unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution
       [not found]   ` <20170912052251.yunyqonyel2hibg4@lorien.valinor.li>
@ 2017-09-14 17:21     ` Salvatore Bonaccorso
       [not found]     ` <20170914172140.gncnsqipfsnaa2yi@eldamar.local>
  1 sibling, 0 replies; 3+ messages in thread
From: Salvatore Bonaccorso @ 2017-09-14 17:21 UTC
  To: oss-security

Hi

On Tue, Sep 12, 2017 at 07:22:51AM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> On Mon, Sep 11, 2017 at 08:58:57PM +0200, Salvatore Bonaccorso wrote:
> > Hi Paul,
> > 
> > On Sun, Sep 10, 2017 at 11:56:20PM -0700, Paul Eggert wrote:
> > > GNU Emacs is an extensible, customizable, free/libre text editor and
> > > software environment.  When Emacs renders MIME text/enriched data (Internet
> > > RFC 1896), it is vulnerable to arbitrary code execution. Since Emacs-based
> > > mail clients decode "Content-Type: text/enriched", this code is exploitable
> > > remotely. This bug affects GNU Emacs versions 19.29 through 25.2.
> > > 
> > > Although we know no efforts to exploit this in the wild, exploitation is easy.
> > [...]
> > > == Timeline ==
> > > 
> > > 2017-09-04. Bug reported to the Emacs bug tracker by Charles A. Roelli.
> > > 
> > > 2017-09-07. POC for remote code execution sent to the maintainers of Emacs
> > > and Gnus (Reiner Steib <Reiner.Steib@gmx.de>, private mail).
> > > 
> > > 2017-09-08. Patch (by Lars Ingebrigtsen <larsi@gnus.org>) to disable the
> > > problematic code and mitigation (private mail).
> > > 
> > > 2017-09-09. Patch committed in main development repository.
> > 
> > Have you requested a CVE for this issue?
> 
> FTR, it seems this was submitted to DWF already as per:
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63

CVE-2017-14482 was assigned for this issue.

Regards,
Salvatore






* bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution
       [not found]     ` <20170914172140.gncnsqipfsnaa2yi@eldamar.local>
@ 2017-09-14 17:43       ` Glenn Morris
  2017-09-14 19:54         ` Salvatore Bonaccorso
  0 siblings, 1 reply; 3+ messages in thread
From: Glenn Morris @ 2017-09-14 17:43 UTC
  To: Salvatore Bonaccorso; +Cc: 28350

Salvatore Bonaccorso wrote:

>> FTR, it seems this was submitted to DWF already as per:
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63
>
> CVE-2017-14482 was assigned for this issue.

Thanks. Do I need to cancel or update the DWF submission (if so, how)?






* bug#28350: [oss-security] GNU Emacs 25.2 enriched text remote code execution
  2017-09-14 17:43       ` Glenn Morris
@ 2017-09-14 19:54         ` Salvatore Bonaccorso
  0 siblings, 0 replies; 3+ messages in thread
From: Salvatore Bonaccorso @ 2017-09-14 19:54 UTC
  To: Glenn Morris; +Cc: 28350

Hi Glenn,

On Thu, Sep 14, 2017 at 01:43:02PM -0400, Glenn Morris wrote:
> Salvatore Bonaccorso wrote:
> 
> >> FTR, it seems this was submitted to DWF already as per:
> >> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#63
> >
> > CVE-2017-14482 was assigned for this issue.
> 
> Thanks. Do I need to cancel or update the DWF submission (if so, how)?

There is nothing further needed. The DWF has cancelled the request.





