Opening a file in GNU Emacs can trigger arbitrary code execution through version control (git), most requiring zero user interaction beyond the file open itself.

https://github.com/califio/publications/blob/main/MADBugs/vim-vs-emacs-vs-claude/Emacs.md

#infosec #cybersecurity #redteam #pentest #ai #emacs #claude

@r1cksec yeah the complete thing is not a vulnerability at all, you will run arbitrary code when running git hooks - that is a git vuln. And second, you need to download a git repo tar because cloning does not clone git hooks

@zenmaya @r1cksec yeah definitely a git bug. I don't typically use them but looking into it, it seems a good solution might be to distrust git hooks globally then allow them per trusted project in git itself?

git config --global core.hooksPath /dev/null (or your own custom trusted hooks folder you always want)

then in trusted projects enable them: git config core.hooksPath .git/hooks
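
A check that fits the advice in this thread, added here as an example and not posted by anyone in it: before opening files from an unpacked archive, list executable hooks and any repo-local core.hooksPath setting, since a repository's own .git/config takes precedence over the --global value. The function name audit_hooks and the HOOK/HOOKSPATH output labels are made up for this example.

```shell
#!/bin/sh
# audit_hooks DIR
# Walks DIR (for example a tree unpacked from a tarball) and prints one
# finding per line:
#   HOOK <path>        executable, non-sample file in a .git/hooks directory
#   HOOKSPATH <path>   .git/config that sets its own hooksPath
# Covers ordinary repositories only; bare repos and linked worktrees are
# not handled in this example.
audit_hooks() {
    root=$1
    find "$root" -type d -name .git 2>/dev/null | sort |
    while IFS= read -r gitdir; do
        if [ -d "$gitdir/hooks" ]; then
            for f in "$gitdir"/hooks/*; do
                # Skip an unmatched glob and anything that is not a regular file.
                [ -f "$f" ] || continue
                # The *.sample templates git ships are never run as hooks.
                case $f in *.sample) continue ;; esac
                if [ -x "$f" ]; then
                    printf 'HOOK %s\n' "$f"
                fi
            done
        fi
        # Config keys are case-insensitive, so match hooksPath loosely.
        # A local value here overrides `git config --global core.hooksPath`.
        if [ -f "$gitdir/config" ] && grep -qi 'hookspath' "$gitdir/config"; then
            printf 'HOOKSPATH %s\n' "$gitdir/config"
        fi
    done
}

# Usage: audit_hooks ./unpacked-archive
```

No output means no active hooks and no local hooksPath override were found under the directory.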