GNU bug report logs - #28350
CVE-2017-14482: enriched.el code execution


Package: emacs

Reported by: charles <at> aurox.ch (Charles A. Roelli)

Date: Mon, 4 Sep 2017 19:26:01 UTC

Severity: important

Tags: security

Found in versions 25.1, 23.1, 21.4, 23.2, 21.2, 22.3, 24.3, 21.1, 21.3, 24.1, 24.5, 25.2, 24.2, 23.4, 22.1, 23.3, 24.4, 22.2

Fixed in version 25.3

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.



Message #66 received at 28350 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Glenn Morris <rgm <at> gnu.org>
Cc: "Charles A. Roelli" <charles <at> aurox.ch>, 28350 <at> debbugs.gnu.org
Subject: Re: bug#28350: enriched.el code execution
Date: Mon, 11 Sep 2017 09:38:14 -0700

On 09/11/2017 08:33 AM, Glenn Morris wrote:
> I submitted this to https://github.com/distributedweaknessfiling/ .
> I see you sent it to http://seclists.org/oss-sec/2017/q3/422 .

Yes, I sent it to the oss-security mailing list, and it is archived here:

http://www.openwall.com/lists/oss-security/2017/09/11/1

> Are you sure this issue affects Emacs 19.29, as stated there?
> The x-display code is "only" present since 21.1, AFAICS.

Thanks for checking. When I wrote that, I looked for any of the text 
involved in Lars's patch. If a smaller patch will do, that might explain 
why you're seeing 21.1 rather than 19.29. We can mention 21.1 instead of 
19.29 in the 25.3 release, and I'll update etc/NEWS accordingly in 
emacs-25 and master once that comes out.

These days almost nobody is running Emacs older than 21.1, so the exact 
version number shouldn't matter to anybody other than software 
archaeologists.





This bug report was last modified 7 years and 245 days ago.
