From: charles@aurox.ch (Charles A. Roelli)
Newsgroups: gmane.emacs.bugs
Subject: bug#28350: enriched.el code execution
Date: Sun, 10 Sep 2017 20:54:13 +0200
References: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu>
Cc: larsi@gnus.org, 28350@debbugs.gnu.org
To: Paul Eggert
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
In-reply-to: <305e0573-2e10-cb15-4133-9bd72d33ea5e@cs.ucla.edu> (message from Paul Eggert on Sat, 9 Sep 2017 15:43:30 -0700)
Xref: news.gmane.org gmane.emacs.bugs:136737

> From: Paul Eggert
> Date: Sat, 9 Sep 2017 15:43:30 -0700
>
> Thanks for reporting this bug. Since it is a serious security hole I have
> installed a patch by Lars Ingebrigtsen that temporarily disables the problematic
> translations, and that also changes Gnus to not call enriched-decode. For the
> emacs-25 branch the patch is here:
>
> https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70
>
> and for the master branch the patch is here:
>
> https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=19584f13b1e2e4a778602a8302619ef5c675e68b
>
> As this patch is merely a workaround to close the security hole, I am not
> marking the underlying bug as fixed.
>
> Thank you for reporting the problem.

Thanks for these fixes. I have some comments:

> branch: master
> commit 19584f13b1e2e4a778602a8302619ef5c675e68b
> Author: Lars Ingebrigtsen
> Commit: Paul Eggert
>
> [...]
>
> --- a/lisp/textmodes/enriched.el
> +++ b/lisp/textmodes/enriched.el
> @@ -117,12 +117,7 @@ expression, which is evaluated to get the string to insert.")
> (full "flushboth")
> (center "center"))
> (PARAMETER (t "param")) ; Argument of preceding annotation
> - ;; The following are not part of the standard:
> - (FUNCTION (enriched-decode-foreground "x-color")
> - (enriched-decode-background "x-bg-color")

Do we know that "x-color" and/or "x-bg-color" are vulnerable to a similar
misuse as "x-display"? If not, I can still re-add them at a later time.

> branch: emacs-25
> commit b6389930146882a77c22901a4357e287826fc7ff
> Author: Paul Eggert
> Commit: Paul Eggert
>
> [...]
>
> +** Enriched text mode no longer supports the 'FUNCTION' and 'display'
> +translations, and Gnus no longer processes enriched text when
> +inlining. This fixes bugs introduced in Emacs 19.29. To work around
> +these bugs in Emacs versions 19.29 through 25.2, append the following
> +to your ~/.emacs file:
> +
> + (provide 'enriched)
> + (defun enriched-mode (&optional arg))
> + (defun enriched-decode (from to))

This fix is very safe, at the cost of disabling Enriched mode. Could we do
any better? I had suggested the following (in
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#16):

(eval-after-load "enriched"
  '(defun enriched-decode-display-prop (start end &optional param)
     (list start end)))

But it may not work in Emacs earlier than 23 (I can't test it).
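Review bot: in the enriched.el hunk, the `;; The following are not part of the standard:` comment is removed together with the `FUNCTION` entries for "x-color" and "x-bg-color", so the translation table keeps no record that these non-standard translations were taken out on purpose; consider keeping a comment at that spot that names bug#28350 and says the entries are disabled pending review, so they are not re-added later without the check on "x-color"/"x-bg-color" asked for in the reply.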
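Review bot: in the NEWS hunk, the sentence says only that the 'FUNCTION' and 'display' translations are no longer supported, but the suggested `~/.emacs` snippet stubs out `enriched-mode` and `enriched-decode` entirely, which turns Enriched mode off altogether rather than just those two translations; suggest stating that trade-off in the entry (for example "the following disables Enriched mode completely") so users of 19.29 through 25.2 know what they are giving up.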
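As an added example, not code from this thread, from enriched.el or from the patches it discusses: a defensive pre-check in Emacs Lisp that scans a region for text/enriched annotations and reports any whose command name is outside an allowlist of the standard RFC 1896 formatting commands, so a caller can refuse to hand the text to `enriched-decode` at all instead of relying on individual translations being disabled. The `my-` names are assumptions introduced here; the allowlist is deliberately limited to the standard commands, so the "x-display", "x-color" and "x-bg-color" extensions mentioned above are all reported. A doubled `<<` is treated as the escape for a literal `<`.

```elisp
;; Added example for bug#28350 (not part of enriched.el or the patches
;; discussed in this thread).  All `my-' names are assumptions.
(require 'enriched)

(defconst my-enriched-allowed-commands
  '("bold" "italic" "fixed" "smaller" "bigger" "underline" "center"
    "flushleft" "flushright" "flushboth" "nofill" "param" "excerpt"
    "indent" "indentright")
  "Formatting commands defined by RFC 1896.
Anything else, including the x-display, x-color and x-bg-color
extensions, is reported by `my-enriched-unlisted-annotations'.")

(defun my-enriched-unlisted-annotations (start end)
  "Return a list of (NAME . POS) for annotations between START and END
whose command NAME is not in `my-enriched-allowed-commands'.
POS is the buffer position of the opening \"<\".  A doubled \"<<\" is
the text/enriched escape for a literal \"<\" and is skipped."
  (let ((case-fold-search t)
        found)
    (save-excursion
      (save-restriction
        (narrow-to-region start end)
        (goto-char (point-min))
        (while (search-forward "<" nil t)
          (cond
           ;; "<<" encodes a literal "<": step over the second one.
           ((eq (char-after) ?<)
            (forward-char 1))
           ;; "<cmd>" or "</cmd>": check the command name.
           ((looking-at "/?\\([-a-z0-9]+\\)>")
            (let ((name (downcase (match-string 1))))
              (unless (member name my-enriched-allowed-commands)
                (push (cons name (1- (point))) found)))
            (goto-char (match-end 0)))))))
    (nreverse found)))

(defun my-enriched-decode-if-safe (start end)
  "Decode START..END with `enriched-decode' only if every annotation
is on the allowlist.  Otherwise leave the text untouched and return
the list of offending (NAME . POS) pairs; return nil after decoding."
  (let ((bad (my-enriched-unlisted-annotations start end)))
    (if bad
        bad
      (enriched-decode start end)
      nil)))

;; Usage (constructed input):
;; (with-temp-buffer
;;   (insert "<bold>plain</bold> and <x-display>not on the list</x-display>")
;;   (my-enriched-unlisted-annotations (point-min) (point-max)))
```

The check is stricter than the patch above: where the patch removes specific translations from the table, this refuses to decode any message carrying a non-standard annotation, which is the safer default for text arriving from the network (for instance through Gnus) and costs nothing for the standard commands.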