* bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution
From: Salvatore Bonaccorso @ 2017-09-14 17:21 UTC
To: oss-security

Hi

On Tue, Sep 12, 2017 at 07:22:51AM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Mon, Sep 11, 2017 at 08:58:57PM +0200, Salvatore Bonaccorso wrote:
> > Hi Paul,
> >
> > On Sun, Sep 10, 2017 at 11:56:20PM -0700, Paul Eggert wrote:
> > > GNU Emacs is an extensible, customizable, free/libre text editor and
> > > software environment. When Emacs renders MIME text/enriched data (Internet
> > > RFC 1896), it is vulnerable to arbitrary code execution. Since Emacs-based
> > > mail clients decode "Content-Type: text/enriched", this code is exploitable
> > > remotely. This bug affects GNU Emacs versions 19.29 through 25.2.
> > >
> > > Although we know no efforts to exploit this in the wild, exploitation is easy.
> > [...]
> > > == Timeline ==
> > >
> > > 2017-09-04. Bug reported to the Emacs bug tracker by Charles A. Roelli.
> > >
> > > 2017-09-07. POC for remote code execution sent to the maintainers of Emacs
> > > and Gnus (Reiner Steib <Reiner.Steib@gmx.de>, private mail).
> > >
> > > 2017-09-08. Patch (by Lars Ingebrigtsen <larsi@gnus.org>) to disable the
> > > problematic code and mitigation (private mail).
> > >
> > > 2017-09-09. Patch committed in main development repository.
> >
> > Have you requested a CVE for this issue?
>
> FTR, it seems this was submitted to DWF already as per:
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63

CVE-2017-14482 was assigned for this issue.

Regards,
Salvatore

* bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution
From: Glenn Morris @ 2017-09-14 17:43 UTC
To: Salvatore Bonaccorso; +Cc: 28350

Salvatore Bonaccorso wrote:

>> FTR, it seems this was submitted to DWF already as per:
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63
>
> CVE-2017-14482 was assigned for this issue.

Thanks. Do I need to cancel or update the DWF submission (if so, how)?

* bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution
From: Salvatore Bonaccorso @ 2017-09-14 19:54 UTC
To: Glenn Morris; +Cc: 28350

Hi Glenn,

On Thu, Sep 14, 2017 at 01:43:02PM -0400, Glenn Morris wrote:
> Salvatore Bonaccorso wrote:
>
> >> FTR, it seems this was submitted to DWF already as per:
> >> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63
> >
> > CVE-2017-14482 was assigned for this issue.
>
> Thanks. Do I need to cancel or update the DWF submission (if so, how)?

There is nothing further needed. The DWF has cancelled the request.