branch: elpa/flycheck
commit 77c100c3804c927786e39aa81d27f58d52935b76
Author: Bozhidar Batsov <[email protected]>
Commit: Bozhidar Batsov <[email protected]>
Mitigate CVE-2024-53920 in emacs-lisp checker subprocess
Disable local eval directives and restrict local variables to safe
values in the byte-compilation subprocess. This prevents arbitrary
code execution via file-local eval: directives when byte-compiling
untrusted files.
On Emacs 30+, the more comprehensive trusted-content mechanism
already prevents the rx (eval ...) attack vector.
Closes #2131
---
flycheck.el | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/flycheck.el b/flycheck.el
index 8f35d87db2..f290da5aba 100644
--- a/flycheck.el
+++ b/flycheck.el
@@ -8711,6 +8711,10 @@ See `https://credo-ci.org/'."
(defconst flycheck-emacs-lisp-check-form
(flycheck-prepare-emacs-lisp-form
+ ;; Mitigate CVE-2024-53920: prevent arbitrary code execution via
+ ;; file-local eval: directives during byte-compilation.
+ (setq enable-local-eval nil
+ enable-local-variables :safe)
;; Keep track of the generated bytecode files, to delete them after byte
;; compilation.
(require 'bytecomp)
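Review bot: the new comment should state that these two bindings are the fallback for Emacs versions without `trusted-content`, since the commit message says Emacs 30+ is already covered by that mechanism but the code comment only mentions the file-local `eval:` vector, and a future reader may take the `setq` as the complete mitigation. Two further points worth a sentence in the comment: `enable-local-variables :safe` still applies file-local variables whose values pass the `safe-local-variable` check, so only `eval:` entries and unsafe values are rejected, not local variables as a whole; and the bindings only help if they are in effect before the subprocess visits the file it is about to compile, which the placement at the head of the form satisfies, so noting that the ordering is load-bearing would keep a later reorder from silently undoing the fix.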