emacs-devel

Re: Emacs Arbitrary Code Execution and How to Avoid It


From: Jean Louis
Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It
Date: Wed, 4 Dec 2024 20:02:57 +0300
User-agent: Mutt/2.2.12 (2023-09-09)

* Steven Allen <steven@stebalien.com> [2024-12-04 18:05]:
> 
> Jean Louis <bugs@gnu.support> writes:
> > In every programming language it is possible to obscure the code and 
> > execute arbitrary code.
> >
> > I do not see it as a special security issue, it is common, known.
> >
> > -- 
> > Jean Louis
> 
> Yes, but opening random text files shouldn't execute arbitrary code. The
> concern here is that someone can:
> 
> 1. Create some "document.txt" file.
> 2. Start it with ";; -*- mode: emacs-lisp -*-".
> 3. Include a macro that executes some malicious lisp code.
> 4. Send it to some unsuspecting victim.
> 
> Opening this file will run arbitrary code if flymake is enabled for
> emacs-lisp files, even though the file looks like it should be an
> innocent ".txt" file.

I get it, though similar concepts are in many editors. As you said,
"if flymake is enabled" which means that a user enabling flymake should
get informed of it. There is a myriad of packages that can be created,
so "if" they are enabled to do specific things on specific triggers
that does not constitute any serious "security hole". It is all
conditional, and there are many conditions that may provide an open
door for malicious friends to execute whatever code. It is anyway
coming by spam. It requires 21st century literacy to recognize
something is wrong. We talk hypothetically, so far there are zero
victims, nothing happened, no damage, just sensationalism.

-- 
Jean Louis
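
A triage check for the scenario in the quoted steps, added here as an example and not written by either poster or taken from Emacs: it flags a file whose name does not end in ".el" but whose contents ask Emacs to select emacs-lisp mode. The function names and the sample text are constructed for illustration, and the assumption is that the mode request arrives through the first-line "-*-" cookie or a "Local Variables:" block.

```python
import re
from pathlib import PurePath

# First-line cookie: "-*- mode: emacs-lisp -*-" or the bare form "-*- emacs-lisp -*-".
COOKIE = re.compile(r"-\*-(.*?)-\*-")
# "mode: NAME" entries, as used in the cookie and in a "Local Variables:" block.
MODE_VAR = re.compile(r"(?:^|[;\s])mode:\s*([\w-]+)", re.IGNORECASE)
ELISP_EXTENSIONS = {".el"}
TAIL_CHARS = 3000  # Emacs looks for the Local Variables block near the end of the file

# Constructed sample: a ".txt" attachment that starts with an emacs-lisp mode cookie.
SAMPLE_TXT = ";; -*- mode: emacs-lisp -*-\nMeeting notes for Thursday.\n"


def declared_modes(text):
    """Return the set of major-mode names the file contents ask Emacs to select."""
    modes = set()
    lines = text.splitlines()
    # The cookie is read from line 1, or from line 2 when line 1 is a "#!" line.
    head = lines[1:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in head:
        match = COOKIE.search(line)
        if not match:
            continue
        body = match.group(1).strip()
        if ":" not in body:
            modes.add(body.lower())          # bare form: the body is the mode name
        else:
            modes.update(n.lower() for n in MODE_VAR.findall(body))
    tail = text[-TAIL_CHARS:]
    start = tail.lower().find("local variables:")
    if start != -1:
        modes.update(n.lower() for n in MODE_VAR.findall(tail[start:]))
    # "emacs-lisp-mode" and "emacs-lisp" name the same mode.
    return {re.sub(r"-mode$", "", name) for name in modes}


def is_disguised_elisp(filename, text):
    """True when the name is not an Emacs Lisp file but the contents request that mode."""
    ext = PurePath(filename).suffix.lower()
    return ext not in ELISP_EXTENSIONS and "emacs-lisp" in declared_modes(text)


if __name__ == "__main__":
    print("document.txt flagged:", is_disguised_elisp("document.txt", SAMPLE_TXT))
```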


