From: Werner Fink Date: Fri, 13 Dec 2024 14:32:39 +0000 Subject: [PATCH] Disable flymake on start and save (CVE-2024-53920) Disable flymake on start and save to avoid to be attacked with elisp code like in this example: > cat document.txt ;; -*- mode: emacs-lisp -*- (rx (eval (call-process "touch" nil nil nil "/tmp/owned"))) if not disabled the elisp code above is completed which means executed without any warning if `flymake-mode' would be enabled by default for `emacs-lisp-mode'. --- lisp/progmodes/flymake.el | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) --- lisp/progmodes/flymake.el +++ lisp/progmodes/flymake.el 2024-12-13 14:26:43.833166494 +0000 @@ -199,15 +199,21 @@ If nil, never start checking buffer auto (define-obsolete-variable-alias 'flymake-start-syntax-check-on-find-file 'flymake-start-on-flymake-mode "26.1") -(defcustom flymake-start-on-flymake-mode t +(defcustom flymake-start-on-flymake-mode nil "If non-nil, start syntax check when `flymake-mode' is enabled. -Specifically, start it when the buffer is actually displayed." +Specifically, start it when the buffer is actually displayed. +Warning: if enabled and with elisp-mode the triggered code completion on +untrusted Emacs Lisp source code allows attackers to execute arbitrary code. +More information at https://www.cve.org/CVERecord?id=CVE-2024-53920" :version "26.1" :type 'boolean) -(defcustom flymake-start-on-save-buffer t +(defcustom flymake-start-on-save-buffer nil "If non-nil, start syntax check when a buffer is saved. -Specifically, start it when the saved buffer is actually displayed." +Specifically, start it when the saved buffer is actually displayed. +Warning: if enabled and with elisp-mode the triggered code completion on +untrusted Emacs Lisp source code allows attackers to execute arbitrary code. +More information at https://www.cve.org/CVERecord?id=CVE-2024-53920" :version "27.1" :type 'boolean)