From unknown Wed Jun 18 00:28:00 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#30912 <30912@debbugs.gnu.org> To: bug#30912 <30912@debbugs.gnu.org> Subject: Status: [bug-gnu-emacs] emacs as a route to privilege escalation Reply-To: bug#30912 <30912@debbugs.gnu.org> Date: Wed, 18 Jun 2025 07:28:00 +0000 retitle 30912 [bug-gnu-emacs] emacs as a route to privilege escalation reassign 30912 emacs submitter 30912 "Nelson H. F. Beebe" severity 30912 normal tag 30912 security wontfix notabug thanks From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 22 19:41:48 2018 Received: (at submit) by debbugs.gnu.org; 22 Mar 2018 23:41:48 +0000 Received: from localhost ([127.0.0.1]:48235 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ez9q4-00031p-02 for submit@debbugs.gnu.org; Thu, 22 Mar 2018 19:41:47 -0400 Received: from eggs.gnu.org ([208.118.235.92]:52748) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ez9q1-00031Z-OV for submit@debbugs.gnu.org; Thu, 22 Mar 2018 19:41:42 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ez9pv-0003XL-A0 for submit@debbugs.gnu.org; Thu, 22 Mar 2018 19:41:36 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:45246) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ez9pv-0003XA-7O for submit@debbugs.gnu.org; Thu, 22 Mar 2018 19:41:35 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:43694) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ez9pu-0004f5-3A for bug-gnu-emacs@gnu.org; Thu, 22 Mar 2018 19:41:34 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ez9pq-0003UP-JX for bug-gnu-emacs@gnu.org; Thu, 22 Mar 2018 19:41:34 -0400 Received: from mail.math.utah.edu ([155.101.98.135]:49664) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ez9pq-0003QB-Ap for bug-gnu-emacs@gnu.org; Thu, 22 Mar 2018 19:41:30 -0400 Received: from gamma.math.utah.edu (gamma.math.utah.edu [155.101.96.20]) by mail.math.utah.edu (8.14.8/8.14.8) with ESMTP id w2MNfMTf025504; Thu, 22 Mar 2018 17:41:22 -0600 (MDT) Received: from gamma.math.utah.edu (localhost [127.0.0.1]) by gamma.math.utah.edu (8.15.1/8.15.1) with ESMTP id w2MNfMZu158105; Thu, 22 Mar 2018 17:41:22 -0600 Received: (from beebe@localhost) by gamma.math.utah.edu (8.15.1/8.15.1/Submit) id w2MNfM6m158103; Thu, 22 Mar 2018 17:41:22 -0600 Date: Thu, 22 Mar 2018 17:41:22 -0600 From: "Nelson H. F. Beebe" To: bug-gnu-emacs@gnu.org X-US-Mail: "Department of Mathematics, 110 LCB, University of Utah, 155 S 1400 E RM 233, Salt Lake City, UT 84112-0090, USA" X-Telephone: +1 801 581 5254 X-FAX: +1 801 581 4148 X-URL: http://www.math.utah.edu/~beebe Subject: [bug-gnu-emacs] emacs as a route to privilege escalation Message-ID: X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.3.8 (mail.math.utah.edu [155.101.98.135]); Thu, 22 Mar 2018 17:41:22 -0600 (MDT) X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: submit Cc: beebe@math.utah.edu X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) The SANS security list today carried a pointer to this Web site: Abusing Text Editors with Third-party Plugins March 15, 2018 Dor Azouri https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins It links to an 11-page report of the same title at https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf Do emacs developers wish to respond to the security attacks