GNU bug report logs - #37656
27.0.50; Arbitrary code execution with special `mode:'


Package: emacs;

Reported by: adam plaice <plaice.adam+lists <at> gmail.com>

Date: Tue, 8 Oct 2019 08:49:02 UTC

Severity: normal

Tags: security

Found in version 27.0.50

Fixed in version 30.1

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.



Message #32 received at 37656 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Adam Plaice <plaiceadam <at> gmail.com>
Cc: 37656 <at> debbugs.gnu.org, stefan <at> marxist.se
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Date: Wed, 16 Oct 2019 10:57:03 +0300

> From: Adam Plaice <plaiceadam <at> gmail.com>
> Date: Wed, 16 Oct 2019 02:35:58 +0200
> Cc: 37656 <at> debbugs.gnu.org, Emacs developers <emacs-devel <at> gnu.org>
> 
> Unfortunately, I've realised that a similar problem can be introduced
> with directory variables.

Indeed, and I expect the same problem to pop up in other places.

Which is why I think the problem should be solved in those modes which
allow execution of arbitrary code via file-local variables without any
security precautions or other limitations, at least under user
control.

> (Should I file separate bug for this as it's closely related but not
> quite the same?)

No, it's the same problem, and I don't like the proposed solution for
the reasons explained above.  I think we need a different solution.




This bug report was last modified 126 days ago.
