From: Reiner Steib
Newsgroups: gmane.emacs.devel
Subject: Re: enriched.el code execution
Date: Thu, 07 Sep 2017 22:47:08 +0200
References: <83tw0h0yem.fsf@gnu.org> <83lglr24ck.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
To: Paul Eggert
Cc: Eli Zaretskii, emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:217998

On Wed, Sep 06 2017, Paul Eggert wrote:

> This particular bug involved remote code execution by visiting an
> email attachment. Any security hole this serious should be
> blocking. It doesn't matter that the bug has been around for a while,
> as the bug is known now and is likely to be exploited by anyone who
> cares to attack Emacs users. I'm surprised that there was controversy
> about this case, as the bug really should be fixed as soon as we
> reasonably can, or in any event before the next release.

If I understand correctly, this issue is serious enough (CVSS is 8.8,
Common Vulnerability Scoring System, v3.0) that we should prepare a
security fix release (from Emacs 25.2) as soon as we have a fix for
this bug (or we should disable this feature of enriched mode).

Bye, Reiner.