GNU Releases Emacs 26.1 and Plugs Lisp-related Security Hole

GNU developers announced today that the release of Emacs 26.1 tightened up a security hole in the venerable nearly 42-year-old Unix and Linux text editor. While it might seem strange to the uninitiated that a text editor would require security updates, fans of Emacs will be quick to point out that the application does far more than provide a blank screen to write code.

Emacs is capable of managing email accounts, file structures and RSS feeds, thus making it a target for vandals, at least in theory. The security vulnerability was related to Enriched Text mode, and developers report that it was first introduced with the release of Emacs 21.1. This mode did not guard against Lisp code in display properties, which it decodes to allow saving these properties with the text.

Since Emacs supports evaluation of forms as part of processing the display properties, displaying this sort of Enriched Text could allow the editor to execute malicious Lisp code. While the risk of this happening was low, GNU’s developers were afraid that dangerous code could be attached to an enriched email message that would then execute on the recipient’s machine.

Emacs 26.1 disables arbitrary form execution in display properties by default. System administrators who have a pressing need for this compromised feature can enable it manually if they understand the risk.

Those with older versions of the packages already installed needn’t upgrade to take advantage of the security fix. According to the emacs.git news text file that accompanies the newest version of the software, users working with versions going back to 21.1 can append a single line to their .emacs configuration file to disable the feature that causes the issue.
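The init-file workaround mentioned above, written out as an added example that is not part of the original article. The decoder override follows the form given in the Emacs NEWS file, `enriched-allow-eval-in-display-props` is the user option Emacs 26.1 provides for this feature, and the `boundp` dispatch between the two is this example's own assumption about how to keep one init file safe across versions.

```elisp
;; Added example for ~/.emacs (not from the original article).
;; Runs once enriched.el is loaded, so it costs nothing until
;; Enriched Text mode is actually used.
(eval-after-load "enriched"
  '(if (boundp 'enriched-allow-eval-in-display-props)
       ;; Emacs 26.1 and later: the option exists and defaults to nil.
       ;; Pin it to nil so a stray customization cannot re-enable
       ;; Lisp evaluation in decoded display properties.
       (setq enriched-allow-eval-in-display-props nil)
     ;; Older Emacs without the option: replace the decoder with a
     ;; stub that returns only the region bounds, so display
     ;; annotations in Enriched Text files are never turned into
     ;; `display' text properties.
     (defun enriched-decode-display-prop (start end &optional param)
       (list start end))))
```

After restarting Emacs, `C-h v enriched-allow-eval-in-display-props` on 26.1 or later should report `nil`; on older versions, `C-h f enriched-decode-display-prop` should show the stub definition once Enriched Text mode has been loaded.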

Due to the way that Unix and Linux security schemes function, exploits related to this vulnerability would have been unlikely to do damage outside of a user’s home directory. However, an exploit could hypothetically have ruined locally stored documents and configuration files, as well as sent malicious email messages if a user had Emacs connected to an email server.


John Rendace