https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
Emacs is like a bloated browser, but whereas you can turn off JS in Firefox, you can't really turn off lisp macros in Emacs since that's basically what Emacs is. Without the macros there is no Emacs. I just learned that my intuition about Emacs security has been proven true: looking at a /simple/ lisp macro in Emacs could trigger a malicious attack. Emacs is vulnerable going back at least to June 2018.
This is why the minimalism and simplicity movement in software has to attack all stacks. We need small secure building blocks that can be sandboxed. Not bloated monoliths ... just to edit text.
3 weeks ago · 👍 m0xee
Wordgrinder was made for writers and isn't bloat. · 3 weeks ago
But just imagine what has to be going through your mind to install 250MB of software to edit a textfile. Imagine spending 2 years editing your config file 'just right'. The whole concept of Emacs is like a Commodore 64. Cool in its time, perhaps something to run in an emulator, but an outmoded concept whose continued existence represents a misalignment with reality which is... WAR on every front.
AI fuzzing has an important political implication. Since AI will be able to find the vulns before humans do, there will emerge two strata of software: complexity managed by state-controlled AI, and simplicity managed by individuals. That's a WAR for individual freedom from state control. · 3 weeks ago
But don't worry. It's fixed now. Go back to sleep. · 3 weeks ago
Oh, wait, Emacs hasn't just suffered from the CVE since June 2018. It's been /known/ by Emacs developers since that time. It's unbelievable:
[As far as I can tell] the earliest public discussion about the security implications of Emacs Lisp macros started in August 2018, when Wilfred Hughes noted that code completion can lead to arbitrary code execution via macro-expansion. In October 2019, Adam Plaice reported that Flymake specifically can be used in a similar exploit. Some solutions have been floated in the discussions following these reports, but unfortunately, Emacs remains vulnerable to this very day.
It's a WAR on Jenga stacks, or get f--ked by complexity. · 3 weeks ago
I think a prerequisite for any text editor is that (a) it can be sandboxed, and (b) it can be compiled with varying degrees of security in mind. Vim does this to a certain extent, but if you try to remove plugin functionality, you lose syntax highlighting. Unless you really want to hack the code, you have to accept huge gobs of unwanted functionality which bring with them complexity and vulnerabilities. And that's for the "simple" text editor. Many people flee vim and neovim because configuration constantly breaks with every update. Everything is bloated and broken. Our hammers are made of bananas. · 3 weeks ago
Treesitter is sold as a feature of helix (and of Emacs and Neovim), but the bash highlighter in helix is complete crap and a serious problem. It shocked me how bad the highlighting was, making a complete visual mess of bash code. Much worse than nano! For example, variables were visually incoherent. I edited the treesitter files, but then I realized that all the themes have to be updated as well. It's a huge technical debt that's already sitting there, and treesitter isn't even 100% in place as the default for anything. It's half baked, but here we are neck deep in it. · 3 weeks ago
Right now I'm watching helix editor (inspired by kakoune, which was inspired by vim) turn into a bloated mess, slowly but surely. First of all, they've based the entire thing off a library (ropes) that publicly announces that it uses unsafe code, and that it shouldn't be used for secure applications. WTF? Why is it written in rust then? And the plugin system is going to use a lisp flavor, not rust. Their dream is to marry the vim and emacs experience. I wonder if they're going to officially build in the CVE above, or surprise us. Imagine using rust and not making secure software. This is one definition of mental illness. · 3 weeks ago
How did we get to the point where writing text requires bloated monoliths (Microsoft Word, Emacs, NeoVim), and insecure formats (macros in docx, JS tainted PDFs/Epubs)? Nobody seems to care that we can't write down our thoughts without engaging with huge and insecure stacks. Or writing in nano. It's either all the features, or no features. And writing tools almost always cater to programmers and not writers, which is why writers are stuck with crap like Word. I can't think of a single editor that (a) is aimed at writers, and (b) isn't a half-baked pet project, (c) isn't a bloated pile of crap, or (d) something stupid made for mobile. · 3 weeks ago