Fix enriched.el code execution (Bug#28350)

* etc/NEWS: Document the vulnerability and its resolution.
Include a workaround.  Suggested by Charles A. Roelli
<charles@aurox.ch>.
* lisp/gnus/mm-view.el (mm-inline-text): Disable decoding of
"enriched" and "richtext" MIME objects.  Suggested by Lars
Ingebrigtsen <larsi@gnus.org>.
* lisp/textmodes/enriched.el (enriched-decode-display-prop): Don't
produce 'display' properties.  (Bug#28350)

diff --git a/etc/NEWS b/etc/NEWS
index 539e56e42a0b47f178ff4eb0470e55de57e4c09a..013b7dc8c9ce544cd4cdcc87ff34e3fdeb5b4e70 100644 (file)
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -15,6 +15,32 @@ and NEWS.1-17 for changes in older Emacs versions.
 You can narrow news to a specific version by calling 'view-emacs-news'
 with a prefix argument or by typing C-u C-h C-n.
 
+\f
+* Changes in Emacs 25.3
+
+This is an emergency release to fix a security vulnerability in Emacs.
+
+** Security vulnerability related to Enriched Text mode is removed.
+
+*** Enriched Text mode has its support for decoding 'x-display' disabled.
+This feature allows saving 'display' properties as part of text.
+Emacs 'display' properties support evaluation of arbitrary Lisp forms
+as part of instantiating the property, so decoding 'x-display' is
+vulnerable to executing arbitrary malicious Lisp code included in the
+text (e.g., sent as part of an email message).
+
+This vulnerability was introduced in Emacs 19.29.  To work around that
+in Emacs versions before 25.3, append the following to your ~/.emacs
+init file:
+
+  (eval-after-load "enriched"
+    '(defun enriched-decode-display-prop (start end &optional param)
+       (list start end)))
+
+*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
+This support was disabled to avoid evaluation of arbitrary Lisp code
+contained in email messages and news articles.
+
 \f
 * Changes in Emacs 25.2
 

diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index e5859d002cf19e3ca1ed3ac0355f34ba0b09fe87..1b4c9526e211769a82935292c7a42dce7bfbe0d5 100644 (file)
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -383,10 +383,12 @@
        (goto-char (point-max))))
     (save-restriction
       (narrow-to-region b (point))
-      (when (member type '("enriched" "richtext"))
-        (set-text-properties (point-min) (point-max) nil)
-       (ignore-errors
-         (enriched-decode (point-min) (point-max))))
+      ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+      ;; forms in display properties supported by enriched.el.
+      ;; (when (member type '("enriched" "richtext"))
+      ;;   (set-text-properties (point-min) (point-max) nil)
+      ;;       (ignore-errors
+      ;;         (enriched-decode (point-min) (point-max))))
       (mm-handle-set-undisplayer
        handle
        `(lambda ()

diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
index beb6c6dda39eb8e7e4d0e49bee2385a6f18fc6e1..bdfd5d68e327490eb355ce83d81aa4f27eab32a3 100644 (file)
--- a/lisp/textmodes/enriched.el
+++ b/lisp/textmodes/enriched.el
@@ -503,6 +503,9 @@ the range of text to assign text property SYMBOL with value VALUE."
                  (error nil)))))
     (unless prop
       (message "Warning: invalid <x-display> parameter %s" param))
-    (list start end 'display prop)))
+    ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+    ;; forms in display properties stored within enriched text.
+    ;; (list start end 'display prop)))
+    (list start end)))
 
 ;;; enriched.el ends here