Re: Emacs Arbitrary Code Execution and How to Avoid It
From: Christopher Howard
Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It
Date: Wed, 04 Dec 2024 08:23:45 -0900
Jean Louis <bugs@gnu.support> writes:
> I get it, though similar concepts are in many editors. As you said,
> "if flymake is enabled" which means that user enabling flymake should
> get informed of it. There is a myriad of packages that can be created,
> so "if" they are enabled to do specific things on specific triggers
> that does not constitute any serious "security hole". It is all
> conditional, and there are many conditions that may provide an open
> door for malicious friends to execute whatever code. It is anyway
> coming by spam. It requires 21st century literacy to recognize
> something is wrong. We talk hypothetically, so far there are zero
> victims, nothing happened, no damage, just sensationalism.

It seems like a "significant" concern, if maybe not a "serious" one. I highly
doubt I would ever be caught in this way by a spam e-mail attachment. But
something I do very frequently is clone random repositories, including obscure
new packages and advertised init.el code, and peruse through the elisp code
with my Emacs editor. I don't think it is sensational to wonder about whether
simply inspecting the code file (find-file) is going to allow for immediate
code execution that could do things like delete my ssh keys or paste them to a
bin Web site.

With directory local variables, there is a mechanism in place that asks you
first if you want to apply the variables. So this sort of thing has been
considered a valid concern.

Perhaps, at the moment, a vanilla Emacs setup does not trigger this, but it is
something users should be aware of as they are considering various features to
enable or install. If completion-preview-mode activates this, which is a
built-in feature, that seems worthy of note. And maybe some mitigation could be
programmed into Emacs — I'm not sure.
--
Christopher Howard