Message-ID: <14c3bf23-eadb-475d-9fd7-d4f97e70c7a1@gmail.com>
Date: Sun, 2 Mar 2025 01:17:52 +0700
From: Max Nikulin <manikulin@...il.com>
To: Henrik Ahlgren <pablo@...stieto.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: GNU Emacs 30.1 released with 2 CVE fixes

>>>> - Disable auto-completion features in untrusted .el files
>>>> - UPDATE: Also set enable-local-eval to nil
>>
> Max Nikulin writes:
>> It should work, however it is a rather drastic measure that may cause
>> inconvenience.

It is more tricky. At least in Emacs-28, enable-local-eval helps to
mitigate the variant from the blog post

;; -*- eval: (flymake-mode 1) -*-

however the user option has no effect for the case reported in the Emacs
bug#37656 ("deprecated" feature)

;; -*- mode: emacs-lisp; mode: flymake -*-

Neither

emacs -Q --eval '(setq enable-local-eval nil)' poc.txt

nor

emacs -Q --eval '(setq enable-local-variables :safe)' poc.txt

prevents execution of code from the file. Unfortunately

emacs -Q --eval '(setq enable-local-variables nil)' poc.txt

or a similar form in init.el disables file-specific major modes as well.
So "mode: outline" is ignored in files like "NEWS".

enable-local-eval affects "eval: (...)", but not "mode: ...". These
settings are described in
<https://www.gnu.org/software/emacs/manual/html_node/emacs/Safe-File-Variables.html>
and in doc strings
<https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/files.el?h=emacs-30.1#n669>

So setting enable-local-variables to nil is a better recommendation, but
the price is inconvenience. An attack cannot be prevented by setting
enable-local-eval.

On 01/03/2025 19:39, Henrik Ahlgren wrote:
> I wanted to point out an interesting aspect of Emacs file local
> variables. It may be surprising to some that including `-*-
> eval:(foobar-mode) -*-` at the beginning of a file will happily evaluate
> the specified function, regardless of whether it is an "actual" minor
> mode created with `define-minor-mode'. The only requirement is that the
> name ends with "-mode."
>
> This raises some questions about potential security implications.

The language encourages this kind of trick. Function names at least have
to have the -mode suffix.

In the case of CVE-2025-1244, the "man:" URL scheme causes an attempt to
load url-man.el (which does not exist) and then a call to the url-man
function from url-misc.el; see url-scheme-get-property in
lisp/url/url-methods.el. The url package is a mix of functions
implementing some URL schemes (url-info, url-http, etc.), API functions,
and helpers having url-* names. There are no settings in url similar to
browse-url-handlers and eww-use-browse-url that define explicit mapping
(e.g. to browse-url-man) and limit schemes available through
browse-url.el.
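As an added defender-side check, written for this page and not part of the message above or of Emacs itself: a Python script that parses the same file-local variable syntax Emacs honours, the `-*- ... -*-` property line and the trailing `Local Variables:` block, and lists every `eval:` and `mode:` entry together with the function each would make Emacs call, so a file from an untrusted source can be inspected before it is opened. The sample inputs are constructed; the first two reproduce the two property lines quoted in the message. The shebang rule (the second line is checked when the first starts with `#!`) and the rule that `mode: NAME` calls `NAME-mode` follow the Emacs manual; the parser deliberately simplifies Emacs' behaviour (it ignores the 3000-character search limit for the trailing block and treats every `;` as a separator), and the function names `parse_prop_line`, `parse_local_variables_block` and `risky_entries` are my own.

```python
"""Triage check for Emacs file-local variables in files of untrusted origin.

Emacs reads a "-*- ... -*-" property line (first line, or second line when
the first is a "#!" line) and a "Local Variables:" block near the end of a
file.  An "eval:" entry evaluates arbitrary Lisp and is gated by
enable-local-eval; a "mode:" entry makes Emacs call NAME-mode, which
enable-local-eval does not gate (only enable-local-variables nil does).
This script lists both so a reviewer sees what opening the file would run.
"""
import re

PROP_LINE_RE = re.compile(r"-\*-\s*(.*?)\s*-\*-")


def _split_pairs(body):
    """Split 'var: value; var2: value2' into (var, value) tuples.

    Simplification: every ';' is treated as a separator, so an eval form
    that itself contains ';' is split apart (reported, but not verbatim).
    """
    pairs = []
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        var, sep, val = item.partition(":")
        if not sep:
            # A bare word, e.g. "-*- lisp -*-", is read by Emacs as a mode name.
            var, val = "mode", var
        pairs.append((var.strip(), val.strip()))
    return pairs


def parse_prop_line(text):
    """Return the (var, value) pairs of the -*- line Emacs would honour, or []."""
    lines = text.splitlines()
    if not lines:
        return []
    # Emacs looks at line 1, or line 2 when line 1 is a shebang line.
    candidates = lines[:2] if lines[0].startswith("#!") else lines[:1]
    for line in candidates:
        m = PROP_LINE_RE.search(line)
        if m:
            return _split_pairs(m.group(1))
    return []


def parse_local_variables_block(text):
    """Return (var, value) pairs from a trailing 'Local Variables:' block, or []."""
    lines = text.splitlines()
    start, prefix, suffix = None, "", ""
    for i, line in enumerate(lines):
        idx = line.find("Local Variables:")
        if idx != -1:
            # Text before/after the marker is the prefix/suffix every
            # following line of the block must carry (e.g. "# " or "/* ... */").
            start, prefix = i, line[:idx]
            suffix = line[idx + len("Local Variables:"):]
    if start is None:
        return []
    pairs = []
    for line in lines[start + 1:]:
        if not (line.startswith(prefix) and line.endswith(suffix)):
            continue
        inner = line[len(prefix):len(line) - len(suffix)].strip()
        if inner == "End:":
            break
        var, sep, val = inner.partition(":")
        if sep:
            pairs.append((var.strip(), val.strip()))
    return pairs


def risky_entries(text):
    """Describe what Emacs would run for each eval:/mode: entry in TEXT.

    Returns a list of (kind, detail) tuples:
      ("eval", "<form>")       gated by enable-local-eval
      ("mode", "<name>-mode")  function called; not gated by enable-local-eval
    """
    findings = []
    for var, val in parse_prop_line(text) + parse_local_variables_block(text):
        if var == "eval":
            findings.append(("eval", val))
        elif var == "mode":
            name = val if val.endswith("-mode") else val + "-mode"
            findings.append(("mode", name))
    return findings


# Constructed samples (not files from the original post); the first two
# mirror the two property lines discussed in the message above.
SAMPLE_EVAL = ";; -*- eval: (flymake-mode 1) -*-\n(message \"hello\")\n"
SAMPLE_MODE = ";; -*- mode: emacs-lisp; mode: flymake -*-\n(message \"hello\")\n"
SAMPLE_SHEBANG = "#!/bin/sh\n# -*- sh -*-\necho hi\n"
SAMPLE_BLOCK = "some text\n# Local Variables:\n# mode: org\n# eval: (setq foo 1)\n# End:\n"

if __name__ == "__main__":
    for label, sample in [("eval", SAMPLE_EVAL), ("mode", SAMPLE_MODE),
                          ("shebang", SAMPLE_SHEBANG), ("block", SAMPLE_BLOCK)]:
        print(label, risky_entries(sample))
```

Run it against a file with `risky_entries(open(path).read())`; a non-empty result for a file you did not write is the signal to open it with `enable-local-variables` set to nil (or with `emacs -Q --eval '(setq enable-local-variables nil)'`), since, as the message notes, `enable-local-eval` alone only covers the `eval:` entries.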