On 27/02/2025 06:45, Alan Coopersmith wrote:
> ** Fix shell injection vulnerability in man.el (CVE-2025-1244).
> We urge all users to upgrade immediately.
> This was reported in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=66390
Reading <https://bugzilla.redhat.com/show_bug.cgi?id=2345150> I have
realized that org-link was not the only package that did not follow
(from #66390):
"'man' is an interactive command, so it should not
second-guess the user who invokes it. Commands that call 'man'
non-interactively should make sure they call 'man' with a valid
argument, especially when the argument comes from some file."
Fortunately, it was finally fixed in man.el, so other callers are no
longer affected either.
> CVE-2024-53920 is further described in
> https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
> [...]
> - Avoid visiting untrusted .el files in Emacs
Do not open *any* file that you do not trust. The issue is not specific
to files having the .el suffix. In the default configuration, emacs-lisp mode
may be forced by specifying file-local variables inside a file.
> - Disable automatic error checking (with Flymake or Flycheck) in
>   untrusted .el files
Disabling flymake may be tricky. File-local variables allow forcing it
(in the default configuration).
> - Disable auto-completion features in untrusted .el files
> - UPDATE: Also set enable-local-eval to nil
It should work; however, it is a rather drastic measure that may cause
inconvenience.
It is funny that a similar suggestion was published in the previous century.
Simson Garfinkel, Gene Spafford. Practical UNIX & Internet Security.
1996. Chapter 11, Protecting Against Programmed Threats:
Another possible source of initialization errors comes into play
when you edit files that have embedded edit commands. Both vi/ex
and Emacs allow you to embed editor commands within text files so
they are automatically executed whenever you edit the file. For
this to work, they must be located in the first few or last few
lines of the file.
To disable this feature in Emacs, place one of these lines in your .emacs file:
(setq inhibit-local-variables t) ; emacs version 18
or:
(setq enable-local-variables "ask") ; emacs version 19 and above
The following bugs have not been marked as fixed for some reason, but from my
point of view, the original reports prominently highlight the risk of
CVE-2024-53920.
- <https://debbugs.gnu.org/37656> Tue, 8 Oct 2019 08:49:02 UTC
Arbitrary code execution with special `mode:'
- <https://debbugs.gnu.org/32495> Wed, 22 Aug 2018 00:13:02 UTC
Arbitrary code execution when completing inside untrusted elisp code
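As an added example (not from this thread, and not Emacs's own code), a small Python triage script that lists the `mode:` and `eval:` file-local settings a file would impose on Emacs when visited, parsing both the first-line `-*- ... -*-` form and the trailing `Local Variables:` block the quoted book describes; the sample file it scans is constructed, and the `;`-splitting of the first line assumes no `;` inside an eval form.

```python
import re
from typing import List, Tuple

FIRST_LINE_RE = re.compile(r"-\*-\s*(.*?)\s*-\*-")
# `mode:' can force emacs-lisp-mode (or a minor mode such as flymake) on any file, and
# `eval:' runs Lisp outright: these are the settings the mitigations above are about.
RISKY = {"mode", "eval"}

def parse_first_line(line: str) -> List[Tuple[str, str]]:
    """Parse the `-*- ... -*-' form; a bare `-*- lisp -*-' names only a mode."""
    m = FIRST_LINE_RE.search(line)
    if not m:
        return []
    body = m.group(1)
    if ":" not in body:
        return [("mode", body.strip())]
    pairs = []
    for item in body.split(";"):  # assumption: no `;' inside an eval form (fine for triage)
        k, sep, v = item.partition(":")
        if sep:
            pairs.append((k.strip(), v.strip()))
    return pairs

def parse_trailer(text: str) -> List[Tuple[str, str]]:
    """Parse the `Local Variables:' ... `End:' block; Emacs looks for it in the last 3000 chars."""
    lines = text[-3000:].splitlines()
    start = next((i for i, l in enumerate(lines) if "Local Variables:" in l), None)
    if start is None:
        return []
    prefix, _, suffix = lines[start].partition("Local Variables:")
    pairs = []
    for l in lines[start + 1:]:
        if not (l.startswith(prefix) and l.endswith(suffix)):
            break  # every line must carry the same prefix/suffix; treat anything else as the end
        body = l[len(prefix):len(l) - len(suffix)]
        if body.strip() == "End:":
            break
        k, sep, v = body.partition(":")
        if sep:
            pairs.append((k.strip(), v.strip()))
    return pairs

def risky_local_variables(text: str) -> List[Tuple[str, str]]:
    """Return the `mode:'/`eval:' settings the file would impose on Emacs when visited."""
    first = text.splitlines()[0] if text else ""
    return [p for p in parse_first_line(first) + parse_trailer(text) if p[0] in RISKY]

# Constructed sample: reads as a plain note but carries both forms of file-local variables.
SAMPLE = ("-*- mode: emacs-lisp; coding: utf-8 -*-\nSome notes.\n;; Local Variables:\n"
          ";; mode: flymake\n;; eval: (message \"constructed example\")\n;; End:\n")
```

Running `risky_local_variables(SAMPLE)` reports the forced emacs-lisp mode, the forced flymake minor mode and the eval form, which is exactly what a reader should see before deciding to visit the file.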