described there? ------------------------------------------------------------------------------- - Nelson H. F. Beebe Tel: +1 801 581 5254 - - University of Utah FAX: +1 801 581 4148 - - Department of Mathematics, 110 LCB Internet e-mail: beebe@math.utah.edu - - 155 S 1400 E RM 233 beebe@acm.org beebe@computer.org - - Salt Lake City, UT 84112-0090, USA URL: http://www.math.utah.edu/~beebe/ - ------------------------------------------------------------------------------- From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 22 19:57:57 2018 Received: (at 30912) by debbugs.gnu.org; 22 Mar 2018 23:57:58 +0000 Received: from localhost ([127.0.0.1]:48241 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ezA5k-0003OG-Dr for submit@debbugs.gnu.org; Thu, 22 Mar 2018 19:57:57 -0400 Received: from hermes.netfonds.no ([80.91.224.195]:47328) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ezA5i-0003O7-BF for 30912@debbugs.gnu.org; Thu, 22 Mar 2018 19:57:54 -0400 Received: from cm-84.209.240.67.getinternet.no ([84.209.240.67] helo=stories) by hermes.netfonds.no with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1ezA5d-0000nK-Da; Fri, 23 Mar 2018 00:57:51 +0100 From: Lars Ingebrigtsen To: "Nelson H. F. Beebe" Subject: Re: bug#30912: emacs as a route to privilege escalation References: Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAG1BMVEUVAw7NDT6TCy/APkcI AQhHCBwKAgoGAAYlBhSDn0vPAAACLUlEQVQ4jXWTTY/aMBCGDVuyHJlIII4ECuqxqvuxx13ktXsE 0tAevdSMOPYQbXqEtKz42Z2xE8IidaIM1jx+Z+whIzDYnl7tNNYmBHvlNvKbMkWRK61q4pRTRu3k X1WwEUJdAaUKY04cNexoo0/liBQXljtHcdsV6hooBmgFlVMhB3vK66ridCaVe1B+94JwLMsg7C/k R4obpRsQiEm/kK/vwcD54vlj53T8UdT3wwDMb6MOQNYrtC3X2H6xwh/izeGtajGIlU5ggMuhEKRV 5WDZV1+XsARYE+hHy9g3UUP/ALd5CzqkidoAixZQS1DtGAzyBw96SG4JrFCPMEwgNg+QcJnIew/m 0KPlaE616XdYAbroBvociiHmXMFY4Z7COob1JqxWAWDrGixCceQLTLnmjJJmRyonMgZbgBargRUz Kw4EyHCXMPC5oq2PjRcMOD5sB/BuG5d7URnV6wuAaXY6LeirKxcNiKP7LKOYw3KGN9Ma2H6knf+j bfe0x5+yBrRTr8beuFHbuwbweWtb2+6+AZsGzLCUTaqnBgxQHEc1UBegJ8SfM8DXYPIf0JHvz8AK 0V0lFbi5AHgcJ5ViRIpFo2hSpalM9+fjuoSbmGUriKWsM/mvXTv08yW6BD5VgBqY0xPGYisnMq2B Mc9mnt36UdqSom6JH47niCeki/YC1NP6K1srvWOAV2BvcrSllHfWvgKUSuP9h4n8fKXwo4xpmr5c g5xJhDY0T/wDVQsL8j2Mm6YAAAAASUVORK5CYII= Date: Fri, 23 Mar 2018 00:57:49 +0100 In-Reply-To: (Nelson H. F. Beebe's message of "Thu, 22 Mar 2018 17:41:22 -0600") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 30912 Cc: 30912@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) "Nelson H. F. Beebe" writes: > The SANS security list today carried a pointer to this Web site: > > Abusing Text Editors with Third-party Plugins > March 15, 2018 > Dor Azouri=20 > https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins > > It links to an 11-page report of the same title at > > https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf > > Do emacs developers wish to respond to the security attacks described > there? To save people time, I've included the Emacs-relevant bits below. It seems to be pure nonsense. You can't edit root's ~/.emacs without root privilege. ---- Emacs executes its init file when it loads, and that=E2=80=99s where a user= can add key bindings, define functions, and call external commands. It contains personal EmacsLisp code that will be executed when Em= acs starts. This file is located in one of the following