GNU bug report logs - #28350
CVE-2017-14482: enriched.el code execution

Previous Next

Package: emacs;

Reported by: charles <at> aurox.ch (Charles A. Roelli)

Date: Mon, 4 Sep 2017 19:26:01 UTC

Severity: important

Tags: security

Found in versions 25.1, 23.1, 21.4, 23.2, 21.2, 22.3, 24.3, 21.1, 21.3, 24.1, 24.5, 25.2, 24.2, 23.4, 22.1, 23.3, 24.4, 22.2

Fixed in version 25.3

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #99 received at 28350-done <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: charles <at> aurox.ch, larsi <at> gnus.org
Cc: eggert <at> cs.ucla.edu, 28350-done <at> debbugs.gnu.org
Subject: Re: bug#28350: enriched.el code execution
Date: Sat, 16 Sep 2017 12:48:58 +0300

> Date: Mon, 11 Sep 2017 22:07:26 +0300
> From: Eli Zaretskii <eliz <at> gnu.org>
> Cc: larsi <at> gnus.org, eggert <at> cs.ucla.edu, 28350 <at> debbugs.gnu.org
> 
> > Date: Mon, 11 Sep 2017 20:44:19 +0200
> > From: charles <at> aurox.ch (Charles A. Roelli)
> > CC: eggert <at> cs.ucla.edu, larsi <at> gnus.org, 28350 <at> debbugs.gnu.org
> > 
> > > Here's the idea: we introduce a new form of a display property:
> > > 
> > >   ('disable-eval SPEC)
> > > 
> > > where SPEC is anything supported in a display property.
> > 
> > Thanks for suggesting this; it's much cleaner than sanitizing the
> > display specification from Lisp.  Looks good to me.
> 
> Thanks, I will wait for a few days before pushing.

Done.

Lars, I re-enabled support for enriched text in Gnus, as the
vulnerability is now removed.  Feel free to disable it again, if you
don't want Gnus users to be able to display enriched text, ever.

I'm marking the bug done.
This bug report was last modified 7 years and 245 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.