GNU Emacs Automatically Executes Code in Fast Lock (.flc) Files
SecurityTracker Alert ID: 1020019|
SecurityTracker URL: http://securitytracker.com/id/1020019
(Links to External Site)
Date: May 14 2008
Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network|
Vendor Confirmed: Yes Exploit Included: Yes |
A vulnerability was reported in GNU Emacs. A user can cause arbitrary code to be executed on the target user's system.|
A user can create a specially crafted fast lock (.flc) file. When a file of the same name (less the '.flc' extension) in the same directory is edited by the target user, the code in the fast lock file will be executed. The code will run with the privileges of the target user.
Morten Welinder reported this vulnerability.
A user can create a file that, when edited by the target user, will execute arbitrary code on the target user's system in certain cases.|
No solution was available at the time of this entry.|
Vendor URL: www.gnu.org/software/emacs/emacs.html (Links to External Site)
Source Message Contents
Date: Sat, 10 May 2008 00:44:44 +0300|
Subject: [email@example.com: Emacs security bug]
------- Start of forwarded message -------
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham
Date: Fri, 9 May 2008 12:45:25 -0400
From: "Morten Welinder" <address@hidden>
Subject: Emacs security bug
it's been a while or two -- DJGPP was hot, new technology when we last
It's unclear to me where to send Emacs security concerns, so I am sending
this one to you. Please forward appropriately.
1. Create .emacs with contents
(seq font-lock-support-mode 'fast-lock-mode)
2. Create foo.c with contents /* Nothing to see here */
3. Create foo.c.flc with contents (message "Something to see here!")
4. Start Emacs and load foo.c
- --> Observe that code from foo.c.flc is run. Not good.
(This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to
a. Remove "." from fast-lock-cache-directories. Littering little
is not a good idea anyway.
b. Don't use load to handle the .flc file. Instead read it into a
buffer and read
one s-expression at a time and verify that it is sane before evaluating it.
c. Don't use files owned by anyone else. This cannot stand alone, though, as
it has a race condition.
------- End of forwarded message -------