GNU bug report logs - #32495
26.1; Arbitrary code execution when completing inside untrusted elisp code

Previous Next

Package: emacs;

Reported by: Wilfred Hughes <me <at> wilfred.me.uk>

Date: Wed, 22 Aug 2018 00:13:02 UTC

Severity: normal

Tags: security

Found in version 26.1

Full log

View this message in rfc822 format

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Wilfred Hughes <me <at> wilfred.me.uk>
Cc: 32495 <at> debbugs.gnu.org
Subject: bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code
Date: Thu, 23 Aug 2018 14:54:31 -0400

> 1. pass in an environment with all untrusted macros replaced with dummies:

Sounds like a good first step.

We could even start with a blacklist rather than a whitelist
(eval-when-compile, eval-and-compile, cl-eval-when, ...), so the point
would be to protect oneself from accidental problems rather than from
malign adversaries.

> 2. bind all eval-capable functions first (INCOMPLETE, there are other
> eval-capable functions, such as load):

Trying to plug each and every hole sounds like a losing game
(e.g. you can implement `eval` by building a `(lambda () ,exp) and then
causing it to be called one way or another).

Ideally, we'd have some way to confine Elisp code to a sandbox of some
sort (e.g. no access to any I/O and all changes to global vars are ignored).


        Stefan

This bug report was last modified 6 years and 357 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #32495 26.1; Arbitrary code execution when completing inside untrusted elisp code

GNU bug report logs - #32495
26.1; Arbitrary code execution when completing inside untrusted elisp code