GNU Emacs file-local variables Vulnerability

2012.08.13
Credit: Paul Ling
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-noinfo


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

If Emacs crashed, and you have the Emacs process in the gdb debugger, please include the output from the following gdb commands: `bt full' and `xbacktrace'. For information about debugging Emacs, please read the file /Applications/MacPorts/Emacs.app/Contents/Resources/etc/DEBUG.

In GNU Emacs 24.1.1 (x86_64-apple-darwin11.3.0, NS apple-appkit-1138.32) of 2012-06-15 on gamma.local
Windowing system distributor `Apple', version 10.3.1138
Configured using: `configure '--prefix=/opt/local' '--with-ns' '--without-x' '--without-dbus' 'CC=/usr/bin/clang' 'CFLAGS=-pipe -O2 -arch x86_64' 'LDFLAGS=-L/opt/local/lib -arch x86_64' 'CPPFLAGS=-I/opt/local/include''

Important settings:
value of $LC_ALL: nil
value of $LC_COLLATE: nil
value of $LC_CTYPE: nil
value of $LC_MESSAGES: nil
value of $LC_MONETARY: nil
value of $LC_NUMERIC: nil
value of $LC_TIME: nil
value of $LANG: nil
value of $XMODIFIERS: nil
locale-coding-system: nil
default enable-multibyte-characters: t

Major mode: Help

Minor modes in effect:
minibuffer-depth-indicate-mode: t
delete-selection-mode: t
mouse-wheel-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
column-number-mode: t
line-number-mode: t
transient-mark-mode: t

Recent input:
<help-menu> <send-emacs-bug-report>

Recent messages:
Type "q" to delete help window.
Creating customization items...
Creating customization items ...done
Resetting customization items...done
Creating customization setup...done
To install your edits, invoke [State] and choose the Set operation
Type "q" to delete help window.
Back to top level. [2 times]
Type "q" to delete help window.
Copied 17 characters

Load-path shadows:
None found.

Features:
(shadow sort gnus-util mail-extr warnings emacsbug message format-spec rfc822 mml mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils cus-edit wid-edit pp help-mode hl-line auctex-autoloads tex-site info package tabulated-list jka-compr mb-depth linum delsel cua-base cus-start cus-load pdling view tmm electric dired-x easymenu dired-aux apropos srtmenu poshist ltx-aux dtree dired regexp-opt pdl-fix-focus advice help-fns advice-preload edmacro kmacro time-date tooltip ediff-hook vc-hooks lisp-float-type mwheel ns-win tool-bar dnd fontset image fringe lisp-mode register page menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock syntax facemenu font-core frame cham georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean japanese hebrew greek romanian slovak czech european ethiopic indian cyrillic chinese case-table epa-hook jka-cmpr-hook help simple abbrev minibuffer loaddefs button faces cus-face files text-properties overlay sha1 md5 base64 format env code-pages mule custom widget hashtable-print-readable backquote make-network-process ns multi-tty emacs)

On setting `enable-local-variables' to `:safe' (set safe local variables, ignore others) and `enable-local-eval' to `maybe' (the default, should query `eval:'s in local variables), the `eval:'s seem to get evaluated without querying the user. For example, with

;; Local Variabulls:
;; eval: (do-something-nasty)
;; End:

at the end of a file (with Variables in place of Variabulls) on opening the file `(do-something-nasty)' seems to get evaluated with obvious security issues.

Hope this is helpful and I'm not missing something obvious, Paul Ling.
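The report above turns on the file-local variables mechanism: Emacs reads a `-*- ... -*-` spec on the first line and a `Local Variables:` ... `End:` block within the last 3000 characters of a file, and an `eval:` entry in either asks Emacs to evaluate an arbitrary Lisp form when the file is visited. The following scanner is an added example written for this page, not code from the bug report or from GNU Emacs; it parses both locations the way Emacs does (prefix and suffix taken from the `Local Variables:` line, block terminated by `End:`) and lists every `eval:` form, so an administrator can audit a checkout or a shared directory for such entries before anyone opens the files. The sample file, the file name handling and the `audit_file` helper are constructed for the example; the `(do-something-nasty)` form is the one quoted in the report.

```python
import re
import sys

# Emacs only looks for a "Local Variables:" block in the last 3000 characters
# of the buffer, so the scanner searches the same window.
LOCAL_VARS_TAIL = 3000

# Constructed sample file (not from the advisory beyond the eval: line it
# quotes): an Emacs Lisp file whose trailing block carries an eval: entry.
SAMPLE_FILE = """(defun hello () (message "hi"))

;; Local Variables:
;; fill-column: 70
;; eval: (do-something-nasty)
;; End:
"""


def parse_first_line(text):
    """Return (name, value) pairs from a `-*- ... -*-` spec on the first line."""
    first = text.split("\n", 1)[0]
    m = re.search(r"-\*-(.*?)-\*-", first)
    if not m:
        return []
    spec = m.group(1).strip()
    if ":" not in spec:
        # A bare word such as `-*- lisp -*-` names only the major mode.
        return [("mode", spec)] if spec else []
    entries = []
    for item in spec.split(";"):
        name, sep, value = item.partition(":")
        if sep and name.strip():
            entries.append((name.strip(), value.strip()))
    return entries


def parse_local_variables(text):
    """Return (name, value) pairs from a trailing Local Variables block.

    The text before "Local Variables:" on its line is the prefix and the text
    after it is the suffix; every entry line must carry both, and the block
    ends at a line whose body is "End:".  Lines that do not match are skipped
    here (Emacs itself refuses the whole block in that case).
    """
    tail = text[-LOCAL_VARS_TAIL:].replace("\r\n", "\n")
    m = re.search(r"^(.*)Local Variables:(.*)$", tail, re.MULTILINE)
    if not m:
        return []
    prefix, suffix = m.group(1), m.group(2)
    entries = []
    for line in tail[m.end():].splitlines():
        if not (line.startswith(prefix) and line.endswith(suffix)):
            continue
        body = line[len(prefix):len(line) - len(suffix)]
        if body.strip() == "End:":
            break
        name, sep, value = body.partition(":")
        if sep and name.strip():
            entries.append((name.strip(), value.strip()))
    return entries


def find_eval_entries(text):
    """Return every Lisp form an eval: entry would ask Emacs to evaluate."""
    entries = parse_first_line(text) + parse_local_variables(text)
    return [value for name, value in entries if name == "eval"]


def audit_file(path):
    """Hypothetical helper: scan one file on disk and return its eval: forms."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_eval_entries(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("sample:", find_eval_entries(SAMPLE_FILE))
    for path in targets:
        for form in audit_file(path):
            print(f"{path}: eval: {form}")
```

Run it with no arguments to see the sample's `(do-something-nasty)` reported, or pass file paths to audit them. Any `eval:` form it finds deserves a look regardless of the affected Emacs version, since the affected configuration runs such forms without asking; until a fixed Emacs is installed, setting `enable-local-eval` to `nil` makes Emacs ignore `eval:` entries entirely rather than prompting.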

References:

http://seclists.org/oss-sec/2012/q3/222
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155


Copyright 2024, cxsecurity.com
