GNU bug report logs - #37656
27.0.50; Arbitrary code execution with special `mode:'
Reported by: adam plaice <plaice.adam+lists <at> gmail.com>
Date: Tue, 8 Oct 2019 08:49:02 UTC
Severity: normal
Tags: security
Found in version 27.0.50
Fixed in version 30.1
Done: Stefan Kangas <stefankangas <at> gmail.com>
Bug is archived. No further changes may be made.
adam plaice <plaice.adam+lists <at> gmail.com> writes:
> Since the bug allows an attacker to execute arbitrary code if the
> victim opens a payload file, and hence opening any file from an
> untrusted source becomes dangerous, it seems to be rather
> serious.
Thanks for raising this here. I agree that this is serious, and we
should treat it accordingly.
The below patch seems to fix it by disabling the feature it exploits.
A workaround is to add this to your init file:
(setq enable-local-variables nil)
Best regards,
Stefan Kangas
diff --git a/lisp/files.el b/lisp/files.el
index 40807617fa..550227b21a 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -3068,7 +3068,7 @@ set-auto-mode
(if (save-excursion (search-forward ":" end t))
;; Find all specifications for the `mode:' variable
;; and execute them left to right.
- (while (let ((case-fold-search t))
+ (when (let ((case-fold-search t))
(or (and (looking-at "mode:")
(goto-char (match-end 0)))
(re-search-forward "[ \t;]mode:" end t)))
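Review bot: The comment just above the changed line in set-auto-mode still reads "Find all specifications for the `mode:' variable and execute them left to right", but with `when` in place of `while` the body runs at most once, so only the first `mode:` match before `end` is acted on. Please update that comment to say that only the first specification is honoured. Files that list several `mode:` entries on that line will now silently lose the later ones, so this behaviour change also deserves a documentation or NEWS note, and the commit message should state why iterating over further `mode:` entries is unsafe, since the visible lines do not show it.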
This bug report was last modified 126 days ago.