GNU bug report logs -
#37656
27.0.50; Arbitrary code execution with special `mode:'
Reported by: adam plaice <plaice.adam+lists <at> gmail.com>
Date: Tue, 8 Oct 2019 08:49:02 UTC
Severity: normal
Tags: security
Found in version 27.0.50
Fixed in version 30.1
Done: Stefan Kangas <stefankangas <at> gmail.com>
Bug is archived. No further changes may be made.
> Here is a more complete patch. Does it look like the right fix?
This indeed fixes the issue! Thanks for dealing with it so quickly! (Though
I'm obviously not qualified to say whether it's _the_ right fix for this.)
> I think the relevant node in the documentation is:
> (info "(emacs)Choosing Modes")
That, and part of:
(info "(emacs)Specifying File Variables")
Unfortunately, I've realised that a similar problem can be introduced
with directory variables. (Should I file a separate bug for this as it's
closely related but not quite the same?) This requires at least two
files, so it's not quite as serious:
In .dir-locals.el:

    ((nil . ((mode . flymake))))

In, say, foobar, in the same directory:

    -*- mode: emacs-lisp -*-
    (eval-when-compile
      (with-temp-file "~/emacs_flymake_security_bug"
        (insert "Could have also executed any code.")))
(Some other, equivalent arrangements (e.g. (mode . emacs-lisp) directly in
.dir-locals.el), or simply an .el extension, also "work".)
According to the manual (info "(emacs)Directory Variables"):
> The special ‘mode’ element specifies the minor mode to be
> enabled. So ‘(mode . auto-fill)’ specifies that the minor mode
> ‘auto-fill-mode’ needs to be enabled.
so in this case setting the minor mode _is_ the intended/documented behaviour,
which might make resolving the bug harder.
(OTOH (info "(emacs)Directory Variables") also states:
> You can specify the variables ‘mode’, ‘eval’, and ‘unibyte’ in your
> ‘.dir-locals.el’, and they have the same meanings as they would have in
> file local variables.
while (info "(emacs)Specifying File Variables") says:
> The special variable/value pair ‘mode:
> MODENAME;’, if present, specifies a major mode.
so there's some inconsistency on what `mode' in .dir-locals.el is actually
"supposed" to specify — a major mode, a minor mode or either.)
Thanks,
Adam
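
An added example, not part of the original message or of Emacs: a Python audit that can be run over an untrusted checkout before opening it, flagging any `.dir-locals.el` or `-*- ... -*-` line that asks for the flymake minor mode. It goes beyond the directory-variable case above by also checking file-local cookies; the `RISKY_MODES` set, the function names and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Modes a checkout should not switch on for you; "flymake" is the one in this report.
RISKY_MODES = {"flymake"}
DIR_LOCALS_MODE = re.compile(r"\(\s*mode\s+\.\s+([^\s()]+)\s*\)")
COOKIE = re.compile(r"-\*-(.*?)-\*-")

def normalize(name):
    return re.sub(r"-mode$", "", name.strip().lower())

def modes_in_dir_locals(text):
    """Every (mode . NAME) pair; plain regex, so commented-out pairs match too."""
    return [normalize(m) for m in DIR_LOCALS_MODE.findall(text)]

def modes_in_cookie(head):
    """Every 'mode: NAME' entry found in a -*- ... -*- line."""
    modes = []
    for cookie in COOKIE.findall(head):
        for part in cookie.split(";"):
            key, sep, value = part.partition(":")
            if sep and key.strip().lower() == "mode":
                modes.append(normalize(value))
    return modes

def audit(root):
    """Return (relative path, kind, mode) for each request for a risky mode."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        text = path.read_text(errors="replace")
        if path.name == ".dir-locals.el":
            kind, modes = "dir-local", modes_in_dir_locals(text)
        else:  # the cookie sits on line 1, or on line 2 after a #! line
            kind, modes = "file-local", modes_in_cookie("\n".join(text.splitlines()[:2]))
        findings += [(path.relative_to(root).as_posix(), kind, m)
                     for m in modes if m in RISKY_MODES]
    return findings

def demo():
    """Constructed sample tree: the report's two files plus one file-local cookie."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".dir-locals.el").write_text("((nil . ((mode . flymake))))\n")
        (root / "foobar").write_text("-*- mode: emacs-lisp -*-\n(message \"hi\")\n")
        (root / "other.el").write_text(";; -*- mode: emacs-lisp; mode: flymake -*-\n")
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit in `.dir-locals.el` applies to every file under that directory, so it is worth reviewing even when no individual file carries a cookie of its own.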
This bug report was last modified 126 days ago.