GNU bug report logs - #28350
CVE-2017-14482: enriched.el code execution


Package: emacs;

Reported by: charles <at> aurox.ch (Charles A. Roelli)

Date: Mon, 4 Sep 2017 19:26:01 UTC

Severity: important

Tags: security

Found in versions 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 23.1, 23.2, 23.3, 23.4, 24.1, 24.2, 24.3, 24.4, 24.5, 25.1, 25.2

Fixed in version 25.3

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.




From: Eli Zaretskii <eliz <at> gnu.org>
To: eggert <at> cs.ucla.edu
Cc: larsi <at> gnus.org, charles <at> aurox.ch, 28350 <at> debbugs.gnu.org
Subject: bug#28350: enriched.el code execution
Date: Mon, 11 Sep 2017 17:22:48 +0300
> Date: Mon, 11 Sep 2017 05:39:27 +0300
> From: Eli Zaretskii <eliz <at> gnu.org>
> Cc: larsi <at> gnus.org, charles <at> aurox.ch, 28350 <at> debbugs.gnu.org
> 
> > From: Paul Eggert <eggert <at> cs.ucla.edu>
> > Date: Sun, 10 Sep 2017 14:46:59 -0700
> > Cc: larsi <at> gnus.org, 28350 <at> debbugs.gnu.org
> > 
> > >    (eval-after-load "enriched"
> > >      '(defun enriched-decode-display-prop (start end &optional param)
> > >         (list start end)))
> > > 
> > > But it may not work in Emacs earlier than 23 (I can't test it).
> > 
> > It should work, since eval-after-load predates Emacs 19.29.  Though it assumes 
> > that x-display is the only problem here.
> 
> x-display _is_ the only problem, because only it allows arbitrary Lisp
> forms.

I eventually decided to provide a simpler patch, see below.  The
original changes unnecessarily removed the capability to encode
display properties while saving Enriched Mode text, something that
doesn't have any security issues (because the vulnerability is on the
receiving end).  I also prefer not to remove the offending code, but
instead to comment it out, as I believe this is more in the tradition
of Free Software to let people eyeball what we did.  Finally, I
rewrote the NEWS entry to be more accurate wrt the actual change.

Nicolas is working on the release as we speak, so if someone has
suggestions, or objections, or something else important to say about
the patch, please speak up.

I'd like to take this opportunity to thank all those who worked and
continue working on fixing this vulnerability.


2017-09-11  Eli Zaretskii  <eliz <at> gnu.org>

	* etc/NEWS: Document the vulnerability and its resolution.
	Include a workaround.  Suggested by Charles A. Roelli
	<charles <at> aurox.ch>.

	* lisp/gnus/mm-view.el (mm-inline-text): Disable decoding of
	"enriched" and "richtext" MIME objects.  Suggested by Lars
	Ingebrigtsen <larsi <at> gnus.org>.

	* lisp/textmodes/enriched.el (enriched-decode-display-prop): Don't
	produce 'display' properties.  (Bug#28350)


--- lisp/textmodes/enriched.el~0	2017-02-03 12:25:44.000000000 +0200
+++ lisp/textmodes/enriched.el	2017-09-11 17:31:35.943569900 +0300
@@ -503,6 +503,9 @@
 		  (error nil)))))
     (unless prop
       (message "Warning: invalid <x-display> parameter %s" param))
-    (list start end 'display prop)))
+    ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+    ;; forms in display properties stored within enriched text.
+    ;; (list start end 'display prop)))
+    (list start end)))
 
 ;;; enriched.el ends here
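Review bot: the parameter-parsing code above the changed lines (the `(error nil)` handler is still in the context) runs only to have its result thrown away, and the "Warning: invalid <x-display> parameter" message now fires for parameters that would be ignored even if they were valid. Returning `(list start end)` at the top of the function, before the parameter is read, avoids both, and the comment should cite Bug#28350 / CVE-2017-14482 so the reason for the commented-out `(list start end 'display prop)` line can be found later.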


--- lisp/gnus/mm-view.el~0	2017-02-03 12:25:44.000000000 +0200
+++ lisp/gnus/mm-view.el	2017-09-11 16:56:58.804519400 +0300
@@ -383,10 +383,12 @@
 	(goto-char (point-max))))
     (save-restriction
       (narrow-to-region b (point))
-      (when (member type '("enriched" "richtext"))
-        (set-text-properties (point-min) (point-max) nil)
-	(ignore-errors
-	  (enriched-decode (point-min) (point-max))))
+      ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+      ;; forms in display properties supported by enriched.el.
+      ;; (when (member type '("enriched" "richtext"))
+      ;;   (set-text-properties (point-min) (point-max) nil)
+      ;; 	(ignore-errors
+      ;; 	  (enriched-decode (point-min) (point-max))))
       (mm-handle-set-undisplayer
        handle
        `(lambda ()
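Review bot: the comment on the disabled block says why decoding is off but not what happens to "enriched" and "richtext" parts now that the `(when (member type ...))` branch is gone: they fall through and are shown as raw text/enriched markup with whatever properties they already carry, since the `set-text-properties` call is also commented out. Say so in the comment and cite Bug#28350, and normalise the mixed tab/space indentation on the `;; 	(ignore-errors` line before committing.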


--- etc/NEWS~0	2017-02-21 11:08:27.000000000 +0200
+++ etc/NEWS	2017-09-11 17:21:06.994252400 +0300
@@ -16,6 +16,32 @@
 with a prefix argument or by typing C-u C-h C-n.
 
 
+* Changes in Emacs 25.3
+
+This is an emergency release to fix a security vulnerability in Emacs.
+
+** Security vulnerability related to Enriched Text mode is removed.
+
+*** Enriched Text mode has its support for decoding 'x-display' disabled.
+This feature allows saving 'display' properties as part of text.
+Emacs 'display' properties support evaluation of arbitrary Lisp forms
+as part of instantiating the property, so decoding 'x-display' is
+vulnerable to executing arbitrary malicious Lisp code included in the
+text (e.g., sent as part of an email message).
+
+This vulnerability was introduced in Emacs 19.29.  To work around that
+in Emacs versions before 25.3, append the following to your ~/.emacs
+init file:
+
+  (eval-after-load "enriched"
+    '(defun enriched-decode-display-prop (start end &optional param)
+       (list start end)))
+
+*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
+This support was disabled to avoid evaluation of arbitrary Lisp code
+contained in email messages and news articles.
+
+
 * Changes in Emacs 25.2
 
 This is mainly a bug-fix release, but there are some other changes.
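Review bot: the workaround paragraph should state that the `eval-after-load` redefinition also covers the Gnus path, because `mm-inline-text` reaches the same decoder through `enriched-decode` (see the mm-view.el hunk), so users of pre-25.3 Gnus do not need a second workaround; it should also say the snippet must be evaluated before any enriched text is decoded, which putting it in the init file guarantees. The heading "Security vulnerability related to Enriched Text mode is removed" reads oddly next to the entry's body; "is fixed" matches the wording used in the hunk's first line.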




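As an added example, not code from the bug report, the patch or Emacs itself, the following Emacs Lisp checks whether the enriched.el in a running Emacs still turns an <x-display> parameter into a 'display' text property, decodes a constructed text/enriched sample to show the property on the text, and installs the workaround from the NEWS entry. It assumes lisp/textmodes/enriched.el is loadable; the my-... names and the sample text are hypothetical, and the Lisp form inside the sample is harmless and is never evaluated here because nothing displays the buffer.

```elisp
;; Added example for bug#28350 (CVE-2017-14482); not part of Emacs or of
;; the patch in the report.  Assumes `enriched' is loadable.  All
;; my-... names are hypothetical.
(require 'enriched)

(defvar my-enriched-form-ran nil
  "Set to t only if the sample's display form were ever evaluated.
It stays nil in this example, which never displays the buffer.")

;; Constructed text/enriched sample (no Content-Type header, which
;; `enriched-decode' treats as optional).  The <x-display> parameter
;; carries a Lisp form of the kind the NEWS entry describes: an
;; unpatched enriched.el attaches it as a `display' property, and Emacs
;; would evaluate the (when ...) condition when instantiating the
;; property during redisplay.
(defconst my-enriched-sample
  "plain <x-display><param>(when (setq my-enriched-form-ran t) \"\")</param>tagged</x-display> plain")

(defun my-enriched-x-display-vulnerable-p ()
  "Return t if `enriched-decode-display-prop' still yields a `display' property.
Calls the decoder directly with a harmless string parameter.  Before the
25.3 patch it returns (START END display VALUE); after it, (START END)."
  (let ((result (enriched-decode-display-prop 1 2 "\"harmless\"")))
    (and (memq 'display result) t)))

(defun my-enriched-display-props (text)
  "Decode TEXT with `enriched-decode' in a temporary buffer.
Return a list of (START END VALUE) for every `display' property found
afterwards, i.e. the spans an unpatched enriched.el built from
<x-display>.  With the 25.3 decoder the result is nil."
  (with-temp-buffer
    (insert text)
    (enriched-decode (point-min) (point-max))
    (let ((pos (point-min)) found)
      (while pos
        (let ((val (get-text-property pos 'display)))
          (when val
            (push (list pos
                        (next-single-property-change pos 'display nil (point-max))
                        val)
                  found)))
        (setq pos (next-single-property-change pos 'display)))
      (nreverse found))))

(defun my-enriched-apply-workaround ()
  "Install the NEWS workaround for Emacs before 25.3.
Replaces the decoder with one that drops the parameter, exactly as the
`eval-after-load' snippet in NEWS does, then re-runs the check and
returns t when <x-display> no longer produces a `display' property."
  (defalias 'enriched-decode-display-prop
    (lambda (start end &optional _param)
      "Workaround for bug#28350: ignore <x-display> parameters."
      (list start end)))
  (not (my-enriched-x-display-vulnerable-p)))

;; Usage (M-: or *scratch*):
;; (my-enriched-x-display-vulnerable-p)
;; (my-enriched-display-props my-enriched-sample)
;; (my-enriched-apply-workaround)
;; (my-enriched-display-props my-enriched-sample)
;; my-enriched-form-ran
```

On an Emacs before 25.3 the first two calls return t and a one-element list whose VALUE is the unevaluated (when ...) form from the sample; after my-enriched-apply-workaround, or on 25.3 and later, both return nil, and my-enriched-form-ran stays nil throughout because the property is only attached, never instantiated by redisplay.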


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.