Message-ID: <5215a75e-e20c-46f3-adca-471b04e1dbab@gmail.com>
Date: Thu, 27 Feb 2025 22:27:27 +0700
From: Max Nikulin <manikulin@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: GNU Emacs 30.1 released with 2 CVE fixes

On 27/02/2025 06:45, Alan Coopersmith wrote:
>
>> ** Fix shell injection vulnerability in man.el (CVE-2025-1244).
>> We urge all users to upgrade immediately.
>
> This was reported in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390

Reading <https://bugzilla.redhat.com/show_bug.cgi?id=2345150> I have
realized that org-link was not the only package that did not follow
(from #66390):

"'man' is an interactive command, so it should not second-guess the
user who invokes it. Commands that call 'man' non-interactively should
make sure they call 'man' with a valid argument, especially when the
argument comes from some file."

Fortunately, finally it was fixed in man.el, so other callers are not
affected any more as well.

> CVE-2024-53920 is further described in
> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-
> and-how-to-avoid-it.html
[...]
>> - Avoid visiting untrusted .el files in Emacs

Do not open *any* file that you do not trust. The issue is not specific
to files having .el suffix. In the default configuration emacs-lisp mode
may be forced by specifying file-local variables inside a file.

>> - Disable automatic error checking (with Flymake or Flycheck) in
>> untrusted .el files

Disabling flymake may be tricky. File-local variables allow forcing it
(in the default configuration).

>> - Disable auto-completion features in untrusted .el files
>> - UPDATE: Also set enable-local-eval to nil

It should work, however it is a rather drastic measure that may cause
inconvenience. It is funny that a similar suggestion was published in
the previous century.

Simson Garfinkel, Gene Spafford. Practical UNIX & Internet Security.
1996. Chapter 11 Protecting Against Programmed Threats:

> Another possible source of initialization errors comes into play
> when you edit files that have embedded edit commands. Both vi/ex
> and Emacs allow you to embed editor commands within text files so
> they are automatically executed whenever you edit the file. For
> this to work, they must be located in the first few or last few
> lines of the file.
>
> To disable this feature in Emacs, place one of these lines in your .emacs file:
>   (setq inhibit-local-variables t)  ; emacs version 18
> or:
>   (setq enable-local-variables "ask") ; emacs version 19 and above

The following bugs have not been marked as fixed for some reason, but
from my point of view, original reports prominently highlight risk of
CVE-2024-53920.

- <https://debbugs.gnu.org/37656> Tue, 8 Oct 2019 08:49:02 UTC
  Arbitrary code execution with special `mode:'
- <https://debbugs.gnu.org/32495> Wed, 22 Aug 2018 00:13:02 UTC
  Arbitrary code execution when completing inside untrusted elisp code
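
Added example, not part of the original message and not code from Emacs: a pre-open check that lists the file-local variables a file declares, whatever its suffix, and flags `mode:` and `eval:` entries for review. The function names, the review policy and the sample text are assumptions made for illustration, and the parsing is a simplified reading of Emacs's rules (first line, or second after a `#!` line, plus a "Local Variables:" list starting within the last 3000 characters).

```python
import re

REVIEW = {"mode", "eval"}  # entries that pick a mode or evaluate code (assumed policy)

def _pairs(body):
    """Parse the inside of '-*- ... -*-'; a bare word there names the mode."""
    body = body.strip()
    if ":" not in body:
        return [("mode", body.lower())] if body else []
    pairs = []
    for part in body.split(";"):  # simplification: ignores ';' inside values
        name, sep, value = part.partition(":")
        if sep and name.strip():
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def file_local_vars(text):
    """Return (name, value) pairs declared in text, in file order."""
    found, lines = [], text.splitlines()
    # Emacs reads the first line, or the second when the first is '#!'.
    idx = 1 if len(lines) > 1 and lines[0].startswith("#!") else 0
    m = re.search(r"-\*-(.*?)-\*-", lines[idx]) if lines else None
    if m:
        found += _pairs(m.group(1))
    tail = text[-3000:].splitlines()  # the list starts within the last 3000 chars
    for i, line in enumerate(tail):
        m = re.match(r"(.*?)Local Variables:(.*)$", line, re.I)
        if not m:
            continue
        prefix, suffix = m.group(1), m.group(2).strip()
        for row in tail[i + 1:]:
            row = (row[len(prefix):] if row.startswith(prefix) else row).strip()
            if suffix and row.endswith(suffix):
                row = row[:-len(suffix)].strip()
            if row.lower() == "end:":
                break
            name, sep, value = row.partition(":")
            if sep:
                found.append((name.strip().lower(), value.strip()))
        break  # only the first list found is read
    return found

def review_flags(text):
    """Entries a reader should look at before opening the file in Emacs."""
    return [(n, v) for n, v in file_local_vars(text) if n in REVIEW]

# Constructed sample: a notes file with no .el suffix.
SAMPLE = ("-*- mode: emacs-lisp; lexical-binding: t -*-\nMeeting notes.\n\n"
          "# Local Variables:\n# fill-column: 72\n# eval: (auto-fill-mode 1)\n# End:\n")
if __name__ == "__main__": print(review_flags(SAMPLE))
```

An empty result only means this simplified parser found no `mode:` or `eval:` declaration; it does not make an untrusted file safe to open.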