From: Salvatore Bonaccorso
Newsgroups: gmane.emacs.bugs
Subject: bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution
Date: Thu, 14 Sep 2017 19:21:40 +0200
To: oss-security@lists.openwall.com

Hi

On Tue, Sep 12, 2017 at 07:22:51AM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Mon, Sep 11, 2017 at 08:58:57PM +0200, Salvatore Bonaccorso wrote:
> > Hi Paul,
> >
> > On Sun, Sep 10, 2017 at 11:56:20PM -0700, Paul Eggert wrote:
> > > GNU Emacs is an extensible, customizable, free/libre text editor and
> > > software environment. When Emacs renders MIME text/enriched data (Internet
> > > RFC 1896), it is vulnerable to arbitrary code execution. Since Emacs-based
> > > mail clients decode "Content-Type: text/enriched", this code is exploitable
> > > remotely. This bug affects GNU Emacs versions 19.29 through 25.2.
> > >
> > > Although we know no efforts to exploit this in the wild, exploitation is easy.
> > [...]
> > > == Timeline ==
> > >
> > > 2017-09-04. Bug reported to the Emacs bug tracker by Charles A. Roelli.
> > >
> > > 2017-09-07. POC for remote code execution sent to the maintainers of Emacs
> > > and Gnus (Reiner Steib, private mail).
> > >
> > > 2017-09-08. Patch (by Lars Ingebrigtsen) to disable the
> > > problematic code and mitigation (private mail).
> > >
> > > 2017-09-09. Patch committed in main development repository.
> >
> > Have you requested a CVE for this issue?
>
> FTR, it seems this was submitted to DWF already as per:
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63

CVE-2017-14482 was assigned for this issue.

Regards,
Salvatore
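
A triage sketch for the exposure described in the quoted advisory, added here and not part of the original thread: it finds text/enriched MIME parts in a message and checks whether an Emacs version falls in the stated 19.29 through 25.2 range. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_string

# Affected range as stated in the quoted advisory (major, minor).
AFFECTED_MIN, AFFECTED_MAX = (19, 29), (25, 2)


def emacs_version_affected(version):
    """True if major.minor lies in 19.29..25.2; a trailing build number is ignored."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return AFFECTED_MIN <= (major, minor) <= AFFECTED_MAX


def enriched_parts(raw_message):
    """Return walk() indices of every text/enriched part, however deeply nested."""
    msg = message_from_string(raw_message)
    # get_content_type() lower-cases the type and drops parameters such as charset.
    return [i for i, part in enumerate(msg.walk())
            if part.get_content_type() == "text/enriched"]


def needs_attention(raw_message, emacs_version):
    """A message matters only if the reader's Emacs is in range and would decode it."""
    return emacs_version_affected(emacs_version) and bool(enriched_parts(raw_message))


# Constructed sample: multipart/alternative with a mixed-case text/enriched part.
SAMPLE_ENRICHED = """\
From: sender@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

hello
--b1
Content-Type: Text/Enriched; charset=us-ascii

<bold>hello</bold>
--b1--
"""

# Constructed sample: plain text only, nothing for the enriched decoder to see.
SAMPLE_PLAIN = """\
From: sender@example.org
Subject: constructed sample
Content-Type: text/plain; charset=us-ascii

hello
"""
```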