locations: =E2=80=A2 For GnuEmacs, it is ~/.emacs or _emacs or ~/.emacs.d/init.el. =E2=80=A2 For XEmacs, it is ~/.xemacs or ~/.xemacs/init.el. =E2=80=A2 For AquamacsEmacs, it is ~/.emacs or ~/Library/Preferences/Aquamacs Emacs/P= references.el All you have to do is add this ELisp line of code to the=20 init file . It will execute the command =E2=80=9Ctouch /stub.file=E2=80=9D, when =E2= =80=9C~/ emacs.d/=E2=80=9D is the working directory. (let (( default-directory "~/.emacs.d/")) (shell-command " touch /stub.file ")) And the privilege escalation objective is possible here as well, because su= rprisingly, this init file can be edited without root=20 permissions. --=20 (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 22 20:05:12 2018 Received: (at 30912) by debbugs.gnu.org; 23 Mar 2018 00:05:12 +0000 Received: from localhost ([127.0.0.1]:48247 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ezACl-0003Zp-Ob for submit@debbugs.gnu.org; Thu, 22 Mar 2018 20:05:12 -0400 Received: from mail-it0-f52.google.com ([209.85.214.52]:56004) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ezACi-0003ZT-OX; Thu, 22 Mar 2018 20:05:09 -0400 Received: by mail-it0-f52.google.com with SMTP id e195-v6so482222ita.5; Thu, 22 Mar 2018 17:05:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=+UQADyqPj0FABcL+A5ESfoecRiIxfbVXvIS1mr+YJqA=; b=lBS8eDy64yfCpEOTuX50tuaa+mm9AatRqcvR2AFPe5NVlhLzq3dO/lphI/MUiCzGXk Ojcj+4vUhA5eNiY8WyqRErn8p0jxTROj0RTI9qSjjCsSrbidsbV6XYUuSqT8LPAggRvu 6EIkfp3cyd+bO0SrV1fXYlOjvP1lBHECYwV99+SznOMzR7arQjiSf3QYVQkGtntExDWA Cg0P6/ZLkxUI+vEMFFfCjZc0yRrb+Np3WtyVrBtZbAyYqKdi8R6t9zZjBkhcrlx2imgN mThLoKHdKEYclsC9lUHhRKfNBmsz9w6hzs48Ce6c/PQm/95sL2n8TC8UGVBoLq8czYdu hEHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=+UQADyqPj0FABcL+A5ESfoecRiIxfbVXvIS1mr+YJqA=; b=poA7/+4R5dYvaOHTbTGXJmVOQWe4Qx2imMbaR+hRT16gMlytM3HjIffxKSNAph3yjo 9cLxPm3NPc3b3jDicEJtSddQtLF6CG+dOo+n1YxjbfVT3HXqGxwC5aXZbk0RvLPXes02 DOnHSjAakLrjBmsEbCK//vH484bhLGLT8oiDCD97wogRfgoswRgikPoBb6trW9q1dPqM DwHI7NSo18pzozD8n61lYgWagXEzmw+CkCTEd2GV9DppO9HCXO2TVoxZNzaZqHAeVC32 Vd9Lg6OWLoK4a3Lv4H2qHRDYX4rYQJrVr7D6KSDw6A6c2/AcZSPftqDk7I1+udukYnSZ 6vPA== X-Gm-Message-State: AElRT7FjKJ+LvJolE8RERM8sVZZXf2b7ysy1BOjXV/u/RWA4cCIgScbp R+toqSTCeHosLBXnvN4XHCu9pQ== X-Google-Smtp-Source: AG47ELsyH/Iu6pbcYm+HqcRDxIdAYK2jus38vfFyAV1xYIsF6FSyaP6R6EgqmqEO7TryW7u0UO4w6A== X-Received: by 2002:a24:3c5:: with SMTP id e188-v6mr11581385ite.74.1521763502907; Thu, 22 Mar 2018 17:05:02 -0700 (PDT) Received: from zebian (cbl-45-2-119-34.yyz.frontiernetworks.ca. [45.2.119.34]) by smtp.googlemail.com with ESMTPSA id e142-v6sm6145656ite.3.2018.03.22.17.05.01 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 22 Mar 2018 17:05:02 -0700 (PDT) From: Noam Postavsky To: "Nelson H. F. Beebe" Subject: Re: bug#30912: [bug-gnu-emacs] emacs as a route to privilege escalation References: Date: Thu, 22 Mar 2018 20:05:01 -0400 In-Reply-To: (Nelson H. F. Beebe's message of "Thu, 22 Mar 2018 17:41:22 -0600") Message-ID: <87lgejslle.