From: Glenn Morris
Newsgroups: gmane.emacs.help
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Sat, 23 Sep 2017 13:18:59 -0400
Message-ID: <9uvak9ib98.fsf@fencepost.gnu.org>
To: Eli Zaretskii
Cc: help-gnu-emacs@gnu.org

Eli Zaretskii wrote:

> But they don't tell the whole story: the vulnerability was actually
> caused by Gnus, MH-E, and perhaps other MUAs who decided to
> automatically support enriched text, without checking the code first.
> Otherwise, enriched.el per se has/had no problem whatsoever.

I disagree. Simply opening a file in an unpatched Emacs can run
arbitrary code with zero prompting. This is a massive security risk
that is entirely internal to enriched.el (possibly with the 'display
property more generally).

It does get worse that Gnus would trust enriched.el to decode mail
messages too. But anyone using Emacs from 21.1 to 25.2 should be aware
of this issue, whether or not they use Emacs for mail.