Sven Joachim
2008-May-12 14:20 UTC
[Secure-testing-team] Bug#480877: emacs21: arbitrary code execution in fast-lock-mode
Package: emacs21
Version: 21.4a+1-5.4
Severity: important
Tags: security
The following message was forwarded to the emacs-devel mailing list, see
[1]. It is currently still under discussion there.
------- Start of forwarded message -------
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham
version=3.1.0
Date: Fri, 9 May 2008 12:45:25 -0400
From: "Morten Welinder" <mwelinder at gmail.com>
To: eliz at gnu.org
Subject: Emacs security bug
Hi there,
it''s been a while or two -- DJGPP was hot, new technology when we last
spoke, :-)
It''s unclear to me where to send Emacs security concerns, so I am
sending
this one to you. Please forward appropriately.
1. Create .emacs with contents
(global-font-lock-mode t)
(seq font-lock-support-mode ''fast-lock-mode)
2. Create foo.c with contents /* Nothing to see here */
3. Create foo.c.flc with contents (message "Something to see here!")
4. Start Emacs and load foo.c
- --> Observe that code from foo.c.flc is run. Not good.
(This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to
be adjusted.)
Suggestions:
a. Remove "." from fast-lock-cache-directories. Littering little
files everywhere
is not a good idea anyway.
b. Don''t use load to handle the .flc file. Instead read it into a
buffer and read
one s-expression at a time and verify that it is sane before evaluating it.
c. Don''t use files owned by anyone else. This cannot stand alone,
though, as
it has a race condition.
Morten Welinder
------- End of forwarded message -------
Since fast-lock-mode is not the default font-lock-support-mode and
probably few people use it, I set the severity to important rather than
grave. Nevertheless it should be fixed in one of the ways Morten
outlined.
[1] http://lists.gnu.org/archive/html/emacs-devel/2008-05/msg00645.html