GNU bug report logs - #37656
27.0.50; Arbitrary code execution with special `mode:'

Previous Next

Package: emacs;

Reported by: adam plaice <plaice.adam+lists <at> gmail.com>

Date: Tue, 8 Oct 2019 08:49:02 UTC

Severity: normal

Tags: security

Found in version 27.0.50

Fixed in version 30.1

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #58 received at 37656-done <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefankangas <at> gmail.com>
To: adam plaice <plaice.adam+lists <at> gmail.com>
Cc: 37656-done <at> debbugs.gnu.org
Subject: Re: bug#37656: 27.0.50; Opening file with specially crafted local
 variables can cause arbitrary code execution Inbox x
Date: Tue, 11 Mar 2025 23:39:17 -0400

Version: 30.1

adam plaice <plaice.adam+lists <at> gmail.com> writes:

> * To reproduce:
>
> 1. Create a file, say `~/foobar', (it could have an arbitrary
> extension) with the following contents:
>
> -*- mode: emacs-lisp; mode: flymake -*-
>
> (eval-when-compile
>   (with-temp-file "~/emacs_flymake_security_bug"
>       (insert "Could have also executed any code.")))
>
> 2. Open the file with emacs:
>
> emacs -Q ~/foobar
>
> 3. Inspect ~/emacs_flymake_security_bug:
>
> cat ~/emacs_flymake_security_bug
>
> * Expected result
>
> ~/emacs_flymake_security_bug does not exist.
>
> * Actual result
>
> ~/emacs_flymake_security_bug does exist.

This is fixed in the recently released Emacs 30.1, so I'm closing this
bug now.

This bug report was last modified 126 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #37656 27.0.50; Arbitrary code execution with special `mode:'

GNU bug report logs - #37656
27.0.50; Arbitrary code execution with special `mode:'