From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#28350: enriched.el code execution
Date: Mon, 11 Sep 2017 17:22:48 +0300
Message-ID: <83efrdtivb.fsf@gnu.org>
References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> <89bf7f23-d065-572c-ad54-bce7cb9a02e7@cs.ucla.edu> <83ingqt0v4.fsf@gnu.org>
In-reply-to: <83ingqt0v4.fsf@gnu.org> (message from Eli Zaretskii on Mon, 11 Sep 2017 05:39:27 +0300)
To: eggert@cs.ucla.edu
Cc: larsi@gnus.org, charles@aurox.ch, 28350@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.org gmane.emacs.bugs:136775

> Date: Mon, 11 Sep 2017 05:39:27 +0300
> From: Eli Zaretskii
> Cc: larsi@gnus.org, charles@aurox.ch, 28350@debbugs.gnu.org
>
> > From: Paul Eggert
> > Date: Sun, 10 Sep 2017 14:46:59 -0700
> > Cc: larsi@gnus.org, 28350@debbugs.gnu.org
> >
> > > (eval-after-load "enriched"
> > >   '(defun enriched-decode-display-prop (start end &optional param)
> > >      (list start end)))
> > >
> > > But it may not work in Emacs earlier than 23 (I can't test it).
> >
> > It should work, since eval-after-load predates Emacs 19.29. Though it assumes
> > that x-display is the only problem here.
>
> x-display _is_ the only problem, because only it allows arbitrary Lisp
> forms.

I eventually decided to provide a simpler patch, see below. The original changes unnecessarily removed the capability to encode display properties while saving Enriched Mode text, something that doesn't have any security issues (because the vulnerability is on the receiving end). I also prefer not to remove the offending code, but instead to comment it out, as I believe this is more in the tradition of Free Software to let people eyeball what we did. Finally, I rewrote the NEWS entry to be more accurate wrt the actual change.

Nicolas is working on the release as we speak, so if someone has suggestions, or objections, or something else important to say about the patch, please speak up.

I'd like to take this opportunity to thank all those who worked and continue working on fixing this vulnerability.

2017-09-11  Eli Zaretskii

        * etc/NEWS: Document the vulnerability and its resolution.
        Include a workaround.  Suggested by Charles A. Roelli.
        * lisp/gnus/mm-view.el (mm-inline-text): Disable decoding of
        "enriched" and "richtext" MIME objects.  Suggested by Lars
        Ingebrigtsen.
        * lisp/textmodes/enriched.el (enriched-decode-display-prop): Don't
        produce 'display' properties.  (Bug#28350)

--- lisp/textmodes/enriched.el~0	2017-02-03 12:25:44.000000000 +0200
+++ lisp/textmodes/enriched.el	2017-09-11 17:31:35.943569900 +0300
@@ -503,6 +503,9 @@ (error nil))))) (unless prop (message "Warning: invalid parameter %s" param)) - (list start end 'display prop))) + ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp + ;; forms in display properties stored within enriched text. + ;; (list start end 'display prop))) + (list start end))) ;;; enriched.el ends here --- lisp/gnus/mm-view.el~0 2017-02-03 12:25:44.000000000 +0200 +++ lisp/gnus/mm-view.el 2017-09-11 16:56:58.804519400 +0300 @@ -383,10 +383,12 @@ (goto-char (point-max)))) (save-restriction (narrow-to-region b (point)) - (when (member type '("enriched" "richtext")) - (set-text-properties (point-min) (point-max) nil) - (ignore-errors - (enriched-decode (point-min) (point-max)))) + ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp + ;; forms in display properties supported by enriched.el. + ;; (when (member type '("enriched" "richtext")) + ;; (set-text-properties (point-min) (point-max) nil) + ;; (ignore-errors + ;; (enriched-decode (point-min) (point-max)))) (mm-handle-set-undisplayer handle `(lambda () --- etc/NEWS~0 2017-02-21 11:08:27.000000000 +0200 +++ etc/NEWS 2017-09-11 17:21:06.994252400 +0300 
@@ -16,6 +16,32 @@ with a prefix argument or by typing C-u C-h C-n. +* Changes in Emacs 25.3 + +This is an emergency release to fix a security vulnerability in Emacs. + +** Security vulnerability related to Enriched Text mode is removed. + +*** Enriched Text mode has its support for decoding 'x-display' disabled. +This feature allows saving 'display' properties as part of text. +Emacs 'display' properties support evaluation of arbitrary Lisp forms +as part of instantiating the property, so decoding 'x-display' is +vulnerable to executing arbitrary malicious Lisp code included in the +text (e.g., sent as part of an email message). + +This vulnerability was introduced in Emacs 19.29. To work around that +in Emacs versions before 25.3, append the following to your ~/.emacs +init file: + + (eval-after-load "enriched" + '(defun enriched-decode-display-prop (start end &optional param) + (list start end))) + +*** Gnus no longer supports "richtext" and "enriched" inline MIME objects. +This support was disabled to avoid evaluation of arbitrary Lisp code +contained in email messages and news articles. + + * Changes in Emacs 25.2 This is mainly a bug-fix release, but there are some other changes.
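Review bot: in the enriched.el hunk only the return value changes, so everything before it in enriched-decode-display-prop still runs on the untrusted parameter: the condition-case whose handler is (error nil) still evaluates to compute prop, and (unless prop (message "Warning: invalid parameter %s" param)) still fires, even though prop is now discarded. Since the function now unconditionally returns (list start end), consider returning early, as the NEWS workaround does by redefining the whole function to (list start end), so the parameter text is never parsed at all, and either drop the warning or reword it so users are not told a parameter was accepted when it is always ignored. The closing parens kept inside the commented-out ";; (list start end 'display prop)))" line are repeated on the new "(list start end)))" line, so the enclosing form stays balanced.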
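Review bot: in the mm-view.el hunk, commenting out the whole (when (member type '("enriched" "richtext")) ...) form means a text/enriched or text/richtext part now falls through the rest of mm-inline-text and is shown verbatim, markup and all, because the body has already been inserted between b and (point) before the save-restriction. That is the safe outcome, but it is a user-visible behaviour change that the NEWS text describes only as "no longer supports"; the comment or the NEWS item should say that such parts are displayed as raw text so that bug reports about visible <x-display> markup are not mistaken for a regression.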
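Review bot: in the NEWS hunk, the workaround given for versions before 25.3 redefines enriched-decode-display-prop, so it should also neutralize the Gnus inline path, which reaches the same code through enriched-decode (see the mm-view.el hunk); the entry could say so, since a reader of the "*** Gnus no longer supports ..." item may otherwise assume a separate Gnus workaround is needed. Two wording points: the "** Security vulnerability ... is removed" heading reads better as "is fixed", and "This feature allows saving 'display' properties as part of text" describes the encoding side, which this patch deliberately keeps (only decoding is disabled), so "allows restoring" or "decodes" would match the change.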