[metroholografix]

What's of greater importance here is not this specific security issue, but the default configuration of MIME handling in Emacs which can turn any unexpected evaluation bug -which we are likely to see more of- into remote code execution. We've had a previous Org security issue in exactly the same vein [1] and the Emacs MIME defaults are still unsafe. Of course, one can change them (non-trivial and related documentation is extremely confusing, see [2] for a possible solution) but really Emacs should not come with these defaults.

The loss of on-by-default functionality such as Org fontification in email message buffers is in no way as important as being wide open to trivial remote code execution.

[1] https://github.com/emacs-mirror/emacs/commit/befa9fcaae29a6c...

[2] https://xristos.sdf.org/fix-gnus-mime.el.txt

[hsbauauvhabzb]

I don’t fully understand lisp nor emacs internals. Do you anticipate similar bugs would exist across different major and minor modes, or emacs by default?

E.g., is markdown-mode or python-mode likely to have similar bugs? What about web browser modes, or chat modes, etc?

I genuinely like emacs but I’m worried for a future where my client cannot be trusted to not evaluate random data it has in files.

[metroholografix]

These bugs can be described as the major or minor mode evaluating code that is provided as part of the buffer that the mode is being enabled for. The two semi-recent examples that come to mind include Org (which offers this code evaluation as a feature) and text/enriched (which allowed arbitrary Lisp evaluation through a non-standard extension). In both of these cases, the evaluation was -somewhat- intended and even documented, so these are not bugs in the traditional definition. They become security bugs when one takes into account the exposed attack surface / dynamic interaction with parts of Emacs automatically switching on the mode (e.g. through an email in Gnus) on 3rd party untrusted input.

I don't expect to see code evaluation on untrusted input as intended features in web browser or chat modes.

[a1369209993]

> I don't expect to see code evaluation on untrusted input as intended features in web browser

I'm not sure whether to laugh or cry at that. Suffice to say that ship has sailed all the way around the world several times, to the great detriment of everyone who isn't a advertising or other malware-development corporation.

[metroholografix]

There's no JS interpreter in EWW [1]. If you're forced to use a different browser, having JS off by default is not hard to get used to.

[1] https://www.gnu.org/software/emacs/manual/html_node/eww/Over...

[kreyenborgi]

But surely someone out there will make a code highlighter for EWW, and maybe that highlighter calls org-mode on some block and that ends up evaluating stuff etc.