From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Roland Winkler <winkler@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: [ANNOUNCE] Emacs 25.3 released
Date: Tue, 12 Sep 2017 11:06:14 -0500
Message-ID: <87tw07kikp.fsf@gnu.org>
References: <87wp55t0un.fsf@petton.fr>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: blaine.gmane.org 1505232501 17792 195.159.176.226 (12 Sep 2017 16:08:21 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Tue, 12 Sep 2017 16:08:21 +0000 (UTC)
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
To: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Tue Sep 12 18:08:17 2017
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1drnjB-0003ec-K3
	for ged-emacs-devel@m.gmane.org; Tue, 12 Sep 2017 18:07:57 +0200
Original-Received: from localhost ([::1]:36792 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1drnjI-0007zx-W9
	for ged-emacs-devel@m.gmane.org; Tue, 12 Sep 2017 12:08:05 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:58591)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1drniC-0007yT-Tx
	for emacs-devel@gnu.org; Tue, 12 Sep 2017 12:06:57 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1drni9-0006V8-M3
	for emacs-devel@gnu.org; Tue, 12 Sep 2017 12:06:56 -0400
Original-Received: from [195.159.176.226] (port=45594 helo=blaine.gmane.org)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <ged-emacs-devel@m.gmane.org>)
	id 1drni9-0006Ta-DB
	for emacs-devel@gnu.org; Tue, 12 Sep 2017 12:06:53 -0400
Original-Received: from list by blaine.gmane.org with local (Exim 4.84_2)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1drnhn-0008QR-EK
	for emacs-devel@gnu.org; Tue, 12 Sep 2017 18:06:31 +0200
X-Injected-Via-Gmane: http://gmane.org/
Original-Lines: 15
Original-X-Complaints-To: usenet@blaine.gmane.org
Cancel-Lock: sha1:UavYdo5IWhoDfK0nVzoc7I504dk=
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
	[fuzzy]
X-Received-From: 195.159.176.226
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel/>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:218128
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/218128>

On Mon, Sep 11 2017, Nicolas Petton wrote:
> This vulnerability was introduced in Emacs 19.29.  To work around that
> in Emacs versions before 25.3, append the following to your ~/.emacs
> init file:
>
>   (eval-after-load "enriched"
>     '(defun enriched-decode-display-prop (start end &optional param)
>        (list start end)))

Many users may have the problem that they cannot upgrade immediately to
25.3.  Is it fair to say that putting the above lines of code in
~/.emacs fully protects the user from the vulnerability?  If yes, we may
want to advertise these lines of code more broadly.  Or do the above
lines of code provide only an incomplete fix?  Then, what can users do
instead when they still have to use older versions of emacs?