` at the beginning of a file will happily evaluate
the specified function, regardless of whether it is an "actual" minor
mode created with `define-minor-mode'. The only requirement is that the
name ends with "-mode."

This raises some questions about potential security implications. While
I'm not certain how relevant this is or in what scenarios it could be
exploited (if an attacker can define a new function, it's obviously
game-over no matter what), it certainly feels concerning. Some users may
expect the `-mode` convention to apply solely to well-known, built-in
minor modes in Emacs, not for instance the user's own custom Lisp.

Current thread:

• GNU Emacs 30.1 released with 2 CVE fixes Alan Coopersmith (Feb 26)
  • Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Feb 27)
    • Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Henrik Ahlgren (Mar 01)
      • Re: Re: GNU Emacs 30.1 released with 2 CVE fixes Max Nikulin (Mar 01)