Emacs also has an RCE vulnerability
[image] Information from Twitter: Vim has an RCE that triggers as soon as a file is opened. Vim tabpanel modeline escape affects Vim < 9.2.0272 · Advisory · vim/vim · GitHub poc vim -version VIM - Vi IMproved 9.2 (2026 Feb 14, compiled Mar 25 2026 22:0…
This one was also found by Claude.
MADBugs/vim-vs-emacs-vs-claude/emacs-claude-prompts.txt
main
## GNU Emacs Security Audit — Conversation Summary
---
### User: I've heard a rumor that there are RCE 0-days when you open a txt file without any confirmation prompts.
Claude: Investigated multiple angles in parallel — file-local variable parsing order, `read-symbol-shorthands` bypass attempts, auto-triggered evaluation paths, `safe-local-eval-forms` abuse, enriched text `<x-display>` display properties, and the `disable-eval` check in the C display engine (xdisp.c). Found that shorthands can't bypass safety checks because values are read in temp buffers before shorthands are applied. Confirmed `mode-line-format` IS in the risky list. Searched for CVEs and found Emacs 29.3/29.4 were emergency releases for org-mode RCE.
Key finding: `hack-one-local-variable-eval-safep` (files.el:4568) allows calling ANY function ending in `-mode` with args nil/1/0/-1 via file-local `eval:` — no prompt. Dangerous modes found: `server-mode` (opens eval socket), `flyspell-mode` (spawns ispell), `doc-view-mode` (spawns ghostscript).
---
### User: There are more.
Claude: Searched deeper — process-spawning modes, safe variables that enable dangerous behavior, `:safe t` defcustoms. Found:
- **VC-mode** runs `git ls-files` and `git status` on EVERY file open via `find-file-hook` (vc-hooks.el:1005). A malicious `.git/config` with `core.fsmonitor` executes arbitrary commands. Zero local variables needed.
- **flyspell-mode** spawns ispell process during activation.
- **doc-view-mode** spawns ghostscript/mutool during activation.
- **treesit grammar loading** — `treesit-extra-load-path` NOT marked risky. `.dir-locals.el` can point to malicious `.so` files loaded via `dlopen()`.
- **less-css-lessc-options** has `:safe t` — completely unrestricted values accepted without prompt.
This file has been truncated.
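A triage check for the findings listed above, as an added example that is not part of the original post or the MADBugs repository: it reads an untrusted directory tree as raw bytes, before anything is opened in Emacs, and reports a `core.fsmonitor` entry in `.git/config`, file-local `eval:` forms that call a `-mode` function, and `.dir-locals.el` files that set `treesit-extra-load-path` or `less-css-lessc-options`. The function names and matching rules are this example's own assumptions.

```python
import os, re, sys

# Names come from the audit summary above; the matching rules are this example's own heuristics.
EVAL_MODE = re.compile(rb"eval:\s*\(\s*([^\s()]+-mode)(?=[\s)])")
DIR_LOCAL_VARS = (b"treesit-extra-load-path", b"less-css-lessc-options")
FSMONITOR = re.compile(r"\s*fsmonitor\s*=\s*(.*\S)", re.I)
SECTION = re.compile(r"\s*\[\s*([\w.-]+)[^\]]*\]")

def git_fsmonitor(config_path):
    """Return the first core.fsmonitor value in a git config file, or None."""
    section = ""
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if head := SECTION.match(line):
                section, line = head.group(1).lower(), line[head.end():]
            if section == "core" and (m := FSMONITOR.match(line)):
                return m.group(1)
    return None

def scan(root):
    """Read files as bytes (nothing is opened in Emacs); return sorted (relpath, finding) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        cfg = os.path.join(dirpath, ".git", "config")
        if os.path.isfile(cfg) and (value := git_fsmonitor(cfg)) is not None:
            findings.append((os.path.relpath(cfg, root), f"core.fsmonitor = {value}"))
        if ".git" in dirnames:
            dirnames.remove(".git")  # repository internals are not edited directly
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file or dangling symlink
            if name == ".dir-locals.el":
                findings += [(rel, f"sets {v.decode()}") for v in DIR_LOCAL_VARS if v in data]
            # File-local variables live in the first lines or near the end of the file;
            # matching without the "Local Variables:" marker over-reports on purpose.
            zones = b"\n".join(data.split(b"\n", 2)[:2]) + b"\n" + data[-3000:]
            for fn in sorted(set(EVAL_MODE.findall(zones))):
                findings.append((rel, f"file-local eval calls {fn.decode()}"))
    return sorted(findings)

if __name__ == "__main__":
    for rel, finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {finding}")
```

Run it with the directory to check as the only argument. A hit is a reason to inspect the file in a viewer that does not process local variables, not proof of malice.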
Replies: --[1]--:
Is there a patch?

