GNU bug report logs - #37656
27.0.50; Arbitrary code execution with special `mode:'


Package: emacs;

Reported by: adam plaice <plaice.adam+lists <at> gmail.com>

Date: Tue, 8 Oct 2019 08:49:02 UTC

Severity: normal

Tags: security

Found in version 27.0.50

Fixed in version 30.1

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.



Message #50 received at 37656 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Phil Sainty <psainty <at> orcon.net.nz>
Cc: stefan <at> marxist.se, 37656 <at> debbugs.gnu.org, plaiceadam <at> gmail.com
Subject: Re: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Date: Wed, 16 Oct 2019 22:34:22 +0300
> Cc: Adam Plaice <plaiceadam <at> gmail.com>, 37656 <at> debbugs.gnu.org,
>  stefan <at> marxist.se
> From: Phil Sainty <psainty <at> orcon.net.nz>
> Date: Thu, 17 Oct 2019 08:09:04 +1300
> 
> On 17/10/19 6:09 AM, Eli Zaretskii wrote:
> > I don't think that removing the feature will solve the more
> > general problem in this bug report.
> 
> 
> In particular it seems there is no point in removing the deprecated
> method of calling a minor mode using local variables because, after
> testing, the *approved* method of calling a minor mode via local
> variables causes the same behaviour.  i.e.:
> 
> -*- mode: emacs-lisp; eval:(flymake-mode 1); -*-
> 
> 
> So the deprecated approach isn't actually a factor here.

Right, thanks for confirming.

The question is: can we do something in core to prevent these
problems, or does the solution have to be in the individual minor
modes?
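
An added example, not part of this thread and not Emacs code: a small Python audit helper that pulls `mode:` and `eval:` entries out of a `-*- ... -*-` header like the one quoted above, so files from untrusted sources can be reviewed before they are opened. The function names are hypothetical, the sample line is constructed from the quoted header, and as a simplification it looks only at the first two lines, not at a trailing `Local Variables:` block.

```python
import re

# File-local variable header: -*- var: value; var: value; -*-
HEADER_RE = re.compile(r"-\*-(.*?)-\*-")

def split_items(body):
    """Split on ';' outside double-quoted strings (simplified Lisp reading)."""
    items, cur, in_str, esc = [], [], False, False
    for ch in body:
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == '"':
            in_str = not in_str
        elif ch == ";" and not in_str:
            items.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    items.append("".join(cur))
    return [i for i in items if i.strip()]

def parse_header(line):
    """Return (name, value) pairs from a -*- ... -*- header, or [] if none."""
    m = HEADER_RE.search(line)
    if not m:
        return []
    body = m.group(1).strip()
    if ":" not in body:
        # Short form "-*- emacs-lisp -*-" names only a major mode.
        return [("mode", body)] if body else []
    pairs = []
    for item in split_items(body):
        name, _, value = item.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def flag_file_locals(text):
    """Report mode: and eval: header entries as (line, name, value) for review."""
    findings = []
    for lineno, line in enumerate(text.splitlines()[:2], start=1):
        for name, value in parse_header(line):
            if name in ("mode", "eval"):
                findings.append((lineno, name, value))
    return findings

# Constructed sample: the header quoted in the message, inside a Lisp comment.
SAMPLE = ";; -*- mode: emacs-lisp; eval:(flymake-mode 1); -*-\n(message \"hi\")\n"
```
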




This bug report was last modified 126 days ago.
