From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.help Subject: Re: CVE-2017-14482 - Red Hat Customer Portal Date: Sat, 23 Sep 2017 16:12:46 +0300 Message-ID: <83zi9la78x.fsf@gnu.org> References: <2e991bb7-c570-49ce-be94-3654945bb4b5@mousecar.com> <87d16jxjz6.fsf@eps142.cdf.udc.es> <861smzcgx3.fsf@zoho.com> <1b3bec6e-d4d5-37a7-ba54-49bd2d8281bd@yandex.com> <87377dtw33.fsf@qcore> NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Trace: blaine.gmane.org 1506172406 27777 195.159.176.226 (23 Sep 2017 13:13:26 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Sat, 23 Sep 2017 13:13:26 +0000 (UTC) To: help-gnu-emacs@gnu.org Original-X-From: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org Sat Sep 23 15:13:23 2017 Return-path: Envelope-to: geh-help-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dvkFF-0006wF-WC for geh-help-gnu-emacs@m.gmane.org; Sat, 23 Sep 2017 15:13:22 +0200 Original-Received: from localhost ([::1]:34967 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dvkFN-0007Au-8r for geh-help-gnu-emacs@m.gmane.org; Sat, 23 Sep 2017 09:13:29 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:45922) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dvkEp-0007Ad-RC for help-gnu-emacs@gnu.org; Sat, 23 Sep 2017 09:12:56 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dvkEl-0006NS-Tc for help-gnu-emacs@gnu.org; Sat, 23 Sep 2017 09:12:55 -0400 Original-Received: from fencepost.gnu.org ([2001:4830:134:3::e]:36071) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dvkEl-0006NO-PV for help-gnu-emacs@gnu.org; Sat, 23 Sep 2017 09:12:51 -0400 Original-Received: from 84.94.185.246.cable.012.net.il ([84.94.185.246]:2642 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1dvkEk-0006RL-PB for help-gnu-emacs@gnu.org; Sat, 23 Sep 2017 09:12:51 -0400 In-reply-to: <87377dtw33.fsf@qcore> (message from =?iso-8859-1?Q?=D3scar?= Fuentes on Sat, 23 Sep 2017 14:53:36 +0200) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-BeenThere: help-gnu-emacs@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: Users list for the GNU Emacs text editor List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "help-gnu-emacs" Xref: news.gmane.org gmane.emacs.help:114361 Archived-At: > From: Óscar Fuentes > Date: Sat, 23 Sep 2017 14:53:36 +0200 > > charles@aurox.ch (Charles A. Roelli) writes: > > > The code that caused CVE-2017-14482 (aka Bug#28350) was 100% correct. > > It was also far too powerful, so its behavior had to be properly > > limited. > > The two sentences above are contradictory. Not really. But they don't tell the whole story: the vulnerability was actually caused by Gnus, MH-E, and perhaps other MUAs who decided to automatically support enriched text, without checking the code first. Otherwise, enriched.el per se has/had no problem whatsoever.