From: Paul Eggert
Newsgroups: gmane.emacs.devel
Subject: Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution
Date: Tue, 12 Sep 2017 11:18:12 -0700
Organization: UCLA Computer Science Department
References: <87mv5zzt6n.fsf@mid.deneb.enyo.de>
To: Emacs development discussions

I got the following response to the announcement on the oss-security mailing
list. Question: what would cause the eval-after-load to be bypassed?

-------- Forwarded Message --------
Subject: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution
Date: Tue, 12 Sep 2017 20:08:00 +0200
From: Florian Weimer
To: Paul Eggert
CC: oss-security@lists.openwall.com

* Paul Eggert:

> == Mitigation ==
>
> To work around the bug in unfixed versions of Emacs, put the following code in
> your personal or site-wide Emacs init file (~/.emacs, ~/emacs.d/init.el,
> site-start.el):
>
> ;; Mitigate Bug#28350 (security) in Emacs 25.2 and earlier.
> (eval-after-load "enriched"
>   '(defun enriched-decode-display-prop (start end &optional param)
>      (list start end)))

This does not override the function in all cases when enriched is
loaded. Something like this would be more reliable, but it will of
course slow down the starting of Emacs:

(require 'enriched)
(defun enriched-decode-display-prop (start end &optional param)
  (list start end))
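
One way to confirm at run time that the override discussed in this thread is actually in effect. This is an added example in Emacs Lisp, not part of either message or of Emacs itself; the `my-enriched-*` names are hypothetical, and the version test assumes the "25.2 and earlier" range given in the quoted advisory.

```elisp
;; Added example, not from the thread.  The `my-' names are hypothetical.

(defun my-enriched-affected-version-p ()
  "Non-nil if this Emacs is 25.2 or earlier, the range named in the advisory."
  (or (< emacs-major-version 25)
      (and (= emacs-major-version 25) (<= emacs-minor-version 2))))

(defun my-enriched-workaround-status ()
  "Report whether `enriched-decode-display-prop' has been neutralized.
Return `not-loaded' if the function is not defined yet, `mitigated' if
it returns only (START END), and `unmitigated' if it still returns a
longer list that carries a property built from PARAM."
  (if (not (fboundp 'enriched-decode-display-prop))
      'not-loaded
    ;; Constructed input: a quoted string is an inert display spec, so
    ;; calling the original definition with it only reads the string.
    (let ((result (enriched-decode-display-prop 1 2 "\"x\"")))
      (if (equal result '(1 2)) 'mitigated 'unmitigated))))

(defun my-enriched-check-workaround (&rest _)
  "Warn if an affected Emacs still has the original function definition."
  (when (and (my-enriched-affected-version-p)
             (eq (my-enriched-workaround-status) 'unmitigated))
    (display-warning 'enriched
                     "Bug#28350 workaround is not in effect"
                     :error)))

;; Check once after init, and again after every later file load, so a
;; later load of enriched that restores the original definition is noticed.
(add-hook 'after-init-hook #'my-enriched-check-workaround)
(add-hook 'after-load-functions #'my-enriched-check-workaround)
```

The check works with either form of the workaround quoted above, since it inspects only what the function returns and not how it was redefined.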