Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution

Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution

[Paul Eggert]

I got the following response to the announcement on the oss-security 
mailing list. Question: what would cause the eval-after-load to be bypassed?


-------- Forwarded Message --------
Subject: 	Re: [oss-security] GNU Emacs 25.2 enriched text remote code 
execution
Date: 	Tue, 12 Sep 2017 20:08:00 +0200
From: 	Florian Weimer <fw@deneb.enyo.de>
To: 	Paul Eggert <eggert@cs.ucla.edu>
CC: 	oss-security@lists.openwall.com



* Paul Eggert:

> == Mitigation ==
>
> To work around the bug in unfixed versions of Emacs, put the following code in 
> your personal or site-wide Emacs init file (~/.emacs, ~/emacs.d/init.el, 
> site-start.el):
>
>    ;; Mitigate Bug#28350 (security) in Emacs 25.2 and earlier.
>    (eval-after-load "enriched"
>      '(defun enriched-decode-display-prop (start end &optional param)
>         (list start end)))

This does not override the function in all cases when enriched is
loaded.  Something like this would be more reliable, but it will of
course slow down the starting of Emacs:

(require 'enriched)
(defun enriched-decode-display-prop (start end &optional param)
   (list start end))

Re: Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution

[Kalle Olavi Niemitalo]

Paul Eggert <eggert@cs.ucla.edu> writes:

> Question: what would cause the eval-after-load to be bypassed?

eval-after-load in Emacs 21.3 says "FILE must match exactly."

Re: Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution

[Paul Eggert]

Kalle Olavi Niemitalo wrote:
> eval-after-load in Emacs 21.3 says "FILE must match exactly."

In that case, the mitigation strategy published in etc/NEWS is not sufficient, 
and we should go back to the method that says (require 'enriched) first. I'll do 
that if nobody has a better suggestion.

Re: Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution

[Stefan Monnier]

> In that case, the mitigation strategy published in etc/NEWS is not
> sufficient, and we should go back to the method that says (require
> 'enriched) first. I'll do that if nobody has a better suggestion.

Personally, I'd rather use `advice-add` or `defadvice`.


        Stefan

Re: Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution

[Eli Zaretskii]

> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Wed, 13 Sep 2017 01:56:04 -0700
> Cc: Emacs development discussions <emacs-devel@gnu.org>
> 
> Kalle Olavi Niemitalo wrote:
> > eval-after-load in Emacs 21.3 says "FILE must match exactly."
> 
> In that case, the mitigation strategy published in etc/NEWS is not sufficient, 
> and we should go back to the method that says (require 'enriched) first. I'll do 
> that if nobody has a better suggestion.

I only have 21.4, and there the recipe in the 25.3 NEWS works.  Can we
please see the exact recipe tried in Emacs 21.3 and its results?

Thanks.

Re: Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution

[Paul Eggert]

On 09/13/2017 07:46 AM, Eli Zaretskii wrote:
>> that if nobody has a better suggestion.
> I only have 21.4, and there the recipe in the 25.3 NEWS works.  Can we
> please see the exact recipe tried in Emacs 21.3 and its results?

I did not reproduce the problem on Solaris 10 sparc, which ships with 
GNU Emacs 21.3 in /opt/sfw/bin/emacs (dated 2006-03-26). I ran the shell 
command "Emacs" from a terminal window, where my ~/.emacs file contained 
only this:

   (eval-after-load "enriched"
       '(defun enriched-decode-display-prop (start end &optional param)
              (list start end)))

which is what is in 25.3 etc/NEWS. Emacs started up fine and the bugfix 
was in place. So perhaps we should leave the NEWS file alone.

It's hard to reproduce the problem on today's GNU/Linux, as these old 
releases no longer build out of the box.