From: Eli Zaretskii
Newsgroups: gmane.emacs.help
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Sat, 23 Sep 2017 20:34:07 +0300
Message-ID: <83poah9v5c.fsf@gnu.org>
To: help-gnu-emacs@gnu.org
In-reply-to: <9uvak9ib98.fsf@fencepost.gnu.org> (message from Glenn Morris on Sat, 23 Sep 2017 13:18:59 -0400)

> From: Glenn Morris
> Cc: help-gnu-emacs@gnu.org
> Date: Sat, 23 Sep 2017 13:18:59 -0400
>
> Eli Zaretskii wrote:
>
> > But they don't tell the whole story: the vulnerability was actually
> > caused by Gnus, MH-E, and perhaps other MUAs who decided to
> > automatically support enriched text, without checking the code first.
> > Otherwise, enriched.el per se has/had no problem whatsoever.
>
> I disagree. Simply opening a file in an unpatched Emacs can run
> arbitrary code with zero prompting.

How did that file end up in a directory you can access? Why are you
visiting a file about which you know nothing at all? And how is that
different from a Lisp package that creates display properties out of
thin air?

> This is a massive security risk that is entirely internal to
> enriched.el (possibly with the 'display property more generally).

More generally, Emacs itself. Even more generally, any software you
use.

> It does get worse that Gnus would trust enriched.el to decode mail
> messages too. But anyone using Emacs from 21.1 to 25.2 should be
> aware of this issue, whether or not they use Emacs for mail.

If you use software you didn't write, you are at risk.
If you don't want the risk of ending up in a car crash, the only way is not to leave home.