[Secure-testing-team] Bug#480877: emacs21: arbitrary code execution in fast-lock-mode

[Sven Joachim]

Package: emacs21
Version: 21.4a+1-5.4
Severity: important
Tags: security

The following message was forwarded to the emacs-devel mailing list, see
[1].  It is currently still under discussion there.

------- Start of forwarded message -------
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham 
	version=3.1.0
Date: Fri, 9 May 2008 12:45:25 -0400
From: "Morten Welinder" <mwelinder at gmail.com>
To: eliz at gnu.org
Subject: Emacs security bug

Hi there,

it's been a while or two -- DJGPP was hot, new technology when we last
spoke, :-)

It's unclear to me where to send Emacs security concerns, so I am sending
this one to you.  Please forward appropriately.

1. Create .emacs with contents
    (global-font-lock-mode t)
    (seq font-lock-support-mode 'fast-lock-mode)

2. Create foo.c with contents /* Nothing to see here */

3. Create foo.c.flc with contents (message "Something to see here!")

4. Start Emacs and load foo.c

- --> Observe that code from foo.c.flc is run.  Not good.
(This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to
be adjusted.)

Suggestions:

a. Remove "." from fast-lock-cache-directories.  Littering little
files everywhere
    is not a good idea anyway.

b. Don't use load to handle the .flc file.  Instead read it into a
buffer and read
    one s-expression at a time and verify that it is sane before evaluating it.

c. Don't use files owned by anyone else.  This cannot stand alone, though, as
    it has a race condition.

Morten Welinder
------- End of forwarded message -------

Since fast-lock-mode is not the default font-lock-support-mode and
probably few people use it, I set the severity to important rather than
grave.  Nevertheless it should be fixed in one of the ways Morten
outlined.


[1] http://lists.gnu.org/archive/html/emacs-devel/2008-05/msg00645.html