Hi there,
I saw that the latest release (version 36) purports to mitigate CVE-2024-53920, but I think the fix (in commit 77c100c) does not actually mitigate the issue, and AFAICT Flycheck is still vulnerable. Note that the vulnerability is not about file-local variables, it's about the fact that Elisp macro-expansion (which is a necessary part of Elisp compilation) executes arbitrary code.
To mitigate this vulnerability, Flycheck needs to refrain from compiling untrusted Elisp files/buffers, e.g. by checking trusted-content-p before initiating compilation.
Thanks!
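
One way to express the check suggested above, as an added example (not Flycheck's code and not part of the original report). The `my/` names are hypothetical, and `trusted-content-p` is assumed to be the Emacs 30 function that consults the `trusted-content` option; the gate runs in the editing session before any compilation starts, in this process or a subprocess.

```emacs-lisp
;;; -*- lexical-binding: t; -*-
;; Added example, not Flycheck code.  All `my/...' names are hypothetical.

(defvar trusted-content)   ; user option in Emacs 30; declared special here

(defun my/content-trusted-p (&optional buffer)
  "Return non-nil if BUFFER (default: current) holds trusted content.
Fails closed: on an Emacs without `trusted-content-p' there is no
trust information to consult, so the content counts as untrusted."
  (with-current-buffer (or buffer (current-buffer))
    (and (fboundp 'trusted-content-p)
         (trusted-content-p))))

(defun my/call-if-trusted (compile-fn &rest args)
  "Call COMPILE-FN with ARGS only if the current buffer is trusted.
COMPILE-FN is whatever would start compilation or macro expansion.
Return (ran . RESULT) when it was called, (skipped . untrusted) when
it was not."
  (if (my/content-trusted-p)
      (cons 'ran (apply compile-fn args))
    (message "Not compiling %s: content is not trusted" (buffer-name))
    (cons 'skipped 'untrusted)))

(defun my/self-check ()
  "Return non-nil if a constructed untrusted buffer is refused.
The buffer visits an empty temporary file that is not listed in
`trusted-content', so the compile function must never be reached."
  (let* ((file (make-temp-file "untrusted-" nil ".el"))
         (called nil)
         (trusted-content nil))          ; trust nothing for this check
    (unwind-protect
        (with-current-buffer (find-file-noselect file)
          (prog1 (and (equal (my/call-if-trusted
                              (lambda () (setq called t)))
                             '(skipped . untrusted))
                      (not called))
            (kill-buffer)))
      (delete-file file))))
```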