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.90 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 30912 Cc: 30912@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) forcemerge 28618 30912 quit "Nelson H. F. Beebe" writes: > The SANS security list today carried a pointer to this Web site: > > Abusing Text Editors with Third-party Plugins > March 15, 2018 > Dor Azouri > https://safebreach.com/Post/Abusing-Text-Editors-with-Third-party-Plugins > > It links to an 11-page report of the same title at > > https://go.safebreach.com/rs/535-IXZ-934/images/Abusing_Text_Editors.pdf > > Do emacs developers wish to respond to the security attacks described > there? Dor already brought this up in Bug#28618. As Glenn said: If an attacker has [compromised] a user account that can run "sudo arbitrary command", then that's just the same as having compromised the root account, and so worrying about this on the individual application level doesn't seem to make sense. Eg they could replace "sudo" with a keylogger. Note that the problem could be "fixed" by setting Defaults always_set_home in /etc/sudoers (Debian has this setting by default), but that won't help with the sudo-is-a-key-logger problem. From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 24 14:24:20 2018 Received: (at 30912) by debbugs.gnu.org; 24 Mar 2018 18:24:20 +0000 Received: from localhost ([127.0.0.1]:51724 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eznq0-0005sH-9p for submit@debbugs.gnu.org; Sat, 24 Mar 2018 14:24:20 -0400 Received: from eggs.gnu.org ([208.118.235.92]:59435) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eznpy-0005s3-3W for 30912@debbugs.gnu.org; Sat, 24 Mar 2018 14:24:18 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eznoo-00007s-T2 for 30912@debbugs.gnu.org; Sat, 24 Mar 2018 14:24:12 -0400 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:60707) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eznhR-0004Ho-AE; Sat, 24 Mar 2018 14:15:29 -0400 Received: from rms by fencepost.gnu.org with local (Exim 4.82) (envelope-from ) id 1eznhQ-0000Cr-Th; Sat, 24 Mar 2018 14:15:28 -0400 Content-Type: text/plain; charset=Utf-8 From: Richard Stallman To: Lars Ingebrigtsen In-reply-to: (message from Lars Ingebrigtsen on Fri, 23 Mar 2018 00:57:49 +0100) Subject: Re: bug#30912: emacs as a route to privilege escalation References: Message-Id: Date: Sat, 24 Mar 2018 14:15:28 -0400 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 30912 Cc: 30912@debbugs.gnu.org, beebe@math.utah.edu X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: rms@gnu.org Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > It seems to be pure nonsense. You can't edit root's ~/.emacs without > root privilege. In principle, that should be the case, but sometimes it isn't. Basically, it is true if the kernel has no bugs. However, the kernel often does have a bug which can be used for "privilege escalation." When such an exploit is available, problems in user programs can be used to take control of the computer. But this does not require a add-on. Bugs in programs that display files obtained over the web, even files that are not supposed to contain code at all, can be used to do this. It is a real problem. -- Dr Richard Stallman President, Free Software Foundation (https://gnu.org, https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) Skype: No way! See https://stallman.org/skype.html. From unknown Wed Jun 18 00:28:00 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Sun, 22 Apr 2018 11:24:05 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator