bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
From: Stefan Kangas
Subject: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Date: Wed, 16 Oct 2019 01:17:51 +0200

Stefan Kangas <stefan@marxist.se> writes:
> > The below patch seems to fix it by disabling the feature it exploits.
>
> Here is a more complete patch. Does it look like the right fix?

flymake.el was first added to Emacs in version 22.1:

    4bcbcb9df3 2004-05-29 Eli Zaretskii New file.

The "multiple mode specification feature" dates back to:

    9fa7bfe524 1993-09-11 Richard M. Stallman
    (hack-local-variables-prop-line): Ignore any specification
    for `mode:', since set-auto-mode has already handled it.
    (set-auto-mode): Clean up. Handle more than one `mode:' spec in -*-.

The code that my proposed patch changes has stayed untouched since
this 1993 commit. If we agree that disabling this feature is the
solution here, a backported security fix should therefore hopefully be
a one liner all the way back to version 22.1.

Best regards,
Stefan Kangas