emacs/emacs-CVE-2024-53920.patch

From: Werner Fink <werner@suse.de>
Date: Fri, 13 Dec 2024 14:32:39 +0000
Subject: [PATCH] Disable flymake on start and save (CVE-2024-53920)

Disable flymake on start and save to avoid to be attacked with elisp code
like in this example:

 > cat document.txt 
 ;; -*- mode: emacs-lisp -*-
 (rx (eval (call-process "touch" nil nil nil "/tmp/owned")))

if not disabled the elisp code above is completed which means executed
without any warning if `flymake-mode' would be enabled by default for
`emacs-lisp-mode'.

---
 lisp/progmodes/flymake.el |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- lisp/progmodes/flymake.el
+++ lisp/progmodes/flymake.el	2024-12-13 14:26:43.833166494 +0000
@@ -199,15 +199,21 @@ If nil, never start checking buffer auto
 (define-obsolete-variable-alias 'flymake-start-syntax-check-on-find-file
   'flymake-start-on-flymake-mode "26.1")
 
-(defcustom flymake-start-on-flymake-mode t
+(defcustom flymake-start-on-flymake-mode nil
   "If non-nil, start syntax check when `flymake-mode' is enabled.
-Specifically, start it when the buffer is actually displayed."
+Specifically, start it when the buffer is actually displayed.
+Warning: if enabled and with elisp-mode the triggered code completion on
+untrusted Emacs Lisp source code allows attackers to execute arbitrary code.
+More information at https://www.cve.org/CVERecord?id=CVE-2024-53920"
   :version "26.1"
   :type 'boolean)
 
-(defcustom flymake-start-on-save-buffer t
+(defcustom flymake-start-on-save-buffer nil
   "If non-nil, start syntax check when a buffer is saved.
-Specifically, start it when the saved buffer is actually displayed."
+Specifically, start it when the saved buffer is actually displayed.
+Warning: if enabled and with elisp-mode the triggered code completion on
+untrusted Emacs Lisp source code allows attackers to execute arbitrary code.
+More information at https://www.cve.org/CVERecord?id=CVE-2024-53920"
   :version "27.1"
   :type 'boolean)