Uhhh, guys? This looks real bad
"GNU Emacs: Multiple Remote Code Execution Vectors on File Open"
https://github.com/califio/publications/blob/main/MADBugs/vim-vs-emacs-vs-claude/Emacs.md
@jameshowell nice find, but looks more like a git issue to me. Emacs is the culprit as it executes `git ls-files`, but a user can do the same and won't expect that this executes attacker-controlled scripts. Other IDEs are probably also calling git ls-files.
The suggested fix is also overly specific. Other git mechanisms execute scripts stored in .git too (hooks, diff/merge engines, signing).
Bottom line is: clone git, don't ship/touch/unpack untrusted archives that have a .git included.
@cehteh No, this is an Emacs problem. It's the one calling git unprompted. If it can't do that safely, it's up to Emacs to not*
Arguably that cripples the usefulness (anyone checked #Magit, may have the same problem).
The suggested fix is inadequate at least.
A rather drastic fix would be that git itself maintains a list of trusted repositories (the ones it cloned or initialized itself), plus a UI to add/remove/gc from this list, then only executes content from these .git's and rejects everything else.
One could implement that for Emacs alone, keeping a list of trusted git repos and rejecting git on untrusted ones. But that's not a fix at the root of the problem.
I think a solution may be this tar argument.
`--exclude-vcs`: Exclude version control system directories.
The problem is if someone slips you an untrusted .git/config it can execute code on your system.
But untrusted .git/ directories can run arbitrary code through a number of other mechanisms as well.
It's probably not a great idea to unpack something without reviewing its contents first.
I'm pretty sure if you git clone, the config file only contains settings you set.
@alienghic The solution can't be "just don't download a nefarious zip/tarball". Also think about how an Emacs user would look at the contents of an archive before unpacking: using Emacs, which will helpfully unarchive it to temp storage and run git on it when you look at a file.
The solution needs to be Emacs not running unsafe commands unbidden.
I am an emacs user, I download archives and extract them with the shell. This issue reminds me that a .git directory contains code and shouldn't be trusted.
Git probably should have some mark that when you move a git repo to another machine anything that can execute code is blocked until you mark the repo as trusted.
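
Added example, not from any poster in the thread: a Python check for the "review the contents before unpacking" step discussed above. It lists, without extracting anything, what an archive carries inside a `.git` directory (the repo config and any non-sample hooks). The function names and the sample archive are constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath

def audit_tar_for_git(fileobj):
    """List archive members inside a .git directory without extracting anything.

    Returns the repo config files, the non-sample hook files, and a count of
    all other members found under a .git directory.
    """
    report = {"config": [], "hooks": [], "other_git_members": 0}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            parts = PurePosixPath(member.name).parts
            if ".git" not in parts:
                continue
            inside = parts[parts.index(".git") + 1:]  # path relative to the .git dir
            if inside == ("config",):
                report["config"].append(member.name)
            elif (len(inside) == 2 and inside[0] == "hooks" and member.isfile()
                  and not inside[1].endswith(".sample")):
                report["hooks"].append(member.name)
            else:
                report["other_git_members"] += 1
    return report

def build_sample_archive():
    """Constructed sample input: a tarball that ships its own .git directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in [
            ("proj/README", b"hello\n"),
            ("proj/.git/HEAD", b"ref: refs/heads/main\n"),
            ("proj/.git/config", b"[core]\n\tbare = false\n"),
            ("proj/.git/hooks/pre-commit", b"#!/bin/sh\n"),
            ("proj/.git/hooks/pre-commit.sample", b"#!/bin/sh\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(audit_tar_for_git(build_sample_archive()))
```

A non-empty `config` or `hooks` list means the archive brings its own git settings or scripts, so it is a candidate for unpacking with `--exclude-vcs` or for inspection outside any tool that runs git automatically.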