From: "Phillip Lord"
Newsgroups: gmane.emacs.devel
Subject: Re: [ANNOUNCE] Emacs 25.3 released
Date: Tue, 12 Sep 2017 17:46:39 -0000
Message-ID: <161eff40ff05df7d5577e2456baa1676.squirrel@cloud103.planethippo.com>
References: <87wp55t0un.fsf@petton.fr> <87tw07kikp.fsf@gnu.org>
In-Reply-To: <87tw07kikp.fsf@gnu.org>
To: "Roland Winkler"
Cc: emacs-devel@gnu.org

On Tue, September 12, 2017 4:06 pm, Roland Winkler wrote:
> On Mon, Sep 11 2017, Nicolas Petton wrote:
>
>> This vulnerability was introduced in Emacs 19.29. To work around that
>> in Emacs versions before 25.3, append the following to your ~/.emacs init
>> file:
>>
>>
>> (eval-after-load "enriched"
>>   '(defun enriched-decode-display-prop (start end &optional param)
>>      (list start end)))
>>
>
> Many users may have the problem that they cannot upgrade immediately to
> 25.3. Is it fair to say that putting the above lines of code in
> ~/.emacs fully protects the user from the vulnerability? If yes, we may
> want to advertise these lines of code more broadly. Or do the above lines
> of code provide only an incomplete fix? Then, what can users do instead
> when they still have to use older versions of emacs?

Why do we not put a "vulnerability" package onto ELPA, then install this
by default? This way, new emacs releases would provide an automatic
mechanism for fixing vulnerabilities. And, for old emacs, the advice would
be "M-x package-install vulnerability".