From: Philipp Stephani
Newsgroups: gmane.emacs.help
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Tue, 26 Sep 2017 18:51:14 +0000
To: Narendra Joshi, Glenn Morris
Cc: help-gnu-emacs@gnu.org

Narendra Joshi wrote on Tue, 26 Sep 2017 at 20:43:

> Glenn Morris writes:
>
> > Eli Zaretskii wrote:
> >
> >> But they don't tell the whole story: the vulnerability was actually
> >> caused by Gnus, MH-E, and perhaps other MUAs who decided to
> >> automatically support enriched text, without checking the code first.
> >> Otherwise, enriched.el per se has/had no problem whatsoever.
> >
> > I disagree. Simply opening a file in an unpatched Emacs can run
> > arbitrary code with zero prompting. This is a massive security risk that
> > is entirely internal to enriched.el (possibly with the 'display property
> > more generally). It does get worse that Gnus would trust enriched.el to
> > decode mail messages too. But anyone using Emacs from 21.1 to 25.2
> I just checked my Emacs version and it's
>
> ```
> GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, X toolkit, Xaw3d scroll
> bars) of 2017-09-17
> ```
> Are we going to skip Emacs 26?
>

You're building from master. That already has the major version after the
next release version, since changes pushed to master will end up in Emacs
27.