Subject: bug#28350: enriched.el code execution
Resent-From: charles@aurox.ch (Charles A. Roelli)
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Mon, 04 Sep 2017 19:26:01 +0000
X-GNU-PR-Message: report 28350
X-GNU-PR-Package: emacs
To: 28350@debbugs.gnu.org
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
Date: Mon, 04 Sep 2017 21:24:42 +0200
From: charles@aurox.ch (Charles A. Roelli)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

Enriched mode implements an extension command to the text/enriched
format called "x-display", which stores "display" text properties.
It was added a while ago:

commit d9e28c1ca1d95f51a05d052dcf1fe06888d52476
Author: Gerd Moellmann
Date:   Wed Jul 21 21:43:03 1999 +0000

    (enriched-translations): Add `display' and "x-display".
    (enriched-handle-display-prop): New.
    (enriched-decode-display-prop): New.

It's possible to use this extension command to transparently execute
arbitrary code in an Emacs process that opens a text/enriched file.
For example, if you open a file containing the following contents:

    Content-Type: text/enriched
    Text-Width: 70

    (when (message "hello world") nil)test

Then "hello world" will be printed in the echo area whenever the
"test" text is displayed (which is immediate). Note that the
s-expression between the tags needs to conform to a "display" spec:
but since there are a few display specs that can execute code, it's
not difficult to craft a file that could have bad effects (shell
commands work, for example).

Additionally, such a file can be compressed with gzip (thus hiding the
contents), and when it is opened, Emacs will automatically decompress
it and apply the display properties.

Attached is an example file (enriched-bug-example.txt) that turns the
mode line red as soon as you open it.
It works in 23.4, 24.5, 25.2 and master (and possibly earlier versions
-- I haven't tested).

Other extensions in `enriched-translations' of enriched.el may have
similar issues (I don't understand them all, so I hope somebody else
can make sure).

Content-Type: text/enriched
Content-Disposition: attachment; filename=enriched-bug-example.txt

    Content-Type: text/enriched
    Text-Width: 70

    (when (set-face-attribute (quote mode-line) nil :background "red") nil)test
From: Glenn Morris
Date: Tue, 05 Sep 2017 11:34:54 -0400
Subject: control message for bug 28350

severity 28350 important
tag 28350 security
From: Glenn Morris
Date: Tue, 05 Sep 2017 11:35:21 -0400
Subject: control message for bug 24655

block 24655 by 28350

Date: Tue, 05 Sep 2017 21:54:09 +0300
Message-Id: <83tw0h0yem.fsf@gnu.org>
From: Eli Zaretskii
To: control@debbugs.gnu.org
Subject: enriched.el code execution

unblock 24655 by 28350
thanks

Resent-Date: Wed, 06 Sep 2017 19:26:02 +0000
X-GNU-PR-Message: followup 28350
X-GNU-PR-Keywords: security
To: 28350@debbugs.gnu.org
Date: Wed, 06 Sep 2017 21:25:18 +0200
From: charles@aurox.ch (Charles A. Roelli)

If anyone wants a fix to apply locally, the following s-expression
prevents the display parameter from being used by Enriched mode
(tested in Emacs 23+):

    (eval-after-load "enriched"
      '(defun enriched-decode-display-prop (start end &optional param)
         (list start end)))

As for a fix to apply to master: I'd like to keep "x-display" if we
can agree on some "safe" predicate that the given parameter would have
to satisfy. Looking at the list of display specifications that are
available, it seems that simple string, margin text, space-width,
height (only in the (+ n), (- n) and n cases) and raise specifications
should be okay. Does anybody else have an opinion about this?
To: charles@aurox.ch (Charles A. Roelli)
Cc: 28350@debbugs.gnu.org
Date: Thu, 07 Sep 2017 05:34:34 +0300
Message-Id: <837exb1bk5.fsf@gnu.org>
From: Eli Zaretskii

> Date: Wed, 06 Sep 2017 21:25:18 +0200
> From: charles@aurox.ch (Charles A. Roelli)
>
> As for a fix to apply to master: I'd like to keep "x-display" if we
> can agree on some "safe" predicate that the given parameter would have
> to satisfy. Looking at the list of display specifications that are
> available, it seems that simple string, margin text, space-width,
> height (only in the (+ n), (- n) and n cases) and raise specifications
> should be okay. Does anybody else have an opinion about this?

I agree that the cases you have shown are safe.

Thanks.
From: Glenn Morris
Date: Fri, 08 Sep 2017 16:22:09 -0400
Subject: control message for bug 28350

found 28350 21.1,21.2,21.3,21.4,22.1,22.2,22.3,23.1,23.2,23.3,23.4,24.1,24.2,24.3,24.4,24.5,25.1,25.2

Resent-Date: Sat, 09 Sep 2017 12:25:01 +0000
To: Eli Zaretskii
Cc: 28350@debbugs.gnu.org
Date: Sat, 09 Sep 2017 14:23:54 +0200
From: charles@aurox.ch (Charles A. Roelli)
In-reply-to: <837exb1bk5.fsf@gnu.org> (message from Eli Zaretskii on Thu, 07 Sep 2017 05:34:34 +0300)
References: <837exb1bk5.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

> Date: Thu, 07 Sep 2017 05:34:34 +0300
> From: Eli Zaretskii
> CC: 28350@debbugs.gnu.org
>
> > Date: Wed, 06 Sep 2017 21:25:18 +0200
> > From: charles@aurox.ch (Charles A. Roelli)
> >
> > As for a fix to apply to master: I'd like to keep "x-display" if we
> > can agree on some "safe" predicate that the given parameter would have
> > to satisfy. Looking at the list of display specifications that are
> > available, it seems that simple string, margin text, space-width,
> > height (only in the (+ n), (- n) and n cases) and raise specifications
> > should be okay. Does anybody else have an opinion about this?
>
> I agree that the cases you have shown are safe.
>
> Thanks.

Thank you. Does the attached patch look OK? I've used the file
enriched-test-safe-props.txt (also attached) to test that safe
properties are still applied.

Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-Prevent-code-execution-by-text-enriched-files-Bug-28.patch

From 1c58b3e76a80a342c2f7e96d91214fe49678f471 Mon Sep 17 00:00:00 2001
From: "Charles A. Roelli"
Date: Sat, 9 Sep 2017 14:03:58 +0200
Subject: [PATCH] Prevent code execution by text/enriched files (Bug#28350)

* lisp/textmodes/enriched.el (enriched-display-prop-safe-p): New function.
(enriched-decode-display-prop): Use it to prevent unsafe display
properties from being applied.
---
 lisp/textmodes/enriched.el | 43 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
index 7ace2a5..f496259 100644
--- a/lisp/textmodes/enriched.el
+++ b/lisp/textmodes/enriched.el
@@ -503,6 +503,47 @@ enriched-decode-display-prop (error nil))))) (unless prop (message "Warning: invalid parameter %s" param)) - (list start end 'display prop))) + (if (enriched-display-prop-safe-p prop) + (list start end 'display prop) + (message "Warning: unsafe parameter %s not applied" param) + (list start end)))) + +(defun enriched-display-prop-safe-p (prop) + "Return t if display property PROP is safe to apply to text. + +A safe display property is either: + + - a string, + + - a space-width display specification, (space-width factor), + where FACTOR is an integer or a float, + + - a margin display specification, ((margin right-margin) spec) + or ((margin left-margin) spec), where SPEC is a string, + + - a height display specification, (height spec), where SPEC is + of the form (+ n), (- n) or n, and N is an integer, + + - or a raise display specification, (raise factor), where + FACTOR is an integer. + +See Info node `(elisp)Display Property' for the use of these +display specifications." 
+ (ignore-errors + (or (stringp prop) + (and (eq (car prop) 'space-width) + (or (integerp (cadr prop)) (floatp (cadr prop)))) + (and (consp (car prop)) + (eq (caar prop) 'margin) + (or (eq (cadar prop) 'right-margin) + (eq (cadar prop) 'left-margin)) + (stringp (cadr prop))) + (and (eq (car prop) 'height) + (or (integerp (cadr prop)) + (and (listp (cadr prop)) + (or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-) + (integerp (elt (cadr prop) 1))))) + (and (eq (car prop) 'raise) + (integerp (cadr prop)))))) ;;; enriched.el ends here
-- 
2.9.4

Content-Type: text/enriched
Content-Disposition: attachment; filename=enriched-test-safe-props.txt

    Content-Type: text/enriched
    Text-Width: 70

    "replace"test
    (space-width 5)large spaces
    ((margin left-margin) "string")marginal text
    (height 3)tall text
    (raise 5)raised text
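Review bot: the height branch of enriched-display-prop-safe-p does not enforce what its docstring promises. In (or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-) the second eq is missing, so the or is satisfied by any non-nil first element (and the bare '- is non-nil in any case); a two-element list headed by any symbol therefore passes as a height spec as long as its second element is an integer. (memq (elt (cadr prop) 0) '(+ -)) expresses the intended (+ n)/(- n) test. A smaller point in the space-width branch: (or (integerp (cadr prop)) (floatp (cadr prop))) is just (numberp (cadr prop)).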
To: charles@aurox.ch (Charles A. Roelli)
Cc: 28350@debbugs.gnu.org
Date: Sat, 09 Sep 2017 16:45:40 +0300
Message-Id: <838thovvcr.fsf@gnu.org>
From: Eli Zaretskii
References: <837exb1bk5.fsf@gnu.org>

> Date: Sat, 09 Sep 2017 14:23:54 +0200
> From: charles@aurox.ch (Charles A. Roelli)
> CC: 28350@debbugs.gnu.org
>
> Thank you. Does the attached patch look OK? I've used the file
> enriched-test-safe-props.txt (also attached) to test that safe
> properties are still applied.

Thank you for working on this. I have some comments:

> --- a/lisp/textmodes/enriched.el
> +++ b/lisp/textmodes/enriched.el
> @@ -503,6 +503,47 @@ enriched-decode-display-prop > (error nil))))) > (unless prop > (message "Warning: invalid parameter %s" param)) > - (list start end 'display prop))) > + (if (enriched-display-prop-safe-p prop) > + (list start end 'display prop) > + (message "Warning: unsafe parameter %s not applied" param) > + (list start end))))

I think we will want to allow unsafe display properties, given a
user's explicit permission. So I think we need a defcustom that
allows this, and then enriched-display-prop-safe-p should always
return non-nil.

> +See Info node `(elisp)Display Property' for the use of these > +display specifications." > + (ignore-errors > + (or (stringp prop)
                                                                                                                       ^^^^^^^^^^^^
What about an image spec (including a slice spec)?

> + (and (eq (car prop) 'space-width) > + (or (integerp (cadr prop)) (floatp (cadr prop)))) > + (and (consp (car prop)) > + (eq (caar prop) '>margin) > + (or (eq (cadar prop) 'right-margin) > + (eq (cadar prop) 'left-margin)) > + (stringp (cadr prop)))

The margin display can also specify an image, not just a string, and I
think that would be safe as well.

> + (and (eq (car prop) 'height) > + (or (integerp (cadr prop)) > + (and (listp (cadr prop)) > + (or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-) > + (integerp (elt (cadr prop) 1)))))
                                                                                                                                                              ^^^^^^^^
I think this should be numberp, as the value could also safely be a
float.

> + (and (eq (car prop) 'raise) > + (integerp (cadr prop))))))
                                     ^^^^^^^^
The FACTOR in (raise FACTOR) can also be a float, so I think numberp
is the correct predicate here.

And then what about (space . PROPS) type of display spec? I think all
of its variants are safe.
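The predicate under review, carried over into Python as an added example (not enriched.el code and not from this thread's authors) so the check can be run over a text/enriched file outside Emacs. It accepts only the shapes the thread agreed are safe: a plain string, (space-width N), ((margin left-margin|right-margin) "text"), (height N | (+ N) | (- N)) and (raise N), with N any number as Eli suggests; the car of a height form must be exactly + or -, and everything else, including a parameter the reader cannot parse and the image and (space . PROPS) cases still under discussion, is rejected. The <x-display><param>...</param> markup is assumed to follow the standard text/enriched parameter syntax (the tags are not visible on this page); the sample file, the gzip round-trip and the names read_sexp, display_spec_safe, load_enriched and vet_x_display are constructed for this example.

```python
import gzip
import re

class Symbol(str): "A Lisp symbol, kept distinct from quoted string data."

_TOKEN = re.compile(r'\s+|(?P<str>"(?:\\.|[^"\\])*")|(?P<open>\()|(?P<close>\))'
                    r'|(?P<quote>\')|(?P<atom>[^\s()"\']+)|(?P<bad>.)')
_NUMBER = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:e[+-]?\d+)?$", re.I)
_XDISPLAY = re.compile(r"<x-display>\s*<param>(.*?)</param>", re.I | re.S)

def _tokenize(text):
    tokens = [(m.lastgroup, m.group()) for m in _TOKEN.finditer(text)]
    if any(kind == "bad" for kind, _ in tokens):  # e.g. an unterminated string
        raise ValueError("unreadable character in parameter")
    return [t for t in tokens if t[0]]  # drop whitespace (lastgroup is None)

def _parse(tokens, i):
    # Parse one datum at tokens[i]; return (datum, index after it).
    if i >= len(tokens):
        raise ValueError("unexpected end of input")
    kind, tok = tokens[i]
    if kind == "open":
        items, i = [], i + 1
        while i < len(tokens) and tokens[i][0] != "close":
            item, i = _parse(tokens, i)
            items.append(item)
        if i >= len(tokens):
            raise ValueError("unbalanced '('")
        return items, i + 1
    if kind == "close":
        raise ValueError("unbalanced ')'")
    if kind == "quote":  # 'x reads as (quote x)
        datum, i = _parse(tokens, i + 1)
        return [Symbol("quote"), datum], i
    if kind == "str":
        return re.sub(r"\\(.)", r"\1", tok[1:-1]), i + 1
    if _NUMBER.match(tok):
        return (float(tok) if re.search(r"[.eE]", tok) else int(tok)), i + 1
    return Symbol(tok), i + 1  # any other atom is a symbol (+ and - included)

def read_sexp(text):
    """Read exactly one datum from TEXT; raise ValueError on anything else."""
    tokens = _tokenize(text)
    datum, end = _parse(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing data after datum")
    return datum

def _sym(x, *names): return isinstance(x, Symbol) and x in names
def _string(x): return isinstance(x, str) and not isinstance(x, Symbol)
def _number(x): return isinstance(x, (int, float))

def display_spec_safe(spec):
    """True only for the spec shapes the thread agreed are harmless."""
    if _string(spec):
        return True
    if not isinstance(spec, list) or not spec:
        return False
    head, args = spec[0], spec[1:]
    if _sym(head, "space-width", "raise"):
        return len(args) == 1 and _number(args[0])
    if _sym(head, "height") and len(args) == 1:
        h = args[0]  # N, (+ N) or (- N): the car must be exactly + or -
        return _number(h) or (isinstance(h, list) and len(h) == 2
                              and _sym(h[0], "+", "-") and _number(h[1]))
    if (isinstance(head, list) and len(head) == 2 and _sym(head[0], "margin")
            and _sym(head[1], "left-margin", "right-margin")):
        return len(args) == 1 and _string(args[0])
    return False  # images, (space . PROPS), (when ...) and everything else

def load_enriched(data):
    """Decode a text/enriched file, gunzipping first if it is compressed."""
    if data[:2] == b"\x1f\x8b":  # gzip magic; Emacs auto-decompresses too
        data = gzip.decompress(data)
    return data.decode("utf-8", errors="replace")

def vet_x_display(text):
    """Return [(param, safe)] for every x-display parameter found in TEXT."""
    out = []
    for param in (m.group(1).strip() for m in _XDISPLAY.finditer(text)):
        try:
            out.append((param, display_spec_safe(read_sexp(param))))
        except ValueError:
            out.append((param, False))  # unreadable parameter: never apply it
    return out

# Constructed sample: the two parameters from the bug report, the entries of
# enriched-test-safe-props.txt, and one height form with a bogus operator.
SAMPLE = """\
<x-display><param>(when (message "hello world") nil)</param>test</x-display>
<x-display><param>(when (set-face-attribute (quote mode-line) nil :background "red") nil)</param>test</x-display>
<x-display><param>"replace"</param>test</x-display>
<x-display><param>(space-width 5)</param>large spaces</x-display>
<x-display><param>((margin left-margin) "string")</param>marginal text</x-display>
<x-display><param>(height 3)</param>tall text</x-display>
<x-display><param>(height (foo 3))</param>bogus height</x-display>
<x-display><param>(raise 5)</param>raised text</x-display>
"""

def vet_sample():
    """Vet a gzip-compressed copy of SAMPLE, the way Emacs would open it."""
    return vet_x_display(load_enriched(gzip.compress(SAMPLE.encode())))
```

vet_sample() compresses the sample and runs the check on the decompressed bytes, mirroring the report's point that Emacs applies the properties after auto-decompression. The five enriched-test-safe-props.txt entries come back as safe; the two (when ...) parameters from the report and the (height (foo 3)) form are rejected, the last one because the reader requires the operator to be exactly + or - rather than any symbol.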
Resent-Date: Sat, 09 Sep 2017 15:58:02 +0000
To: Eli Zaretskii
Cc: 28350@debbugs.gnu.org
Date: Sat, 09 Sep 2017 17:57:10 +0200
From: charles@aurox.ch (Charles A. Roelli)
In-reply-to: <838thovvcr.fsf@gnu.org> (message from Eli Zaretskii on Sat, 09 Sep 2017 16:45:40 +0300)
References: <837exb1bk5.fsf@gnu.org> <838thovvcr.fsf@gnu.org>

Thanks for the feedback.

> Date: Sat, 09 Sep 2017 16:45:40 +0300
> From: Eli Zaretskii
> CC: 28350@debbugs.gnu.org
> Reply-to: Eli Zaretskii
>
> > --- a/lisp/textmodes/enriched.el
> > +++ b/lisp/textmodes/enriched.el
> > @@ -503,6 +503,47 @@ enriched-decode-display-prop > > (error nil))))) > > (unless prop > > (message "Warning: invalid parameter %s" param)) > > - (list start end 'display prop))) > > + (if (enriched-display-prop-safe-p prop) > > + (list start end 'display prop) > > + (message "Warning: unsafe parameter %s not applied" param) > > + (list start end)))) > > I think we will want to allow unsafe display properties, given a > user's explicit permission. So I think we need a defcustom that > allows this, and then enriched-display-prop-safe-p should always > return non-nil. Agreed, I've added this. > > +See Info node `(elisp)Display Property' for the use of these > > +display specifications." > > + (ignore-errors > > + (or (stringp prop) > ^^^^^^^^^^^^ > What about an image spec (including a slice spec)? Okay, I see that image specs can be safe. But are they all safe? And I don't understand how a slice spec is used together with an image spec. Is the slice spec used inside of IMAGE-PROPS, i.e. as you might gather from the manual: ‘(image . IMAGE-PROPS)’ This kind of display specification is an image descriptor (*note Images). When used as a display specification, it means to display the image instead of the text that has the display specification. ‘(slice X Y WIDTH HEIGHT)’ This specification together with ‘image’ specifies a “slice” (a partial area) of the image to display. ? > > > + (and (eq (car prop) 'space-width) > > + (or (integerp (cadr prop)) (floatp (cadr prop)))) > > + (and (consp (car prop)) > > + (eq (caar prop) 'margin) > > + (or (eq (cadar prop) 'right-margin) > > + (eq (cadar prop) 'left-margin)) > > + (stringp (cadr prop))) > > The margin display can also specify an image, not just a string, and I > think that would be safe as well. Okay, I'll apply the same procedure as we decide for the above image spec. 
> > > + (and (eq (car prop) 'height) > > + (or (integerp (cadr prop)) > > + (and (listp (cadr prop)) > > + (or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-) > > + (integerp (elt (cadr prop) 1))))) > ^^^^^^^^ > I think this should be numberp, as the value could also safely be a > float. > > > + (and (eq (car prop) 'raise) > > + (integerp (cadr prop)))))) > ^^^^^^^^ > The FACTOR in (raise FACTOR) can also be a float, so I think numberp > is the correct predicate here. > > And then what about (space . PROPS) type of display spec? I think all > of its variants are safe. Okay, I've made these changes and added the `space' spec. At this point it seems that unsafe display specs are more the exception than the rule, so it might make sense to define the `enriched-display-prop-safe-p' function by excluding the unsafe specifications instead of including the safe ones. What do you think? From unknown Sat Jun 14 08:58:49 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28350: enriched.el code execution Resent-From: Eli Zaretskii Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sat, 09 Sep 2017 16:57:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28350 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: charles@aurox.ch (Charles A. 
Roelli)
Cc: 28350@debbugs.gnu.org
Date: Sat, 09 Sep 2017 19:55:37 +0300
Message-Id: <83wp57vmk6.fsf@gnu.org>
From: Eli Zaretskii
In-reply-to: (charles@aurox.ch)
References: <837exb1bk5.fsf@gnu.org> <838thovvcr.fsf@gnu.org>

> Date: Sat, 09 Sep 2017 17:57:10 +0200
> From: charles@aurox.ch (Charles A. Roelli)
> CC: 28350@debbugs.gnu.org
>
> > > +See Info node `(elisp)Display Property' for the use of these
> > > +display specifications."
> > > + (ignore-errors
> > > + (or (stringp prop)
> > ^^^^^^^^^^^^
> > What about an image spec (including a slice spec)?
>
> Okay, I see that image specs can be safe. But are they all safe?

I think they are. Does anyone know different?

> And I don't understand how a slice spec is used together with an image
> spec. Is the slice spec used inside of IMAGE-PROPS, i.e. as you might
> gather from the manual:
>
> ‘(image . IMAGE-PROPS)’
> This kind of display specification is an image descriptor (*note
> Images). When used as a display specification, it means to
> display the image instead of the text that has the display
> specification.
>
> ‘(slice X Y WIDTH HEIGHT)’
> This specification together with ‘image’ specifies a “slice” (a
> partial area) of the image to display.
>
> ?

AFAIU, like this:

((slice X Y WIDTH HEIGHT) (image . IMAGE-PROPS))

You can see examples of this in image.el and image-mode.el.

> At this point it seems that unsafe display specs are more the
> exception than the rule, so it might make sense to define the
> `enriched-display-prop-safe-p' function by excluding the unsafe
> specifications instead of including the safe ones. What do you
> think?

I'm not sure. The display spec can be complex, so to make sure none
of these exceptions sneak through, you will have to recursively unpack
the spec data structure and examine each of the elements, which smells
too similar to emulating 'eval'. No?

Thanks.

Resent-From: charles@aurox.ch (Charles A.
Roelli)
To: Eli Zaretskii
Cc: 28350@debbugs.gnu.org
Date: Sat, 09 Sep 2017 22:37:29 +0200
From: charles@aurox.ch (Charles A. Roelli)
In-reply-to: <83wp57vmk6.fsf@gnu.org> (message from Eli Zaretskii on Sat, 09 Sep 2017 19:55:37 +0300)
References: <837exb1bk5.fsf@gnu.org> <838thovvcr.fsf@gnu.org> <83wp57vmk6.fsf@gnu.org>

> Date: Sat, 09 Sep 2017 19:55:37 +0300
> From: Eli Zaretskii
> CC: 28350@debbugs.gnu.org
>
> > > > +See Info node `(elisp)Display Property' for the use of these
> > > > +display specifications."
> > > > + (ignore-errors
> > > > + (or (stringp prop)
> > > ^^^^^^^^^^^^
> > > What about an image spec (including a slice spec)?
> >
> > Okay, I see that image specs can be safe. But are they all safe?
>
> I think they are. Does anyone know different?

I read over the documentation some more and they do look alright.

> > And I don't understand how a slice spec is used together with an image
> > spec. Is the slice spec used inside of IMAGE-PROPS, i.e. as you might
> > gather from the manual:
> >
> > ‘(image . IMAGE-PROPS)’
> > This kind of display specification is an image descriptor (*note
> > Images). When used as a display specification, it means to
> > display the image instead of the text that has the display
> > specification.
> >
> > ‘(slice X Y WIDTH HEIGHT)’
> > This specification together with ‘image’ specifies a “slice” (a
> > partial area) of the image to display.
> >
> > ?
>
> AFAIU, like this:
>
> ((slice X Y WIDTH HEIGHT) (image . IMAGE-PROPS))
>
> You can see examples of this in image.el and image-mode.el.

Thanks. I forgot that the display property can be set to a list or
vector of display specifications. I've updated the patch to reflect
this:

+ (and (seqp prop) (seq-every-p 'enriched-display-prop-safe-p prop)))))

and I've added slice/image specifications.

> > At this point it seems that unsafe display specs are more the
> > exception than the rule, so it might make sense to define the
> > `enriched-display-prop-safe-p' function by excluding the unsafe
> > specifications instead of including the safe ones. What do you
> > think?
>
> I'm not sure.
> The display spec can be complex, so to make sure none
> of these exceptions sneak through, you will have to recursively unpack
> the spec data structure and examine each of the elements, which smells
> too similar to emulating 'eval'. No?

Thank you. I've kept the current approach. Please see again the
attached patch.

Also, should the left-fringe/right-fringe display specifications be
considered safe? They seem innocuous.

Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-Prevent-code-execution-by-text-enriched-files-Bug-28.patch

From baf533eeddc185a0e65c641022f7be2be2cbcb09 Mon Sep 17 00:00:00 2001
From: "Charles A. Roelli"
Date: Sat, 9 Sep 2017 14:03:58 +0200
Subject: [PATCH] Prevent code execution by text/enriched files (Bug#28350)

* lisp/textmodes/enriched.el (enriched-allow-unsafe-display-props):
New customizable option.
(enriched-display-prop-safe-p): New function.
(enriched-decode-display-prop): Use the new function to prevent
unsafe display properties from being applied.
---
 lisp/textmodes/enriched.el | 84 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 83 insertions(+), 1 deletion(-)

diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
index 7ace2a5..74a1229 100644
--- a/lisp/textmodes/enriched.el
+++ b/lisp/textmodes/enriched.el
@@ -147,6 +147,20 @@ enriched-mode-hook :type 'hook :group 'enriched) +(defcustom enriched-allow-unsafe-display-props nil + "Variable determining whether to decode arbitrary display properties. + +Enriched mode recognizes display properties of text stored using +an extension command to the text/enriched format, \"x-display\". +These properties must, by default, satisfy +`enriched-display-prop-safe-p' (q.v.), otherwise they are not +applied. Customize this option to t to turn off this safety +feature. Note, however, that applying unsafe display properties +can execute arbitrary Lisp code." + :risky t + :type 'boolean + :group 'enriched) + (defvar enriched-old-bindings nil "Store old variable values that we change when entering mode. The value is a list of \(VAR VALUE VAR VALUE...).") 
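Review bot: the new defcustom carries no :version keyword, so Customize cannot report in which release the option appeared; add one next to `:type 'boolean` naming the release that carries this change, and pair the option with a short NEWS entry, since it changes what Enriched mode decodes by default. The first docstring line, "Variable determining whether to decode arbitrary display properties.", should state what a non-nil value does in the usual "If non-nil, ..." form for boolean options, for example "If non-nil, allow arbitrary display properties to be decoded." The `:risky t` tag is right to keep: without it a file-local setting of this option could switch the check off without a prompt.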
@@ -503,6 +517,74 @@ enriched-decode-display-prop (error nil))))) (unless prop (message "Warning: invalid parameter %s" param)) - (list start end 'display prop))) + (if (enriched-display-prop-safe-p prop) + (list start end 'display prop) + (message "Warning: unsafe parameter %s not applied" param) + (list start end)))) + +(defun enriched-display-prop-safe-p (prop) + "Return t if display property PROP is safe to apply to text. + +This function always returns t when +`enriched-allow-unsafe-display-props' is set to t. + +A safe display property is either: + + - a string, + + - an image display specification, (image . image-props), where + IMAGE-PROPS is a property list, + + - a slice display specification, (slice x y width height), + where X and Y are integers, and WIDTH and HEIGHT are either + integers or floats, + + - a space display specification, (space . props), where PROPS + is a property list, + + - a space-width display specification, (space-width factor), + where FACTOR is an integer or a float, + + - a margin display specification, ((margin right-margin) spec) + or ((margin left-margin) spec), where SPEC is a string or an + image display specification as above, + + - a height display specification, (height spec), where SPEC is + of the form (+ n), (- n) or n, and N is an integer or a + float, + + - a raise display specification, (raise factor), where + FACTOR is an integer or a float, + + - or a list/vector containing safe display specifications, as + above. + +See Info node `(elisp)Display Property' for the use of these +display specifications." 
+ (ignore-errors + (or enriched-allow-unsafe-display-props + (stringp prop) + (and (consp prop) (eq (car prop) 'image)) + (and (consp prop) + (eq (car prop) 'slice) + (integerp (elt prop 1)) ; x + (integerp (elt prop 2)) ; y + (numberp (elt prop 3)) ; width + (numberp (elt prop 4))) ; height + (and (consp prop) (eq (car prop) 'space)) + (and (eq (car prop) 'space-width) (numberp (cadr prop))) + (and (consp (car prop)) + (eq (caar prop) 'margin) + (or (eq (cadar prop) 'right-margin) + (eq (cadar prop) 'left-margin)) + (enriched-display-prop-safe-p (cadr prop))) + (and (eq (car prop) 'height) + (or (numberp (cadr prop)) + (and (listp (cadr prop)) + (or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-) + (integerp (elt (cadr prop) 1))))) + (and (eq (car prop) 'raise) + (numberp (cadr prop))) + (and (seqp prop) (seq-every-p 'enriched-display-prop-safe-p prop))))) ;;; enriched.el ends here -- 2.9.4 --=-=-=-- From unknown Sat Jun 14 08:58:49 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28350: enriched.el code execution References: In-Reply-To: Resent-From: Paul Eggert Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sat, 09 Sep 2017 22:44:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28350 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: "Charles A. 
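Review bot: the height branch is broken: the `or` in `(or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-)` has three arguments, and the second and third, `(elt (cadr prop) 0)` and `'-`, are always non-nil, so the sign test never fails and any two-element list whose second element is an integer is accepted whatever its head is, contrary to the docstring's (+ n) / (- n). Write it as `(memq (elt (cadr prop) 0) '(+ -))`, and use `numberp` for N, since the docstring says N may be a float. Two smaller points in the same function: `(image . props)` and `(space . props)` are accepted as soon as the head symbol matches, so the "where PROPS is a property list" condition in the docstring is never checked; and there is no branch for left-fringe/right-fringe, so such a spec only reaches the final `seqp` clause, where its bare leading symbol fails every test and the spec is rejected, which does not match the thread's view that these are innocuous. The `ignore-errors` wrapper is a good default: a malformed spec that signals an error comes back as nil, that is, unsafe.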
Roelli"
Cc: 28350@debbugs.gnu.org
From: Paul Eggert
Organization: UCLA Computer Science Department
Message-ID: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu>
Date: Sat, 9 Sep 2017 15:43:30 -0700

Thanks for reporting this bug. Since it is a serious security hole I have
installed a patch by Lars Ingebrigtsen that temporarily disables the problematic
translations, and that also changes Gnus to not call enriched-decode. For the
emacs-25 branch the patch is here:

https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70

and for the master branch the patch is here:

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=19584f13b1e2e4a778602a8302619ef5c675e68b

As this patch is merely a workaround to close the security hole, I am not
marking the underlying bug as fixed.

Thank you for reporting the problem.

Resent-From: Eli Zaretskii
To: charles@aurox.ch (Charles A.
Roelli)
Cc: 28350@debbugs.gnu.org
Date: Sun, 10 Sep 2017 20:01:20 +0300
Message-Id: <83y3pmtrmn.fsf@gnu.org>
From: Eli Zaretskii
In-reply-to: (charles@aurox.ch)
References: <837exb1bk5.fsf@gnu.org> <838thovvcr.fsf@gnu.org> <83wp57vmk6.fsf@gnu.org>

> Date: Sat, 09 Sep 2017 22:37:29 +0200
> From: charles@aurox.ch (Charles A. Roelli)
> CC: 28350@debbugs.gnu.org
>
> Thank you. I've kept the current approach. Please see again the
> attached patch.

Some minor nits below.

> Also, should the left-fringe/right-fringe display specifications be
> considered safe? They seem innocuous.

Yes, I think so. And your patch already does allow them, doesn't it?

> +(defcustom enriched-allow-unsafe-display-props nil
> + "Variable determining whether to decode arbitrary display properties.

"If non-nil allow to evaluate arbitrary forms in display properties."

> + :risky t
> + :type 'boolean
> + :group 'enriched)

Please add :version here.

Please also add a short NEWS entry.

It would be good to have tests for this, but doing that is much less
urgent than fixing the vulnerability, so please feel free to do so as a
separate commit (unless you already have the tests ready).

Otherwise, looks good to me.

Thanks.

Resent-From: charles@aurox.ch (Charles A.
Roelli)
To: Paul Eggert
Cc: larsi@gnus.org, 28350@debbugs.gnu.org
Date: Sun, 10 Sep 2017 20:54:13 +0200
From: charles@aurox.ch (Charles A. Roelli)
In-reply-to: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> (message from Paul Eggert on Sat, 9 Sep 2017 15:43:30 -0700)

> From: Paul Eggert
> Date: Sat, 9 Sep 2017 15:43:30 -0700
>
> Thanks for reporting this bug. Since it is a serious security hole I have
> installed a patch by Lars Ingebrigtsen that temporarily disables the problematic
> translations, and that also changes Gnus to not call enriched-decode. For the
> emacs-25 branch the patch is here:
>
> https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70
>
> and for the master branch the patch is here:
>
> https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=19584f13b1e2e4a778602a8302619ef5c675e68b
>
> As this patch is merely a workaround to close the security hole, I am not
> marking the underlying bug as fixed.
>
> Thank you for reporting the problem.

Thanks for these fixes. I have some comments:

> branch: master
> commit 19584f13b1e2e4a778602a8302619ef5c675e68b
> Author: Lars Ingebrigtsen
> Commit: Paul Eggert
>
> [...]
>
> --- a/lisp/textmodes/enriched.el
> +++ b/lisp/textmodes/enriched.el
> @@ -117,12 +117,7 @@ expression, which is evaluated to get the string to insert.") > (full "flushboth") > (center "center")) > (PARAMETER (t "param")) ; Argument of preceding annotation > - ;; The following are not part of the standard: > - (FUNCTION (enriched-decode-foreground "x-color") > - (enriched-decode-background "x-bg-color") Do we know that "x-color" and/or "x-bg-color" are vulnerable to a similar misuse as "x-display"? If not, I can still re-add them at a later time. > branch: emacs-25 > commit b6389930146882a77c22901a4357e287826fc7ff > Author: Paul Eggert > Commit: Paul Eggert > > [...] > > +** Enriched text mode no longer supports the 'FUNCTION' and 'display' > +translations, and Gnus no longer processes enriched text when > +inlining. This fixes bugs introduced in Emacs 19.29. To work around > +these bugs in Emacs versions 19.29 through 25.2, append the following > +to your ~/.emacs file: > + > + (provide 'enriched) > + (defun enriched-mode (&optional arg)) > + (defun enriched-decode (from to)) This fix is very safe, at the cost of disabling Enriched mode. Could we do any better? I had suggested the following (in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#16): (eval-after-load "enriched" '(defun enriched-decode-display-prop (start end &optional param) (list start end))) But it may not work in Emacs earlier than 23 (I can't test it). From unknown Sat Jun 14 08:58:49 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28350: enriched.el code execution Resent-From: Paul Eggert Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sun, 10 Sep 2017 21:48:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28350 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: "Charles A. 
Roelli"
Cc: larsi@gnus.org, 28350@debbugs.gnu.org
References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu>
From: Paul Eggert
Organization: UCLA Computer Science Department
Message-ID: <89bf7f23-d065-572c-ad54-bce7cb9a02e7@cs.ucla.edu>
Date: Sun, 10 Sep 2017 14:46:59 -0700

Charles A. Roelli wrote:
> Do we know that "x-color" and/or "x-bg-color" are vulnerable to a
> similar misuse as "x-display"? If not, I can still re-add them at a
> later time.

Eli asked the same question privately. I don't know the code myself; perhaps
Lars could say.

>> + (provide 'enriched)
>> + (defun enriched-mode (&optional arg))
>> + (defun enriched-decode (from to))
>
> This fix is very safe, at the cost of disabling Enriched mode. Could
> we do any better? I had suggested the following (in
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#16):
>
> (eval-after-load "enriched"
> '(defun enriched-decode-display-prop (start end &optional param)
> (list start end)))
>
> But it may not work in Emacs earlier than 23 (I can't test it).

It should work, since eval-after-load predates Emacs 19.29. Though it assumes
that x-display is the only problem here.
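To pull the thread's allowlist approach together, here is an added example that is not code from enriched.el or from the patch attached above. It restates the shape of enriched-display-prop-safe-p as a stand-alone predicate with the review points applied (a single membership test for the height sign, numberp wherever the docstring allows floats, the image and space property lists actually inspected, a branch for left-fringe/right-fringe, and errors on malformed input mapped to "unsafe"), followed by ERT tests. Every `example-` name is hypothetical, the sample specs are constructed for the tests, and the block assumes an Emacs with seq.el and ert available.

```elisp
;; Added example, not code from enriched.el or from the patch in this
;; thread.  Every `example-' name is hypothetical; the sample specs in
;; the tests are constructed.
(require 'seq)
(require 'ert)

(defun example-plain-value-p (x)
  "Return non-nil if X is a number, string or symbol.
Conses are refused so that no nested form reaches redisplay through a
property value.  This is deliberately conservative: harmless pixel
expressions such as (+ 1 2) are rejected along with everything else."
  (or (numberp x) (stringp x) (symbolp x)))

(defun example-plain-plist-p (plist)
  "Return non-nil if PLIST is a keyword property list of plain values.
An improper list makes `length' signal, which the caller turns into nil."
  (and (listp plist)
       (zerop (% (length plist) 2))
       (let ((ok t))
         (while (and ok plist)
           (setq ok (and (keywordp (car plist))
                         (example-plain-value-p (cadr plist)))
                 plist (cddr plist)))
         ok)))

(defun example-height-spec-p (spec)
  "Return non-nil for N, (+ N) or (- N) with N a number.
A bare symbol or any other list is refused: in a height spec those
denote a function to call or a form to evaluate."
  (or (numberp spec)
      (and (consp spec)
           (memq (car spec) '(+ -))     ; one test, not a multi-arg `or'
           (consp (cdr spec))
           (numberp (cadr spec))
           (null (cddr spec)))))

(defun example-safe-display-spec-p (spec)
  "Return non-nil if display SPEC can be applied without evaluating Lisp.
Anything not listed here, including malformed input that signals an
error, is treated as unsafe."
  (ignore-errors
    (cond
     ((stringp spec) t)
     ((vectorp spec) (seq-every-p #'example-safe-display-spec-p spec))
     ((not (consp spec)) nil)           ; symbols and numbers: refused
     ;; ((margin LEFT-OR-RIGHT) INNER): INNER is a string or an image spec.
     ((and (consp (car spec)) (eq (car (car spec)) 'margin))
      (and (memq (cadr (car spec)) '(left-margin right-margin))
           (null (cddr spec))
           (let ((inner (cadr spec)))
             (or (stringp inner)
                 (and (consp inner)
                      (eq (car inner) 'image)
                      (example-plain-plist-p (cdr inner)))))))
     (t
      (pcase spec
        (`(image . ,props) (example-plain-plist-p props))
        (`(space . ,props) (example-plain-plist-p props))
        (`(slice ,x ,y ,w ,h)
         (and (integerp x) (integerp y) (numberp w) (numberp h)))
        (`(space-width ,factor) (numberp factor))
        (`(raise ,factor) (numberp factor))
        (`(height ,h) (example-height-spec-p h))
        (`(,(or 'left-fringe 'right-fringe) ,bitmap . ,face)
         (and (symbolp bitmap)
              (or (null face)
                  (and (null (cdr face)) (symbolp (car face))))))
        ;; Otherwise SPEC must be a list of specs, each safe on its own.
        ;; (when FORM . VALUE) lands here and fails because its head
        ;; `when' is a bare symbol.
        (_ (seq-every-p #'example-safe-display-spec-p spec)))))))

(ert-deftest example-accepts-plain-specs ()
  (dolist (spec '("replacement text"
                  (image :type png :file "x.png")
                  ((slice 0 0 1.0 0.5) (image :type png :file "x.png"))
                  (space :width 2 :align-to 10)
                  (height (+ 2))
                  (raise 0.5)
                  ((margin right-margin) "note")
                  (left-fringe question-mark warning)
                  ["a" (raise 0.5)]))
    (should (example-safe-display-spec-p spec))))

(ert-deftest example-rejects-evaluable-specs ()
  (dolist (spec '((when (setq example-evaluated t) "x")
                  (height (progn 1 "two")) ; passes a three-argument `or'
                  (height some-function)
                  (space :width (example-compute-width))
                  ((margin right-margin) (when t "x"))
                  (image :file "x" . 3)
                  some-symbol))
    (should-not (example-safe-display-spec-p spec))))
```

Run it with `emacs -Q --batch -l FILE.el -f ert-run-tests-batch-and-exit`. A decoder would call the predicate the way the hunk above calls enriched-display-prop-safe-p: keep the `display` property only when it returns non-nil, and otherwise return the bare `(list start end)`. The design follows Eli's argument in the thread: the predicate names what is allowed and treats everything else, including a spec it cannot parse, as unsafe, rather than trying to enumerate the specs that can evaluate Lisp.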

From: Eli Zaretskii
To: Paul Eggert
Cc: larsi@gnus.org, charles@aurox.ch, 28350@debbugs.gnu.org
Date: Mon, 11 Sep 2017 05:39:27 +0300
Message-Id: <83ingqt0v4.fsf@gnu.org>
In-reply-to: <89bf7f23-d065-572c-ad54-bce7cb9a02e7@cs.ucla.edu> (message from Paul Eggert on Sun, 10 Sep 2017 14:46:59 -0700)
References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> <89bf7f23-d065-572c-ad54-bce7cb9a02e7@cs.ucla.edu>

> From: Paul Eggert
> Date: Sun, 10 Sep 2017 14:46:59 -0700
> Cc: larsi@gnus.org, 28350@debbugs.gnu.org
>
> > (eval-after-load "enriched"
> >   '(defun enriched-decode-display-prop (start end &optional param)
> >      (list start end)))
> >
> > But it may not work in Emacs earlier than 23 (I can't test it).
>
> It should work, since eval-after-load predates Emacs 19.29. Though it assumes
> that x-display is the only problem here.

x-display _is_ the only problem, because only it allows arbitrary Lisp
forms.


To: eggert@cs.ucla.edu
Cc: larsi@gnus.org, charles@aurox.ch, 28350@debbugs.gnu.org
Date: Mon, 11 Sep 2017 17:22:48 +0300
Message-Id: <83efrdtivb.fsf@gnu.org>
From: Eli Zaretskii
In-reply-to: <83ingqt0v4.fsf@gnu.org> (message from Eli Zaretskii on Mon, 11 Sep 2017 05:39:27 +0300)
References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> <89bf7f23-d065-572c-ad54-bce7cb9a02e7@cs.ucla.edu> <83ingqt0v4.fsf@gnu.org>

> Date: Mon, 11 Sep 2017 05:39:27 +0300
> From: Eli Zaretskii
> Cc: larsi@gnus.org, charles@aurox.ch, 28350@debbugs.gnu.org
>
> > From: Paul Eggert
> > Date: Sun, 10 Sep 2017 14:46:59 -0700
> > Cc: larsi@gnus.org, 28350@debbugs.gnu.org
> >
> > > (eval-after-load "enriched"
> > >   '(defun enriched-decode-display-prop (start end &optional param)
> > >      (list start end)))
> > >
> > > But it may not work in Emacs earlier than 23 (I can't test it).
> >
> > It should work, since eval-after-load predates Emacs 19.29. Though it assumes
> > that x-display is the only problem here.
>
> x-display _is_ the only problem, because only it allows arbitrary Lisp
> forms.

I eventually decided to provide a simpler patch, see below. The
original changes unnecessarily removed the capability to encode display
properties while saving Enriched Mode text, something that doesn't have
any security issues (because the vulnerability is on the receiving end).
I also prefer not to remove the offending code, but instead to comment
it out, as I believe this is more in the tradition of Free Software to
let people eyeball what we did. Finally, I rewrote the NEWS entry to be
more accurate wrt the actual change.

Nicolas is working on the release as we speak, so if someone has
suggestions, or objections, or something else important to say about
the patch, please speak up.

I'd like to take this opportunity to thank all those who worked and
continue working on fixing this vulnerability.

2017-09-11  Eli Zaretskii

	* etc/NEWS: Document the vulnerability and its resolution.
	Include a workaround.  Suggested by Charles A. Roelli .
	* lisp/gnus/mm-view.el (mm-inline-text): Disable decoding of
	"enriched" and "richtext" MIME objects.  Suggested by Lars
	Ingebrigtsen .
	* lisp/textmodes/enriched.el (enriched-decode-display-prop): Don't
	produce 'display' properties.  (Bug#28350)

--- lisp/textmodes/enriched.el~0 2017-02-03 12:25:44.000000000 +0200
+++ lisp/textmodes/enriched.el 2017-09-11 17:31:35.943569900 +0300
@@ -503,6 +503,9 @@ (error nil))))) (unless prop (message "Warning: invalid parameter %s" param)) - (list start end 'display prop))) + ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp + ;; forms in display properties stored within enriched text. + ;; (list start end 'display prop))) + (list start end))) ;;; enriched.el ends here --- lisp/gnus/mm-view.el~0 2017-02-03 12:25:44.000000000 +0200 +++ lisp/gnus/mm-view.el 2017-09-11 16:56:58.804519400 +0300 @@ -383,10 +383,12 @@ (goto-char (point-max)))) (save-restriction (narrow-to-region b (point)) - (when (member type '("enriched" "richtext")) - (set-text-properties (point-min) (point-max) nil) - (ignore-errors - (enriched-decode (point-min) (point-max)))) + ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp + ;; forms in display properties supported by enriched.el. + ;; (when (member type '("enriched" "richtext")) + ;; (set-text-properties (point-min) (point-max) nil) + ;; (ignore-errors + ;; (enriched-decode (point-min) (point-max)))) (mm-handle-set-undisplayer handle `(lambda () --- etc/NEWS~0 2017-02-21 11:08:27.000000000 +0200 +++ etc/NEWS 2017-09-11 17:21:06.994252400 +0300 
@@ -16,6 +16,32 @@ with a prefix argument or by typing C-u C-h C-n. +* Changes in Emacs 25.3 + +This is an emergency release to fix a security vulnerability in Emacs. + +** Security vulnerability related to Enriched Text mode is removed. + +*** Enriched Text mode has its support for decoding 'x-display' disabled. +This feature allows saving 'display' properties as part of text. +Emacs 'display' properties support evaluation of arbitrary Lisp forms +as part of instantiating the property, so decoding 'x-display' is +vulnerable to executing arbitrary malicious Lisp code included in the +text (e.g., sent as part of an email message). + +This vulnerability was introduced in Emacs 19.29. To work around that +in Emacs versions before 25.3, append the following to your ~/.emacs +init file: + + (eval-after-load "enriched" + '(defun enriched-decode-display-prop (start end &optional param) + (list start end))) + +*** Gnus no longer supports "richtext" and "enriched" inline MIME objects. +This support was disabled to avoid evaluation of arbitrary Lisp code +contained in email messages and news articles. + + * Changes in Emacs 25.2 This is mainly a bug-fix release, but there are some other changes.
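Review bot: in the enriched.el hunk, returning `(list start end)` keeps the preceding parse of PARAM and its `(message "Warning: invalid parameter %s" param)` alive even though the parsed value is now discarded, so users still get warnings about a parameter that no longer has any effect. Either skip the parse and the warning when the display property is disabled, or extend the new comment to say the warning is kept on purpose, and add the bug number to that comment so the reason for the commented-out `(list start end 'display prop)` stays discoverable.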
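Review bot: the mm-view.el hunk comments out the whole `(when (member type '("enriched" "richtext")) ...)` branch, so such parts now fall through and are displayed as plain text with the enriched markup visible, and the `(set-text-properties (point-min) (point-max) nil)` clearing is no longer applied to them either. Both are acceptable for an emergency release, but the NEWS entry only says inline support was removed; it should say that the raw markup is shown instead so users do not report it as a rendering bug.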
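Review bot: the NEWS hunk states "This vulnerability was introduced in Emacs 19.29", but the x-display decoding is reported elsewhere in this thread to be present only since Emacs 21.1; verify the version against the enriched.el history before release, since otherwise users of 19.29 through 20.x are told to apply a workaround they do not need. The workaround itself is sound: `(eval-after-load "enriched" '(defun enriched-decode-display-prop ...))` redefines the decoder after the library loads, which matches what the enriched.el hunk does in-tree.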

From: Eli Zaretskii
To: charles@aurox.ch (Charles A. Roelli)
Cc: larsi@gnus.org, eggert@cs.ucla.edu, 28350@debbugs.gnu.org
Date: Mon, 11 Sep 2017 18:18:01 +0300
Message-Id: <83y3pls1qu.fsf@gnu.org>
In-reply-to: (charles@aurox.ch)
References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu>

> Date: Sun, 10 Sep 2017 20:54:13 +0200
> From: charles@aurox.ch (Charles A. Roelli)
> Cc: larsi@gnus.org, 28350@debbugs.gnu.org
>
> > --- a/lisp/textmodes/enriched.el
> > +++ b/lisp/textmodes/enriched.el
> > @@ -117,12 +117,7 @@ expression, which is evaluated to get the string to insert.")
> > (full "flushboth")
> > (center "center"))
> > (PARAMETER (t "param")) ; Argument of preceding annotation
> > - ;; The following are not part of the standard:
> > - (FUNCTION (enriched-decode-foreground "x-color")
> > (enriched-decode-background "x-bg-color")
>
> Do we know that "x-color" and/or "x-bg-color" are vulnerable to a
> similar misuse as "x-display"?

They are not. They are converted to face properties, whose values
don't support Lisp evaluation.

> > + (provide 'enriched)
> > + (defun enriched-mode (&optional arg))
> > + (defun enriched-decode (from to))
>
> This fix is very safe, at the cost of disabling Enriched mode. Could
> we do any better? I had suggested the following (in
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#16):
>
> (eval-after-load "enriched"
>   '(defun enriched-decode-display-prop (start end &optional param)
>      (list start end)))

You are right, and I therefore asked Nicolas to put that as a
workaround into NEWS of Emacs 25.3.

Anyway, I think I have a better idea for how to fix this on master.
And I'm very sorry that this idea didn't come to me earlier, before
you invested all these efforts in your patch. (I'm also surprised
that no one here had beaten me up to this idea.)

Here's the idea: we introduce a new form of a display property:

  ('disable-eval SPEC)

where SPEC is anything supported in a display property. Then we change
the implementation of display property in xdisp.c such that when the
above form is seen, we disable Lisp evaluation while walking SPEC and
producing display from it in the display engine. Such a patch to
xdisp.c appears below.

Then enriched.el will have to either add disable-eval wrapper around
any display property, or not add it if the user customized enriched.el
to enable such evaluation.
This has the advantage of allowing every possible value of display
properties that's safe, while positively disabling any Lisp evaluation
while we process such properties that came from enriched text. So we
are free from the need to figure out which forms of a display spec can
or cannot invoke Lisp.

WDYT?

Here's the patch:

--- src/xdisp.c~2 2017-09-07 11:16:30.503455400 +0300
+++ src/xdisp.c 2017-09-11 17:29:00.507991400 +0300
@@ -876,9 +876,9 @@ static int face_before_or_after_it_pos ( static ptrdiff_t next_overlay_change (ptrdiff_t); static int handle_display_spec (struct it *, Lisp_Object, Lisp_Object, Lisp_Object, struct text_pos *, ptrdiff_t, bool); -static int handle_single_display_spec (struct it *, Lisp_Object, - Lisp_Object, Lisp_Object, - struct text_pos *, ptrdiff_t, int, bool); +static int handle_single_display_spec (struct it *, Lisp_Object, Lisp_Object, + Lisp_Object, struct text_pos *, + ptrdiff_t, int, bool, bool); static int underlying_face_id (struct it *); #define face_before_it_pos(IT) face_before_or_after_it_pos (IT, true) @@ -4731,6 +4731,14 @@ handle_display_spec (struct it *it, Lisp ptrdiff_t bufpos, bool frame_window_p) { int replacing = 0; + bool enable_eval = true; + + /* Support (disable-eval PROP) which is used by enriched.el. */ + if (CONSP (spec) && EQ (XCAR (spec), Qdisable_eval)) + { + enable_eval = false; + spec = XCAR (XCDR (spec)); + } if (CONSP (spec) /* Simple specifications. */ @@ -4754,7 +4762,8 @@ handle_display_spec (struct it *it, Lisp { int rv = handle_single_display_spec (it, XCAR (spec), object, overlay, position, bufpos, - replacing, frame_window_p); + replacing, frame_window_p, + enable_eval); if (rv != 0) { replacing = rv; @@ -4772,7 +4781,8 @@ handle_display_spec (struct it *it, Lisp { int rv = handle_single_display_spec (it, AREF (spec, i), object, overlay, position, bufpos, - replacing, frame_window_p); + replacing, frame_window_p, + enable_eval); if (rv != 0) { replacing = rv;
@@ -4785,7 +4795,8 @@ handle_display_spec (struct it *it, Lisp } else replacing = handle_single_display_spec (it, spec, object, overlay, position, - bufpos, 0, frame_window_p); + bufpos, 0, frame_window_p, + enable_eval); return replacing; } @@ -4830,6 +4841,8 @@ display_prop_end (struct it *it, Lisp_Ob don't set up IT. In that case, FRAME_WINDOW_P means SPEC is intended to be displayed in a window on a GUI frame. + Enable evaluation of Lisp forms only if ENABLE_EVAL_P is true. + Value is non-zero if something was found which replaces the display of buffer or string text. */ @@ -4837,7 +4850,7 @@ static int handle_single_display_spec (struct it *it, Lisp_Object spec, Lisp_Object object, Lisp_Object overlay, struct text_pos *position, ptrdiff_t bufpos, int display_replaced, - bool frame_window_p) + bool frame_window_p, bool enable_eval_p) { Lisp_Object form; Lisp_Object location, value; @@ -4855,6 +4868,8 @@ handle_single_display_spec (struct it *i spec = XCDR (spec); } + if (!NILP (form) && !EQ (form, Qt) && !enable_eval_p) + form = Qnil; if (!NILP (form) && !EQ (form, Qt)) { ptrdiff_t count = SPECPDL_INDEX (); @@ -4903,7 +4918,7 @@ handle_single_display_spec (struct it *i steps = - steps; it->face_id = smaller_face (it->f, it->face_id, steps); } - else if (FUNCTIONP (it->font_height)) + else if (FUNCTIONP (it->font_height) && enable_eval_p) { /* Call function with current height as argument. Value is the new height. */ @@ -4924,7 +4939,7 @@ handle_single_display_spec (struct it *i new_height = (XFLOATINT (it->font_height) * XINT (f->lface[LFACE_HEIGHT_INDEX])); } - else + else if (enable_eval_p) { /* Evaluate IT->font_height with `height' bound to the current specified height to get the new height. */ 
@@ -32164,6 +32179,10 @@ They are still logged to the *Messages* DEFSYM (Qfontified, "fontified"); DEFSYM (Qfontification_functions, "fontification-functions"); + /* Name of the symbol which disables Lisp evaluation in 'display' + properties. This is used by enriched.el. */ + DEFSYM (Qdisable_eval, "disable-eval"); + /* Name of the face used to highlight trailing whitespace. */ DEFSYM (Qtrailing_whitespace, "trailing-whitespace");
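Review bot: in the @@ -4731 hunk, `spec = XCAR (XCDR (spec))` runs for any cons whose car is `disable-eval` and assumes `XCDR (spec)` is itself a cons; a malformed property such as `(disable-eval)` or `(disable-eval . x)` would apply XCAR to a non-cons. Display properties reach this code from arbitrary buffer text and Lisp, so guard the unwrapping with `&& CONSP (XCDR (spec))` and let anything else fall through as an ordinary, unrecognised spec. A comment that only the outermost wrapper is recognised (the check sits before the list and vector loops, so a nested `disable-eval` is just another element) would also help future readers.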
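Review bot: in the @@ -4855 hunk, forcing `form = Qnil` when evaluation is disabled makes a `(when FORM . SPEC)` element look like a condition that was never evaluated; if the nil check that follows in the existing code treats that as a false condition, the spec is dropped rather than shown unconditionally. Either way, that is the safe choice, but the comment added in the @@ -4830 hunk says only that evaluation is enabled when ENABLE_EVAL_P is true; it should also state what happens to conditional specs, and the display-property documentation needs the same sentence so enriched.el users know such specs will not render in untrusted text.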
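Review bot: in the @@ -4924 hunk, turning the final `else` into `else if (enable_eval_p)` leaves the `(height FORM)` case with no branch taken when evaluation is disabled, so `new_height` keeps whatever it was initialised to. Confirm that initial value is one the code after these branches ignores, or assign it explicitly in a trailing `else`, so an untrusted `(height (some-form))` cannot apply a stale height. The `FUNCTIONP (it->font_height) && enable_eval_p` test in the preceding hunk has the same shape: a function value with evaluation disabled now falls through the numeric branch to the new `else if` and is ignored, which is fine but deserves a comment.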
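How enriched.el could use the wrapper, as an added example rather than code from Eli's patch or from Emacs: the decoder keeps the parsed 'x-display' spec but hands it to the display engine inside (disable-eval SPEC), with a hypothetical user option (assumed name) to opt back into evaluation. It assumes an xdisp.c that recognises the wrapper as in the patch above.

```elisp
;; Added example, not code from Eli's patch or from Emacs.  It assumes an
;; Emacs whose xdisp.c recognises the (disable-eval SPEC) display-property
;; wrapper proposed above, and it names a hypothetical user option.

(defcustom enriched-allow-eval-in-display-props nil
  "Non-nil lets 'x-display' specs from enriched text evaluate Lisp.
Hypothetical option for this example.  Keep it nil: enriched text
usually arrives from untrusted sources such as mail, and a display
spec may embed arbitrary Lisp forms."
  :type 'boolean
  :group 'enriched
  :risky t)

(defun enriched-decode-display-prop (start end &optional param)
  "Decode the 'x-display' annotation PARAM for the text START..END.
Return (START END display SPEC), where SPEC is the form read from
PARAM wrapped as (disable-eval SPEC) unless the user opted in, so the
display engine never evaluates Lisp taken from the decoded text."
  (let ((prop (when (stringp param)
                (condition-case nil
                    ;; Reading is not evaluating: the form is only
                    ;; parsed here, never run.
                    (car (read-from-string param))
                  (error nil)))))
    (unless prop
      (message "Warning: invalid parameter %s" param))
    (cond
     ((null prop) (list start end))
     (enriched-allow-eval-in-display-props
      (list start end 'display prop))
     (t (list start end 'display (list 'disable-eval prop))))))

;; Self-check on a constructed parameter: the decoded spec comes back
;; wrapped, never bare, so a (when FORM ...) in PARAM cannot run FORM.
(let ((enriched-allow-eval-in-display-props nil))
  (equal (enriched-decode-display-prop
          1 5 "(when (progn (message \"evaluated\") t) \"x\")")
         '(1 5 display
              (disable-eval (when (progn (message "evaluated") t) "x")))))
```

Evaluating the final form returns t; with the option set to t the bare spec is returned instead and evaluation is back in the user's hands.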

From: Glenn Morris
To: Paul Eggert
Cc: "Charles A. Roelli", 28350@debbugs.gnu.org
Date: Mon, 11 Sep 2017 11:33:36 -0400
In-Reply-To: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> (Paul Eggert's message of "Sat, 9 Sep 2017 15:43:30 -0700")
References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu>

I submitted this to https://github.com/distributedweaknessfiling/ .
I see you sent it to http://seclists.org/oss-sec/2017/q3/422 .

Are you sure this issue affects Emacs 19.29, as stated there?
The x-display code is "only" present since 21.1, AFAICS.

From: Glenn Morris
To: Eli Zaretskii
Cc: "Charles A. Roelli", 28350@debbugs.gnu.org
Resent-Date: Mon, 11 Sep 2017 16:33:02 +0000
In-Reply-To: (Eli Zaretskii's message of "Sat, 09 Sep 2017 19:55:37 +0300")
References: <837exb1bk5.fsf@gnu.org> <838thovvcr.fsf@gnu.org> <83wp57vmk6.fsf@gnu.org>

Eli Zaretskii wrote:

>> At this point it seems that unsafe display specs are more the
>> exception than the rule, so it might make sense to define the
>> `enriched-display-prop-safe-p' function by excluding the unsafe
>> specifications instead of including the safe ones. What do you
>> think?
>
> I'm not sure. The display spec can be complex, so to make sure none
> of these exceptions sneak through, you will have to recursively unpack
> the spec data structure and examine each of the elements, which smells
> too similar to emulating 'eval'. No?

FWIW, there is 'unsafep'.

From: Paul Eggert
Organization: UCLA Computer Science Department
To: Glenn Morris
Cc: "Charles A. Roelli", 28350@debbugs.gnu.org
Date: Mon, 11 Sep 2017 09:38:14 -0700
References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu>

On 09/11/2017 08:33 AM, Glenn Morris wrote:
> I submitted this to https://github.com/distributedweaknessfiling/ .
> I see you sent it to http://seclists.org/oss-sec/2017/q3/422 .

Yes, I sent it to the oss-security mailing list, and it is archived here:

http://www.openwall.com/lists/oss-security/2017/09/11/1

> Are you sure this issue affects Emacs 19.29, as stated there?
> The x-display code is "only" present since 21.1, AFAICS.

Thanks for checking. When I wrote that, I looked for any of the text
involved in Lars's patch. If a smaller patch will do, that might explain
why you're seeing 21.1 rather than 19.29. We can mention 21.1 instead of
19.29 in the 25.3 release, and I'll update etc/NEWS accordingly in
emacs-25 and master once that comes out. These days almost nobody is
running Emacs older than 21.1, so the exact version number shouldn't
matter to anybody other than software archaeologists.

From: Eli Zaretskii
To: Glenn Morris
Cc: charles@aurox.ch, 28350@debbugs.gnu.org
Date: Mon, 11 Sep 2017 20:01:43 +0300
Message-Id: <83fubtrwy0.fsf@gnu.org>
In-reply-to: (message from Glenn Morris on Mon, 11 Sep 2017 12:32:38 -0400)
References: <837exb1bk5.fsf@gnu.org> <838thovvcr.fsf@gnu.org> <83wp57vmk6.fsf@gnu.org>

> From: Glenn Morris
> Cc: charles@aurox.ch (Charles A. Roelli), 28350@debbugs.gnu.org
> Date: Mon, 11 Sep 2017 12:32:38 -0400
>
> FWIW, there is 'unsafep'.

Thanks. Did that pass any audits from security experts?


To: Eli Zaretskii
Cc: larsi@gnus.org, eggert@cs.ucla.edu, 28350@debbugs.gnu.org
5zTNSce76WaeX831GZG6l+AxMBaFim4MUnjkwPotbcmFpZc/HmLVrWMHoW1i+hYF +9Q1toafPptUeY= X-Virus-Scanned: Debian amavisd-new at test.virtualizor.com Received: from sinyavsky.aurox.ch ([127.0.0.1]) by sinyavsky.aurox.ch (sinyavsky.aurox.ch [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id D7Bfa2k8S-93 for <28350@debbugs.gnu.org>; Mon, 11 Sep 2017 18:38:23 +0000 (UTC) Received: from gray (125.85.192.178.dynamic.wline.res.cust.swisscom.ch [178.192.85.125]) by sinyavsky.aurox.ch (Postfix) with ESMTPSA id CB3452252B; Mon, 11 Sep 2017 18:38:22 +0000 (UTC) Date: Mon, 11 Sep 2017 20:44:19 +0200 Message-Id: From: charles@aurox.ch (Charles A. Roelli) In-reply-to: <83y3pls1qu.fsf@gnu.org> (message from Eli Zaretskii on Mon, 11 Sep 2017 18:18:01 +0300) References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> <83y3pls1qu.fsf@gnu.org> X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) > Date: Mon, 11 Sep 2017 18:18:01 +0300 
> From: Eli Zaretskii > > Anyway, I think I have a better idea for how to fix this on master. > And I'm very sorry that this idea didn't come to me earlier, before > you invested all these efforts in your patch. (I'm also surprised > that no one here had beaten me up to this idea.) > > Here's the idea: we introduce a new form of a display property: > > ('disable-eval SPEC) > > where SPEC is anything supported in a display property. Thanks for suggesting this; it's much cleaner than sanitizing the display specification from Lisp. Looks good to me. From unknown Sat Jun 14 08:58:49 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28350: enriched.el code execution Resent-From: Eli Zaretskii Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 11 Sep 2017 19:09:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28350 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: charles@aurox.ch (Charles A. Roelli) Cc: larsi@gnus.org, eggert@cs.ucla.edu, 28350@debbugs.gnu.org Reply-To: Eli Zaretskii Received: via spool by 28350-submit@debbugs.gnu.org id=B28350.150515689212249 (code B ref 28350); Mon, 11 Sep 2017 19:09:02 +0000 Received: (at 28350) by debbugs.gnu.org; 11 Sep 2017 19:08:12 +0000 Received: from localhost ([127.0.0.1]:33996 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1drU40-0003BS-Sa for submit@debbugs.gnu.org; Mon, 11 Sep 2017 15:08:12 -0400 Received: from eggs.gnu.org ([208.118.235.92]:60298) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1drU3u-0003At-39 for 28350@debbugs.gnu.org; Mon, 11 Sep 2017 15:08:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1drU3l-0002MQ-7Y for 28350@debbugs.gnu.org; Mon, 11 Sep 2017 15:07:56 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD 
autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:38234) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1drU3l-0002MK-4B; Mon, 11 Sep 2017 15:07:53 -0400 Received: from 84.94.185.246.cable.012.net.il ([84.94.185.246]:1066 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1drU3i-0004ar-Hq; Mon, 11 Sep 2017 15:07:53 -0400 Date: Mon, 11 Sep 2017 22:07:26 +0300 Message-Id: <83y3plqck1.fsf@gnu.org> From: Eli Zaretskii In-reply-to: (charles@aurox.ch) References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> <83y3pls1qu.fsf@gnu.org> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) > Date: Mon, 11 Sep 2017 20:44:19 +0200 
> From: charles@aurox.ch (Charles A. Roelli) > CC: eggert@cs.ucla.edu, larsi@gnus.org, 28350@debbugs.gnu.org > > > Here's the idea: we introduce a new form of a display property: > > > > ('disable-eval SPEC) > > > > where SPEC is anything supported in a display property. > > Thanks for suggesting this; it's much cleaner than sanitizing the > display specification from Lisp. Looks good to me. Thanks, I will wait for a few days before pushing. Thanks again for all your work on this grave issue. From unknown Sat Jun 14 08:58:49 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28350: enriched.el code execution Resent-From: Glenn Morris Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 11 Sep 2017 21:17:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28350 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: Paul Eggert Cc: "Charles A. Roelli" , 28350@debbugs.gnu.org Received: via spool by 28350-submit@debbugs.gnu.org id=B28350.150516458624134 (code B ref 28350); Mon, 11 Sep 2017 21:17:02 +0000 Received: (at 28350) by debbugs.gnu.org; 11 Sep 2017 21:16:26 +0000 Received: from localhost ([127.0.0.1]:34187 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1drW4A-0006HC-I0 for submit@debbugs.gnu.org; Mon, 11 Sep 2017 17:16:26 -0400 Received: from eggs.gnu.org ([208.118.235.92]:48161) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1drW49-0006Gw-CD for 28350@debbugs.gnu.org; Mon, 11 Sep 2017 17:16:25 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1drW43-0004Zl-Hx for 28350@debbugs.gnu.org; Mon, 11 Sep 2017 17:16:20 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: * X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_20,RP_MATCHES_RCVD, UNRESOLVED_TEMPLATE autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:41225) 
by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1drW3w-0004Un-0K; Mon, 11 Sep 2017 17:16:12 -0400 Received: from rgm by fencepost.gnu.org with local (Exim 4.82) (envelope-from ) id 1drW3v-0003rN-I6; Mon, 11 Sep 2017 17:16:11 -0400 
From: Glenn Morris References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> X-Spook: Cartel anthrax DHS embassy Al Jazeera Riot UNSCOM IED X-Ran: f8i0oQ+:tXV^xW[ru]8%PO]#JwaXc0QM$:X[~tp&m+xcVf/S-\Rrq,;IML[}ZiK:"jo_7; X-Hue: white X-Attribution: GM Date: Mon, 11 Sep 2017 17:16:11 -0400 In-Reply-To: (Paul Eggert's message of "Mon, 11 Sep 2017 09:38:14 -0700") Message-ID: User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -4.3 (----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.3 (----) Paul Eggert wrote: > We can mention 21.1 instead of 19.29 in the 25.3 release, and I'll > update etc/NEWS accordingly in emacs-25 and master once that comes > out. Too late. :( For the record: commit d9e28c1 Date: Wed Jul 21 21:43:03 1999 +0000 (enriched-translations): Add `display' and "x-display". git describe --contains --tags d9e28c1 emacs-pretest-21.0.90~7452 > These days almost nobody is running Emacs older than 21.1, so the exact > version number shouldn't matter to anybody other than software > archaeologists. Indeed not, but 19.29 v 21.1 is "staggeringly bad" v "extremely bad" for me. 
From: Glenn Morris
Subject: control message for bug 28350
Date: Mon, 11 Sep 2017 17:16:47 -0400

fixed 28350 25.3


From: Paul Eggert
Subject: bug#28350: enriched.el code execution
To: Glenn Morris
Cc: "Charles A. Roelli", 28350@debbugs.gnu.org
Date: Tue, 12 Sep 2017 12:59:13 -0700

On 09/11/2017 02:16 PM, Glenn Morris wrote:
> Too late. :(

Yes, that horse left the barn.  To close the barn door, I changed
emacs-25's etc/NEWS (and master's etc/NEWS.25) to say "21.1" rather
than "19.29" for when the bug was introduced, so that we look just
"extremely bad" rather than "staggeringly bad" in the latest source
code.
From: Salvatore Bonaccorso
Subject: bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution
To: oss-security@lists.openwall.com
Date: Thu, 14 Sep 2017 19:21:40 +0200

Hi

On Tue, Sep 12, 2017 at 07:22:51AM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Mon, Sep 11, 2017 at 08:58:57PM +0200, Salvatore Bonaccorso wrote:
> > Hi Paul,
> >
> > On Sun, Sep 10, 2017 at 11:56:20PM -0700, Paul Eggert wrote:
> > > GNU Emacs is an extensible, customizable, free/libre text editor and
> > > software environment.  When Emacs renders MIME text/enriched data (Internet
> > > RFC 1896), it is vulnerable to arbitrary code execution.  Since Emacs-based
> > > mail clients decode "Content-Type: text/enriched", this code is exploitable
> > > remotely.  This bug affects GNU Emacs versions 19.29 through 25.2.
> > >
> > > Although we know no efforts to exploit this in the wild, exploitation is easy.
> > [...]
> > > == Timeline ==
> > >
> > > 2017-09-04. Bug reported to the Emacs bug tracker by Charles A. Roelli.
> > >
> > > 2017-09-07. POC for remote code execution sent to the maintainers of Emacs
> > > and Gnus (Reiner Steib, private mail).
> > >
> > > 2017-09-08. Patch (by Lars Ingebrigtsen) to disable the
> > > problematic code and mitigation (private mail).
> > >
> > > 2017-09-09. Patch committed in main development repository.
> >
> > Have you requested a CVE for this issue?
>
> FTR, it seems this was submitted to DWF already as per:
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63

CVE-2017-14482 was assigned for this issue.

Regards,
Salvatore


From: Glenn Morris
Subject: control message for bug 28350
Date: Thu, 14 Sep 2017 13:34:32 -0400

retitle 28350 CVE-2017-14482: enriched.el code execution


From: Glenn Morris
Subject: bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution
To: Salvatore Bonaccorso
Cc: 28350@debbugs.gnu.org
Date: Thu, 14 Sep 2017 13:43:02 -0400

Salvatore Bonaccorso wrote:

>> FTR, it seems this was submitted to DWF already as per:
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63
>
> CVE-2017-14482 was assigned for this issue.

Thanks.  Do I need to cancel or update the DWF submission (if so, how)?
From unknown Sat Jun 14 08:58:49 2025 X-Loop: help-debbugs@gnu.org Subject: bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution Resent-From: Salvatore Bonaccorso Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Thu, 14 Sep 2017 19:55:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28350 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security To: Glenn Morris Cc: 28350@debbugs.gnu.org Received: via spool by 28350-submit@debbugs.gnu.org id=B28350.150541887224801 (code B ref 28350); Thu, 14 Sep 2017 19:55:01 +0000 Received: (at 28350) by debbugs.gnu.org; 14 Sep 2017 19:54:32 +0000 Received: from localhost ([127.0.0.1]:41504 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dsaDX-0006Rx-Tp for submit@debbugs.gnu.org; Thu, 14 Sep 2017 15:54:32 -0400 Received: from mail-wr0-f172.google.com ([209.85.128.172]:50534) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dsaDW-0006Rj-0r for 28350@debbugs.gnu.org; Thu, 14 Sep 2017 15:54:30 -0400 Received: by mail-wr0-f172.google.com with SMTP id w12so278502wrc.7 for <28350@debbugs.gnu.org>; Thu, 14 Sep 2017 12:54:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=nAJmGaR6JOpueNLdUrrZu8KuXXNB58OmG6T4clm9dwA=; b=ARWfZSEqbnXQ2rknmtREVkwdVAsZ0V0D+pVHyudD3GyCpvskHMuRWZ3z2TvIU46PDI vzGn3J+jJdam7sd0uCnAPGy0u4toLlswHPMCIjbrdo2YSjyoXwAaHQabtxrCHZFiNrSd BAVfRqaBnDLIaZj/EWH44uDLsq/pLgYG5zB7+GHwNULC3N3VGmtTVPXwo7I2Kb5oPQvL gr1Nax9KgpSusH/eRopiQF8HUrWyjd25dds7HIU86QmIJ+vQWWkFGOTlQBARIzFMISHN rG1uwei2dLYGm9H8mlou0D9i9J63Uk++boI6FxJMtdfzvwA4K6dYC72RdDZ8c7ExD1tZ cTQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id 
:references:mime-version:content-disposition:in-reply-to:user-agent; bh=nAJmGaR6JOpueNLdUrrZu8KuXXNB58OmG6T4clm9dwA=; b=EsuIzRNZDjN2vuI1PryOCXVjE20I2tiyaOxkjiaM/jm4jue5ft+IM8bKSKZzcPM7xD M6+3bULSY0gCG4ScwJuhRMQbJH+o8BronHn2POUvPHoNtJRABj7A75L4m96kyZ8rW0B5 8qArrvOgpijM4gw9gMi2IrK8o4Vs9yoJl+7f0qsu6NRHWAmBPSmgSx0B2ojUB5jEaUcb xDklHfHVcBPgJHWGSrtZQSrHJ6C5Osa7DLLOAa3e7uCzmsBn7TSL7ZvDQ8tqbOdgQJK2 qMdLjSra9rv7MEijbWyuwzlPuMhVGKzCBrSfDuTsRSoDxFznyPvVye/r9yIx/CHchWQj zHsA== X-Gm-Message-State: AHPjjUgi540EaudpLTALWpdsIEAvYQ7rnRv6ZAousDdiAXvKXcZ6EchH 9J5HcYrjGS0c6aq6 X-Google-Smtp-Source: ADKCNb7mb80q4nr1064HDf+Qbwmj46HKllZdwC4FNIN1z6A1icqOWBVX4QDJRDEmITOlv9dfcvgufg== X-Received: by 10.223.136.170 with SMTP id f39mr19081669wrf.164.1505418863761; Thu, 14 Sep 2017 12:54:23 -0700 (PDT) Received: from eldamar (80-218-164-11.dclient.hispeed.ch. [80.218.164.11]) by smtp.gmail.com with ESMTPSA id l4sm12386182wrb.74.2017.09.14.12.54.21 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 14 Sep 2017 12:54:22 -0700 (PDT) Date: Thu, 14 Sep 2017 21:54:21 +0200 
From: Salvatore Bonaccorso Message-ID: <20170914195421.glq3chokpwtr5o7p@eldamar.local> References: <09f18b8d-037d-edd2-84d5-270cd9b44d54@cs.ucla.edu> <20170911185857.hfti4mrponqoddin@eldamar.local> <20170912052251.yunyqonyel2hibg4@lorien.valinor.li> <20170914172140.gncnsqipfsnaa2yi@eldamar.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170609 (1.8.3) X-Spam-Score: -2.6 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.6 (--) Hi Glenn, On Thu, Sep 14, 2017 at 01:43:02PM -0400, Glenn Morris wrote: > Salvatore Bonaccorso wrote: > > >> FTR, it seems this was submitted to DWF already as per: > >> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63 > > > > CVE-2017-14482 was assigned for this issue. > > Thanks. Do I need to cancel or update the DWF submission (if so, how)? There is nothing further needed. The DWF has cancelled the request. From unknown Sat Jun 14 08:58:49 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org 
From: help-debbugs@gnu.org (GNU bug Tracking System) To: charles@aurox.ch (Charles A. Roelli) Subject: bug#28350: closed (Re: bug#28350: enriched.el code execution) Message-ID: References: <83a81vkm7p.fsf@gnu.org> X-Gnu-PR-Message: they-closed 28350 X-Gnu-PR-Package: emacs X-Gnu-PR-Keywords: security Reply-To: 28350@debbugs.gnu.org Date: Sat, 16 Sep 2017 09:50:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1505555402-23898-1" This is a multi-part message in MIME format... ------------=_1505555402-23898-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #28350: CVE-2017-14482: enriched.el code execution which was filed against the emacs package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 28350@debbugs.gnu.org. --=20 28350: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D28350 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1505555402-23898-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 28350-done) by debbugs.gnu.org; 16 Sep 2017 09:49:10 +0000 Received: from localhost ([127.0.0.1]:43351 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dt9ik-0006CI-Mk for submit@debbugs.gnu.org; Sat, 16 Sep 2017 05:49:10 -0400 Received: from eggs.gnu.org ([208.118.235.92]:45760) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dt9if-0006Bl-JP for 28350-done@debbugs.gnu.org; Sat, 16 Sep 2017 05:49:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dt9iV-00008Y-K7 for 28350-done@debbugs.gnu.org; Sat, 16 Sep 2017 05:48:56 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled 
version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:33804) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dt9iV-00008P-GY; Sat, 16 Sep 2017 05:48:51 -0400 Received: from 84.94.185.246.cable.012.net.il ([84.94.185.246]:4875 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1dt9iU-00051F-Tw; Sat, 16 Sep 2017 05:48:51 -0400 Date: Sat, 16 Sep 2017 12:48:58 +0300 Message-Id: <83a81vkm7p.fsf@gnu.org> From: Eli Zaretskii To: charles@aurox.ch, larsi@gnus.org In-reply-to: <83y3plqck1.fsf@gnu.org> (message from Eli Zaretskii on Mon, 11 Sep 2017 22:07:26 +0300) Subject: Re: bug#28350: enriched.el code execution References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> <83y3pls1qu.fsf@gnu.org> <83y3plqck1.fsf@gnu.org> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 28350-done Cc: eggert@cs.ucla.edu, 28350-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Eli Zaretskii Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) > Date: Mon, 11 Sep 2017 22:07:26 +0300 > From: Eli Zaretskii > Cc: larsi@gnus.org, eggert@cs.ucla.edu, 28350@debbugs.gnu.org > > > Date: Mon, 11 Sep 2017 20:44:19 +0200 
> > From: charles@aurox.ch (Charles A. Roelli) > > CC: eggert@cs.ucla.edu, larsi@gnus.org, 28350@debbugs.gnu.org > > > > > Here's the idea: we introduce a new form of a display property: > > > > > > ('disable-eval SPEC) > > > > > > where SPEC is anything supported in a display property. > > > > Thanks for suggesting this; it's much cleaner than sanitizing the > > display specification from Lisp. Looks good to me. > > Thanks, I will wait for a few days before pushing. Done. Lars, I re-enabled support for enriched text in Gnus, as the vulnerability is now removed. Feel free to disable it again, if you don't want Gnus users to be able to display enriched text, ever. I'm marking the bug done. ------------=_1505555402-23898-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 4 Sep 2017 19:25:33 +0000 Received: from localhost ([127.0.0.1]:49312 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dox00-0002nc-VX for submit@debbugs.gnu.org; Mon, 04 Sep 2017 15:25:33 -0400 Received: from eggs.gnu.org ([208.118.235.92]:49771) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dowzz-0002nM-Uw for submit@debbugs.gnu.org; Mon, 04 Sep 2017 15:25:32 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dowzp-0001eT-VG for submit@debbugs.gnu.org; Mon, 04 Sep 2017 15:25:26 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,T_DKIM_INVALID, URIBL_BLOCKED autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:35254) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dowzp-0001e9-SQ for submit@debbugs.gnu.org; Mon, 04 Sep 2017 15:25:21 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:40627) by lists.gnu.org with esmtp (Exim 4.71) 
Date: Mon, 04 Sep 2017 21:24:42 +0200
From: charles@aurox.ch (Charles A. Roelli)
To: bug-gnu-emacs@gnu.org
Subject: enriched.el code execution
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

Enriched mode implements an extension command to the text/enriched
format called "x-display", which stores "display" text properties. It
was added a while ago:

commit d9e28c1ca1d95f51a05d052dcf1fe06888d52476
Author: Gerd Moellmann
Date:   Wed Jul 21 21:43:03 1999 +0000

    (enriched-translations): Add `display' and "x-display".
    (enriched-handle-display-prop): New.
    (enriched-decode-display-prop): New.

It's possible to use this extension command to transparently execute
arbitrary code in an Emacs process that opens a text/enriched file.
For example, if you open a file containing the following contents:

Content-Type: text/enriched
Text-Width: 70

<x-display><param>(when (message "hello world") nil)</param>test</x-display>

Then "hello world" will be printed in the echo area whenever the
"test" text is displayed (which is immediate). Note that the
s-expression between the tags needs to conform to a "display" spec:
but since there are a few display specs that can execute code, it's
not difficult to craft a file that could have bad effects (shell
commands work, for example). Additionally, such a file can be
compressed with gzip (thus hiding the contents), and when it is
opened, Emacs will automatically decompress it and apply the display
properties.
Attached is an example file (enriched-bug-example.txt) that turns the
mode line red as soon as you open it. It works in 23.4, 24.5, 25.2 and
master (and possibly earlier versions -- I haven't tested).

Other extensions in `enriched-translations' of enriched.el may have
similar issues (I don't understand them all, so I hope somebody else
can make sure).

--=-=-=
Content-Type: text/enriched
Content-Disposition: attachment; filename=enriched-bug-example.txt

Content-Type: text/enriched
Text-Width: 70

<x-display><param>(when (set-face-attribute (quote mode-line) nil :background "red") nil)</param>test</x-display>

--=-=-=--

------------=_1505555402-23898-1--
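The report above describes the whole chain: a text/enriched file carries an x-display command, enriched.el reads the <param> text as a Lisp form and attaches it as a `display` property, and redisplay evaluates conditional specs such as `(when COND . SPEC)`; a gzip-compressed file is decompressed by Emacs first and reaches the same code. The following Python triage scanner is an added example, not code from the bug report, from the thread, or from Emacs. It mirrors the decoding step (first form only, as `read-from-string` would) and flags specs whose head is evaluated at redisplay, after gunzipping input that carries the gzip magic. Everything in it is the example's own: the names `scan_enriched`, `Finding`, `Sym`, `parse` and `eval_heads`; the `EVAL_HEADS` set, in which `when` is the form the report demonstrates and `height` is included on the assumption that its argument is evaluated as the Emacs display-spec documentation describes; the header regexp, which approximates the one Emacs uses to recognise text/enriched; and the sample inputs, which are constructed here (the first mirrors the "hello world" file in the report).

```python
"""Triage scanner for text/enriched <x-display> payloads (added example)."""
import gzip
import re
from dataclasses import dataclass
from typing import List, Optional

# Display-spec heads whose arguments Emacs evaluates at redisplay.  `when`
# is the form the report demonstrates; `height` is an assumption of this
# example based on the display-spec documentation.  Extend as needed.
EVAL_HEADS = {"when", "height"}

# Header line that makes Emacs decode a file as text/enriched
# (approximation of the format-alist regexp; assumption of this example).
ENRICHED_HDR_RE = re.compile(r"Content-[Tt]ype:[ \t]*text/enriched")

# <x-display><param>SPEC</param>TEXT</x-display>; tags are case-insensitive.
# Nested x-display commands are not handled by this triage regexp.
XDISPLAY_RE = re.compile(
    r"<x-display>\s*<param>(?P<param>.*?)</param>(?P<text>.*?)</x-display>",
    re.I | re.S,
)

TOKEN_RE = re.compile(
    r"\s+"                   # whitespace (skipped)
    r"|;[^\n]*"              # comment (skipped)
    r'|"(?:\\.|[^"\\])*"'    # string literal
    r"|[()']"                # list delimiters and quote
    r"""|[^\s()'";]+"""      # symbol or number
)


class Sym(str):
    """A Lisp symbol, kept distinct from a string literal."""


def parse(src: str):
    """Read the first Lisp form in SRC, like (car (read-from-string SRC)).

    Lists -> list, symbols -> Sym, strings -> str, numbers -> int/float.
    Raises ValueError on malformed input (enriched.el then drops the property).
    """
    toks = [t for t in TOKEN_RE.findall(src)
            if not (t.isspace() or t.startswith(";"))]
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of input")
        tok = toks[pos]
        pos += 1
        if tok == "(":
            items = []
            while pos < len(toks) and toks[pos] != ")":
                items.append(read())
            if pos >= len(toks):
                raise ValueError("unbalanced parentheses")
            pos += 1  # consume ')'
            return items
        if tok == ")":
            raise ValueError("unexpected ')'")
        if tok == "'":
            return [Sym("quote"), read()]
        if tok.startswith('"'):
            return tok[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        for conv in (int, float):
            try:
                return conv(tok)
            except ValueError:
                pass
        return Sym(tok)

    return read()


def eval_heads(spec) -> List[str]:
    """Heads of the spec(s) in SPEC that redisplay would evaluate.

    A display property is one spec (HEAD . ARGS) or a list of such specs;
    only the list-of-specs case is recursed into.
    """
    if not isinstance(spec, list) or not spec:
        return []
    head = spec[0]
    if isinstance(head, Sym):
        return [str(head)] if head in EVAL_HEADS else []
    if isinstance(head, list):
        found: List[str] = []
        for sub in spec:
            found.extend(eval_heads(sub))
        return found
    return []


@dataclass
class Finding:
    param: str              # raw <param> text, with "<<" unescaped
    text: str               # text the display property is attached to
    eval_heads: List[str]   # spec heads that would run code; empty if none
    parse_error: Optional[str] = None

    @property
    def executes_code(self) -> bool:
        return bool(self.eval_heads)


def scan_enriched(data: bytes) -> List[Finding]:
    """One Finding per <x-display> command in DATA (gzip accepted).

    Files without the text/enriched header are not decoded by Emacs, so
    they yield no findings even if they contain x-display markup.
    """
    if data[:2] == b"\x1f\x8b":          # gzip magic: Emacs decompresses first
        data = gzip.decompress(data)
    text = data.decode("utf-8", errors="replace")
    header, _, _body = text.partition("\n\n")
    if not ENRICHED_HDR_RE.search(header):
        return []
    findings = []
    for m in XDISPLAY_RE.finditer(text):
        param = m.group("param").replace("<<", "<")   # "<<" is a literal "<"
        try:
            heads, err = eval_heads(parse(param)), None
        except ValueError as exc:
            heads, err = [], str(exc)
        findings.append(Finding(param, m.group("text"), heads, err))
    return findings


# Constructed samples: HELLO mirrors the report's "hello world" file,
# the others are made up for this example.
HELLO = (b"Content-Type: text/enriched\nText-Width: 70\n\n"
         b'<x-display><param>(when (message "hello world") nil)</param>'
         b"test</x-display>\n")
HELLO_GZ = gzip.compress(HELLO)   # the gzip-hidden variant the report mentions
BENIGN = (b"Content-Type: text/enriched\n\n"
          b'<x-display><param>(image :type png :file "logo.png")</param>'
          b"logo</x-display>\n")
PLAIN = b"Plain text: <x-display><param>(when t nil)</param>x</x-display>\n"

if __name__ == "__main__":
    for name, blob in (("hello", HELLO), ("hello.gz", HELLO_GZ),
                       ("benign", BENIGN), ("plain", PLAIN)):
        for f in scan_enriched(blob):
            verdict = "EVAL " + ",".join(f.eval_heads) if f.executes_code else "ok"
            print(f"{name}: {verdict}: {f.param}")
```

The scanner is a gate for mail or file pipelines, to be run before an unpatched Emacs decodes the part; it does not replace the fix agreed in the thread, which wraps every decoded spec in `(disable-eval SPEC)` on the Emacs side. Any x-display command is attacker-controlled input to redisplay, so a strict policy would treat every finding as suspect and use `executes_code` only to prioritise.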